[thredds] Fwd: [SECURITY] CVE-2024-21733 Apache Tomcat - Information Disclosure

  • To: THREDDS community <thredds@xxxxxxxxxxxxxxxx>
  • Subject: [thredds] Fwd: [SECURITY] CVE-2024-21733 Apache Tomcat - Information Disclosure
  • From: Jennifer Oxelson Ganter <oxelson@xxxxxxxx>
  • Date: Fri, 19 Jan 2024 10:11:58 -0700

If by chance you are still running a super old Tomcat version, there is a
new CVE with a high level of severity.  Please upgrade to the latest
version.

---------- Forwarded message ---------
From: Mark Thomas <markt@xxxxxxxxxx>
Date: Fri, Jan 19, 2024 at 8:27 AM
Subject: Re: [SECURITY] CVE-2024-21733 Apache Tomcat - Information
Disclosure
To: users@xxxxxxxxxxxxxxxxx <users@xxxxxxxxxxxxxxxxx>
Cc: <announce@xxxxxxxxxx>, announce@xxxxxxxxxxxxxxxxx <
announce@xxxxxxxxxxxxxxxxx>, Tomcat Developers List <dev@xxxxxxxxxxxxxxxxx>


Correcting the CVE reference in the text (the subject line is correct)

Mark


On 19/01/2024 10:17, Mark Thomas wrote:
> CVE-2023-21733 Apache Tomcat - Information Disclosure
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Tomcat 9.0.0-M11 to 9.0.43
> Apache Tomcat 8.5.7 to 8.5.63
>
> Description:
> Incomplete POST requests triggered an error response that could contain
> data from a previous request from another user.
>
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Upgrade to Apache Tomcat 9.0.44 or later
> - Upgrade to Apache Tomcat 8.5.64 or later
>
> Credit:
> This vulnerability was reported responsibly to the Tomcat security team
> by xer0dayz from Sn1perSecurity LLC.
>
> History:
> 2024-01-19 Original advisory
>
> References:
> [3] https://tomcat.apache.org/security-9.html
> [4] https://tomcat.apache.org/security-8.html


-- 
------------------------------------------------------------------------------------
Jennifer Oxelson Ganter                                       NSF Unidata
Software Engineer IV                                          P.O. Box 3000
oxelson@xxxxxxxx                                       Boulder, CO 80307
------------------------------------------------------------------------------------
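
Added example, not part of the original message or of the Tomcat project: a small Python check that classifies a Tomcat version string against the two affected ranges quoted in the advisory above. The function names and the sample strings are constructed for illustration; the check compares version numbers only, so a vendor package with a backported fix would still be flagged.

```python
import re

RELEASE = 10**6  # sorts a final release after every milestone (M) build of the same x.y.z

# Inclusive affected ranges, copied from the advisory text.
AFFECTED = [
    ((9, 0, 0, 11), (9, 0, 43, RELEASE)),        # 9.0.0-M11 to 9.0.43
    ((8, 5, 7, RELEASE), (8, 5, 63, RELEASE)),   # 8.5.7 to 8.5.63
]
# First fixed release per branch, as listed under "Mitigation".
FIXED = {(9, 0): "9.0.44", (8, 5): "8.5.64"}

# Accepts "9.0.43", "9.0.43.0", "9.0.0.M11" and "9.0.0-M11", with or without a banner prefix.
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?")


def parse_version(text):
    """Extract (major, minor, patch, milestone) from a version string or banner."""
    m = _VERSION.search(text)
    if not m:
        raise ValueError(f"no Tomcat version found in {text!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch),
            int(milestone) if milestone else RELEASE)


def check(text):
    """Return (affected, advice) for one version string."""
    version = parse_version(text)
    for low, high in AFFECTED:
        if low <= version <= high:
            return True, f"upgrade to {FIXED[version[:2]]} or later"
    return False, "outside the ranges listed in the advisory"


if __name__ == "__main__":
    # Constructed sample inputs in the shapes Tomcat reports its version.
    samples = [
        "Apache Tomcat/9.0.43",
        "Server number:  8.5.63.0",
        "Apache Tomcat/9.0.0.M11",
        "9.0.0-M10",
        "9.0.44",
        "8.5.64",
    ]
    for s in samples:
        affected, advice = check(s)
        print(f"{s!r:32} affected={affected!s:5} {advice}")
```

Versions on branches the advisory does not mention are reported as outside the listed ranges, which is not a statement that they are unaffected.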