Moderate severityNVD Advisory· Published Jan 19, 2024· Updated Nov 3, 2025
Apache Tomcat: Leaking of unrelated request bodies in default error page
CVE-2024-21733
Description
Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat.This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43. Other, EOL versions may also be affected.
Users are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.tomcat:tomcat-coyoteMaven | >= 9.0.0-M11, < 9.0.44 | 9.0.44 |
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 8.5.7, < 8.5.64 | 8.5.64 |
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 9.0.0-M11, < 9.0.44 | 9.0.44 |
org.apache.tomcat:tomcat-coyoteMaven | >= 8.5.7, < 8.5.64 | 8.5.64 |
org.apache.tomcat.experimental:tomcat-embed-programmaticMaven | >= 9.0.43, < 9.0.44 | 9.0.44 |
Affected products
8- osv-coords7 versionspkg:bitnami/tomcatpkg:maven/org.apache.tomcat.embed/tomcat-embed-corepkg:maven/org.apache.tomcat/tomcat-coyotepkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5
>= 8.5.7, < 8.5.98+ 6 more
- (no CPE)range: >= 8.5.7, < 8.5.98
- (no CPE)range: >= 8.5.7, < 8.5.64
- (no CPE)range: >= 9.0.0-M11, < 9.0.44
- (no CPE)range: < 9.0.36-3.121.1
- (no CPE)range: < 9.0.115-3.160.1
- (no CPE)range: < 9.0.36-3.121.1
- (no CPE)range: < 9.0.115-3.160.1
- Apache Software Foundation/Apache Tomcatv5Range: 8.5.7
Patches
Vulnerability mechanics
References
11- github.com/advisories/GHSA-f4qf-m5gf-8jm8ghsaADVISORY
- lists.apache.org/thread/h9bjqdd0odj6lhs2o96qgowcc6hb0cfzghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2024-21733ghsaADVISORY
- packetstormsecurity.com/files/176951/Apache-Tomcat-8.5.63-9.0.43-HTTP-Response-Smuggling.htmlghsaWEB
- www.openwall.com/lists/oss-security/2024/01/19/2ghsaWEB
- github.com/apache/tomcat/commit/86ccc43940861703c2be96a5f35384407522125aghsaWEB
- github.com/apache/tomcat/commit/ce4b154e7b48f66bd98858626347747cd2514311ghsaWEB
- lists.debian.org/debian-lts-announce/2025/01/msg00009.htmlghsaWEB
- security.netapp.com/advisory/ntap-20240216-0005ghsaWEB
- tomcat.apache.org/security-8.htmlghsaWEB
- tomcat.apache.org/security-9.htmlghsaWEB
News mentions
0No linked articles in our index yet.