VAR-202305-1789 — Vulnetix

VAR-202305-1789 PUBLISHED

The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.

Affected Products

Vendor	Product	Versions
Apache Software Foundation	Apache Tomcat	10.1.5, 9.0.71, 8.5.85

Timeline

Sep 15, 2019 CVE Published
Apr 28, 2025 PoC Published
Apr 1, 2026 Distribution Patch

References

https://lists.apache.org/thread/7wvxonzwb7k9hx9jt3q33cmy7j97jo3j vendor-advisory
http://www.openwall.com/lists/oss-security/2023/05/22/1 url
https://security.gentoo.org/glsa/202305-37 url
https://security.netapp.com/advisory/ntap-20230616-0004/ url
https://www.debian.org/security/2023/dsa-5521 url

Open in Interactive Console →