CVE-2023-28709

HIGH

Apache Tomcat <11.0.0-M4, 10.1.7, 9.0.73, 8.5.87 - DoS

Title source: llm

Description

The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.

References (5)

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2023/05/22/1

[Third Party Advisory] https://security.gentoo.org/glsa/202305-37

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20230616-0004/

[Third Party Advisory] https://www.debian.org/security/2023/dsa-5521

[Mailing List, Vendor Advisory] https://lists.apache.org/thread/7wvxonzwb7k9hx9jt3q33cmy7j97jo3j

Scores

CVSS v3 7.5

EPSS 0.0038

EPSS Percentile 59.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-193

Status published

Products (6)

apache/tomcat 11.0.0 milestone2 (3 CPE variants)

apache/tomcat 8.5.85 - 8.5.87

debian/debian_linux 12.0

netapp/7-mode_transition_tool

org.apache.tomcat/tomcat-coyote 8.5.85 - 8.5.88Maven

org.apache.tomcat.embed/tomcat-embed-core 11.0.0-M2 - 11.0.0-M5Maven

Published May 22, 2023

Tracked Since Feb 18, 2026