GHSA-cx6h-86xw-9x34

Source

https://github.com/advisories/GHSA-cx6h-86xw-9x34

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-cx6h-86xw-9x34/GHSA-cx6h-86xw-9x34.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-cx6h-86xw-9x34

Aliases

Published

2023-07-06T21:14:59Z

Modified

2024-04-24T19:31:03.102779Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Apache Tomcat - Fix for CVE-2023-24998 was incomplete

Details

The fix for CVE-2023-24998 was incomplete. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.

Database specific

{
    "nvd_published_at": "2023-05-22T11:15:09Z",
    "cwe_ids": [
        "CWE-193"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-06T23:34:50Z"
}

References

Affected packages

Maven / org.apache.tomcat.embed:tomcat-embed-core

Package

Name: org.apache.tomcat.embed:tomcat-embed-core; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

11.0.0-M2

Fixed

11.0.0-M5

Affected versions

11.*

11.0.0-M3

11.0.0-M4

Maven / org.apache.tomcat.embed:tomcat-embed-core

Package

Name: org.apache.tomcat.embed:tomcat-embed-core; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

10.1.5

Fixed

10.1.8

Affected versions

10.*

10.1.5

10.1.6

10.1.7

Maven / org.apache.tomcat.embed:tomcat-embed-core

Package

Name: org.apache.tomcat.embed:tomcat-embed-core; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

9.0.71

Fixed

9.0.74

Affected versions

9.*

9.0.71

9.0.72

9.0.73

Maven / org.apache.tomcat:tomcat-coyote

Package

Name: org.apache.tomcat:tomcat-coyote; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat/tomcat-coyote

Affected ranges

Type: ECOSYSTEM
Events: Introduced

8.5.85

Fixed

8.5.88

Affected versions

8.*

8.5.85

8.5.86

8.5.87