| Name | CVE-2023-28709 |
| Description | The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DSA-5521-1 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| tomcat10 (PTS) | bookworm | 10.1.6-1+deb12u1 | fixed |
| bookworm (security) | 10.1.6-1+deb12u2 | fixed | |
| sid, trixie | 10.1.23-1 | fixed | |
| tomcat9 (PTS) | buster | 9.0.31-1~deb10u6 | fixed |
| buster (security) | 9.0.31-1~deb10u12 | fixed | |
| bullseye | 9.0.43-2~deb11u9 | fixed | |
| bullseye (security) | 9.0.43-2~deb11u10 | fixed | |
| bookworm, sid, trixie | 9.0.70-2 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| tomcat10 | source | experimental | 10.1.8-1 | |||
| tomcat10 | source | bookworm | 10.1.6-1+deb12u1 | DSA-5521-1 | ||
| tomcat10 | source | (unstable) | 10.1.10-1 | |||
| tomcat9 | source | (unstable) | (not affected) |
- tomcat9 <not-affected> (Incomplete fix for CVE-2023-24998 not applied)
https://github.com/apache/tomcat/commit/ba848da71c523d94950d3c53c19ea155189df9dc (10.1.8)
https://github.com/apache/tomcat/commit/fbd81421629afe8b8a3922d59020cde81caea861 (9.0.74)