Description
The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.
A flaw was found in Apache Tomcat due to an incomplete fix for CVE-2023-24998: the limit on uploaded request parts that the earlier fix introduced can be bypassed in a request. This issue may allow an attacker to use a malicious upload or series of uploads to trigger a denial of service.
Report
The impact of this flaw is rated moderate, matching the Apache Software Foundation's rating, given the non-default configuration required in the CVE description. pki-servlet-engine has been obsoleted in Red Hat Enterprise Linux 8.9 and later by Tomcat, so no additional fixes for the engine will be made available.
Affected packages
Platform | Package | State | Advisory | Release |
---|---|---|---|---|
Red Hat Enterprise Linux 6 | tomcat6 | Out of support scope | | |
Red Hat Enterprise Linux 7 | tomcat | Out of support scope | | |
Red Hat Enterprise Linux 8 | pki-deps:10.6/pki-servlet-engine | Affected | | |
Red Hat Enterprise Linux 8 | pki-servlet-container | Not affected | | |
Red Hat Enterprise Linux 8 | pki-servlet-engine | Will not fix | | |
Red Hat Enterprise Linux 9 | pki-servlet-engine | Will not fix | | |
Red Hat JBoss Web Server 3 | tomcat | Will not fix | | |
Red Hat JBoss Web Server 3 | tomcat7 | Will not fix | | |
Red Hat JBoss Web Server 3 | tomcat8 | Will not fix | | |
JWS 5.7.4 release | tomcat | Fixed | RHSA-2023:4910 | 04.09.2023 |
Additional information
Status:
EPSS:
CVSS3: 7.5 High