Posted to users@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2024/01/19 10:17:23 UTC

[SECURITY] CVE-2024-21733 Apache Tomcat - Information Disclosure

CVE-2023-46589 Apache Tomcat - Information Disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0-M11 to 9.0.43
Apache Tomcat 8.5.7 to 8.5.63

Description:
Incomplete POST requests triggered an error response that could contain 
data from a previous request from another user.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 9.0.44 or later
- Upgrade to Apache Tomcat 8.5.64 or later

Credit:
This vulnerability was reported responsibly to the Tomcat security team 
by xer0dayz from Sn1perSecurity LLC.

History:
2024-01-19 Original advisory

References:
[3] https://tomcat.apache.org/security-9.html
[4] https://tomcat.apache.org/security-8.html

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
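
The version ranges in the advisory, as an added checker that is not part of the advisory or the Tomcat project: it parses Tomcat version strings, including milestone builds such as 9.0.0-M11 (which sort before the 9.0.0 GA release), and reports whether a version falls inside an affected range. The `version.sh` output it reads is a constructed sample, and the `Server version:` line format is an assumption.

```python
# Added example: is a Tomcat version in a range CVE-2024-21733 lists as affected?
import re

# Inclusive ranges, copied from the advisory.
AFFECTED_RANGES = [
    ("9.0.0-M11", "9.0.43"),
    ("8.5.7", "8.5.63"),
]

# major.minor.patch with an optional milestone suffix, e.g. 9.0.0-M11
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(text):
    """Turn '9.0.0-M11' into a sortable tuple.

    Milestone builds precede the GA release with the same number, so the
    fourth element is 0 for a milestone and 1 for GA; the fifth element is
    the milestone number (0 for GA).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version):
    """True if `version` lies inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def version_from_catalina_output(text):
    """Pull the version out of `bin/version.sh` output (format assumed)."""
    m = re.search(r"Server version:\s*Apache Tomcat/(\S+)", text)
    if not m:
        raise ValueError("no 'Server version:' line found")
    return m.group(1)


# Constructed sample of what version.sh prints; not captured from a real host.
SAMPLE_OUTPUT = "Server version: Apache Tomcat/9.0.43\nServer built:   (sample)\n"

if __name__ == "__main__":
    found = version_from_catalina_output(SAMPLE_OUTPUT)
    print(found, "affected" if is_affected(found) else "not affected")
```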


Re: [SECURITY] CVE-2024-21733 Apache Tomcat - Information Disclosure

Posted by Mark Thomas <ma...@apache.org>.
Correcting the CVE reference in the text (the subject line is correct)

Mark


On 19/01/2024 10:17, Mark Thomas wrote:
> CVE-2023-21733 Apache Tomcat - Information Disclosure
> 
> Severity: Important
> 
> Vendor: The Apache Software Foundation
> 
> Versions Affected:
> Apache Tomcat 9.0.0-M11 to 9.0.43
> Apache Tomcat 8.5.7 to 8.5.63
> 
> Description:
> Incomplete POST requests triggered an error response that could contain 
> data from a previous request from another user.
> 
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Upgrade to Apache Tomcat 9.0.44 or later
> - Upgrade to Apache Tomcat 8.5.64 or later
> 
> Credit:
> This vulnerability was reported responsibly to the Tomcat security team 
> by xer0dayz from Sn1perSecurity LLC.
> 
> History:
> 2024-01-19 Original advisory
> 
> References:
> [3] https://tomcat.apache.org/security-9.html
> [4] https://tomcat.apache.org/security-8.html
