First published: Mon May 22 2023
Apache Tomcat is vulnerable to a denial of service caused by an incomplete fix for CVE-2023-24998, which concerned the failure to limit the number of request parts processed by the file upload function. By sending a specially crafted request that uses query string parameters, a remote attacker could exploit this vulnerability to cause a denial of service.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Tomcat | >=8.5.85, <=8.5.87 | |
| Apache Tomcat | >=9.0.71, <=9.0.73 | |
| Apache Tomcat | >=10.1.5, <=10.1.7 | |
| Apache Tomcat | =11.0.0-milestone2 | |
| Apache Tomcat | =11.0.0-milestone3 | |
| Apache Tomcat | =11.0.0-milestone4 | |
| IBM QRadar SIEM | <=7.5.0 - 7.5.0 UP6 | |
| debian/tomcat10 | 10.1.6-1+deb12u1, 10.1.16-1 | |
| debian/tomcat9 | 9.0.31-1~deb10u6, 9.0.31-1~deb10u10, 9.0.43-2~deb11u6, 9.0.43-2~deb11u9, 9.0.70-2 | |
| Debian Debian Linux | =12.0 | |
| NetApp 7-Mode Transition Tool | | |
| redhat/Apache Tomcat | <11.0.0 | 11.0.0 |
| redhat/Apache Tomcat | <10.1.8 | 10.1.8 |
| redhat/Apache Tomcat | <9.0.74 | 9.0.74 |
| redhat/Apache Tomcat | <8.5.88 | 8.5.88 |
| maven/org.apache.tomcat:tomcat-coyote | >=8.5.85, <8.5.88 | 8.5.88 |
| maven/org.apache.tomcat.embed:tomcat-embed-core | >=9.0.71, <9.0.74 | 9.0.74 |
| maven/org.apache.tomcat.embed:tomcat-embed-core | >=10.1.5, <10.1.8 | 10.1.8 |
| maven/org.apache.tomcat.embed:tomcat-embed-core | >=11.0.0-M2, <11.0.0-M5 | 11.0.0-M5 |
CVE-2023-28709 is a vulnerability in Apache Tomcat that allows for a denial of service attack.
Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73, and 8.5.85 to 8.5.87 are affected by CVE-2023-28709.
CVE-2023-28709 has a severity rating of 7.5 (high).
A fix for CVE-2023-28709 is available in Apache Tomcat versions 8.5.88, 9.0.74, 10.1.8, and 11.0.0-M5.
You can find more information about CVE-2023-28709 on the Red Hat Security Advisory page and the Apache Tomcat mailing list.