CVE-2024-21733

Description

Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat.This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43. Other, EOL versions may also be affected. Users are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue.

How to fix CVE-2024-21733

To remediate CVE-2024-21733, upgrade the affected package to a fixed version below.

• —upgrade to 8.5.98 or later
• —upgrade to 9.0.43-2~deb11u11 or later
• —upgrade to 9.0.43-2~deb11u11 or later
• —upgrade to 8.5.64 or later
• —upgrade to 9.0.44 or later

Is CVE-2024-21733 being exploited?

Likely — EPSS is 71.0%, placing CVE-2024-21733 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (5)

• >= 8.5.7, < 8.5.98, >= 9.0.0, < 9.0.45
• from 0, < 9.0.43-2~deb11u11
• from 0, < 9.0.43-2~deb11u11
• >= 8.5.7, < 8.5.64
• >= 9.0.0-M11, < 9.0.44

CVSS scores

References (13)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-21733
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-21733
• PATCHgithub.com/apache/tomcat
• WEBpacketstormsecurity.com/files/176951/Apache-Tomcat-8.5.63-9.0.43-HTTP-Response-Smuggling.html