CVE-2023-28709

Description

The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.

How to fix CVE-2023-28709

To remediate CVE-2023-28709, upgrade the affected package to a fixed version below.

• —no fix listed
• —upgrade to 10.1.6-1+deb12u1 or later
• —upgrade to 10.1.6-1+deb12u1 or later
• —upgrade to 11.0.0-M5 or later
• —upgrade to 8.5.88 or later

Is CVE-2023-28709 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (5)

• >= 8.5.85, <= 8.5.87, >= 9.0.71, <= 9.0.73, >= 10.1.5, <= 10.1.7
• from 0, < 10.1.6-1+deb12u1
• from 0, < 10.1.6-1+deb12u1
• >= 11.0.0-M2, < 11.0.0-M5
• >= 8.5.85, < 8.5.88

CVSS scores

References (17)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-28709
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2023-28709
• PATCHgithub.com/apache/tomcat
• WEBgithub.com/apache/tomcat/commit/5badf94e79e5de206fc0ef3054fd536b1bb787cd