CVE-2024-21733: Apache Tomcat: Leaking of unrelated request bodies in default error page
First published: Fri Jan 19 2024(Updated: )
Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by the leaking of unrelated request bodies in default error page. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/tomcat | <9.0.44 | 9.0.44 |
| redhat/tomcat | <8.5.64 | 8.5.64 |
| maven/org.apache.tomcat.embed:tomcat-embed-core | >=8.5.7<8.5.64 | 8.5.64 |
| maven/org.apache.tomcat:tomcat-coyote | >=9.0.0-M11<9.0.44 | 9.0.44 |
| IBM Engineering Requirements Management DOORS Web Access | <=9.7.2.7 | |
| IBM Rational DOORS Web Access | <=9.7.2.7 | |
| Tomcat | >=8.5.7<8.5.64 | |
| Tomcat | >=9.0.1<9.0.44 | |
| Tomcat | =9.0.0-milestone11 | |
| Tomcat | =9.0.0-milestone12 | |
| Tomcat | =9.0.0-milestone13 | |
| Tomcat | =9.0.0-milestone14 | |
| Tomcat | =9.0.0-milestone15 | |
| Tomcat | =9.0.0-milestone16 | |
| Tomcat | =9.0.0-milestone17 | |
| Tomcat | =9.0.0-milestone18 | |
| Tomcat | =9.0.0-milestone19 | |
| Tomcat | =9.0.0-milestone20 | |
| Tomcat | =9.0.0-milestone21 | |
| Tomcat | =9.0.0-milestone22 | |
| Tomcat | =9.0.0-milestone23 | |
| Tomcat | =9.0.0-milestone24 | |
| Tomcat | =9.0.0-milestone25 | |
| Tomcat | =9.0.0-milestone26 | |
| Tomcat | =9.0.0-milestone27 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://lists.apache.org/thread/h9bjqdd0odj6lhs2o96qgowcc6hb0cfz
- http://www.openwall.com/lists/oss-security/2024/01/19/2
- http://packetstormsecurity.com/files/176951/Apache-Tomcat-8.5.63-9.0.43-HTTP-Response-Smuggling.html
- https://security.netapp.com/advisory/ntap-20240216-0005/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/279952
- https://www.ibm.com/support/pages/node/7124058 (Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2024-21733
- https://security.netapp.com/advisory/ntap-20240216-0005
- https://github.com/apache/tomcat/commit/86ccc43940861703c2be96a5f35384407522125a
- https://github.com/apache/tomcat/commit/ce4b154e7b48f66bd98858626347747cd2514311
- https://tomcat.apache.org/security-8.html
- https://tomcat.apache.org/security-9.html
- https://github.com/advisories/GHSA-f4qf-m5gf-8jm8 (Advisory)
- https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.44
- https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.64
- https://access.redhat.com/errata/RHSA-2024:2707
- https://access.redhat.com/errata/RHSA-2024:3354
- https://bugzilla.redhat.com/show_bug.cgi?id=2259204
Frequently Asked Questions
What is the severity of CVE-2024-21733?
CVE-2024-21733 has been classified as a moderate severity vulnerability that could lead to information disclosure.
What versions of Apache Tomcat are affected by CVE-2024-21733?
CVE-2024-21733 affects Apache Tomcat versions 8.5.7 to 8.5.64 and 9.0.1 to 9.0.44, including several milestone versions.
How do I fix CVE-2024-21733?
To fix CVE-2024-21733, upgrade Apache Tomcat to version 8.5.64 or 9.0.44.
What type of information can be leaked due to CVE-2024-21733?
CVE-2024-21733 can potentially leak unrelated request bodies through the default error page.
Is CVE-2024-21733 a remote vulnerability?
Yes, CVE-2024-21733 allows a remote attacker to exploit the vulnerability by sending a specially crafted request.
- agent/title
- agent/weakness
- agent/first-publish-date
- agent/type
- collector/oss-sec
- source/oss-sec
- alias/CVE-2024-21733
- agent/remedy
- agent/author
- collector/mitre-cve
- source/MITRE
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/references
- agent/trending
- agent/source
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-f4qf-m5gf-8jm8
- agent/last-modified-date
- agent/event
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- agent/description
- collector/github-advisory
- collector/nvd-api
- source/NVD
- collector/nvd-cve
- package-manager/redhat
- package-manager/maven
- vendor/ibm
- canonical/ibm engineering requirements management doors web access
- version/ibm engineering requirements management doors web access/9.7.2.7
- canonical/ibm rational doors web access
- version/ibm rational doors web access/9.7.2.7
- vendor/apache
- canonical/tomcat
- version/tomcat/8.5.7
- version/tomcat/9.0.1
- version/tomcat/9.0.0-milestone11
- version/tomcat/9.0.0-milestone12
- version/tomcat/9.0.0-milestone13
- version/tomcat/9.0.0-milestone14
- version/tomcat/9.0.0-milestone15
- version/tomcat/9.0.0-milestone16
- version/tomcat/9.0.0-milestone17
- version/tomcat/9.0.0-milestone18
- version/tomcat/9.0.0-milestone19
- version/tomcat/9.0.0-milestone20
- version/tomcat/9.0.0-milestone21
- version/tomcat/9.0.0-milestone22
- version/tomcat/9.0.0-milestone23
- version/tomcat/9.0.0-milestone24
- version/tomcat/9.0.0-milestone25
- version/tomcat/9.0.0-milestone26
- version/tomcat/9.0.0-milestone27