| Name | CVE-2023-28709 |
| Description | The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.
|
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DSA-5521-1 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| tomcat10 (PTS) | bookworm (security), bookworm | 10.1.6-1+deb12u2 | fixed |
| sid, trixie | 10.1.31-1 | fixed |
| tomcat7 (PTS) | jessie, jessie (lts) | 7.0.56-3+really7.0.109-1+deb8u6 | fixed |
| stretch | 7.0.75-1 | fixed |
| tomcat8 (PTS) | jessie, jessie (lts) | 8.0.14-1+deb8u28 | fixed |
| stretch (security) | 8.5.54-0+deb9u8 | fixed |
| stretch (lts), stretch | 8.5.54-0+deb9u15 | fixed |
| tomcat9 (PTS) | buster (security), buster, buster (lts) | 9.0.31-1~deb10u12 | fixed |
| bullseye (security), bullseye | 9.0.43-2~deb11u10 | fixed |
| bookworm | 9.0.70-2 | fixed |
| sid, trixie | 9.0.95-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| tomcat10 | source | experimental | 10.1.8-1 | | | |
| tomcat10 | source | bookworm | 10.1.6-1+deb12u1 | | DSA-5521-1 | |
| tomcat10 | source | (unstable) | 10.1.10-1 | | | |
| tomcat7 | source | (unstable) | (not affected) | | | |
| tomcat8 | source | (unstable) | (not affected) | | | |
| tomcat9 | source | (unstable) | (not affected) | | | |
Notes
- tomcat9 <not-affected> (Incomplete fix for CVE-2023-24998 not applied)
https://github.com/apache/tomcat/commit/ba848da71c523d94950d3c53c19ea155189df9dc (10.1.8)
https://github.com/apache/tomcat/commit/fbd81421629afe8b8a3922d59020cde81caea861 (9.0.74)
- tomcat7 <not-affected> (Incomplete fix for CVE-2023-24998 not applied)
- tomcat8 <not-affected> (Incomplete fix for CVE-2023-24998 not applied)