Due to the current gap in continued funding from the U.S. National Science Foundation (NSF), the NSF Unidata Program Center has temporarily paused most operations. See NSF Unidata Pause in Most Operations for details.

[thredds] Fwd: [SECURITY] CVE-2024-21733 Apache Tomcat - Information Disclosure

  • To: THREDDS community <thredds@xxxxxxxxxxxxxxxx>
  • Subject: [thredds] Fwd: [SECURITY] CVE-2024-21733 Apache Tomcat - Information Disclosure
  • From: Jennifer Oxelson Ganter <oxelson@xxxxxxxx>
  • Date: Fri, 19 Jan 2024 10:11:58 -0700
If by chance you are still running a super old Tomcat version, there is a
new CVE with a high level of severity.  Please upgrade to the latest
version.

---------- Forwarded message ---------
From: Mark Thomas <markt@xxxxxxxxxx>
Date: Fri, Jan 19, 2024 at 8:27 AM
Subject: Re: [SECURITY] CVE-2024-21733 Apache Tomcat - Information
Disclosure
To: users@xxxxxxxxxxxxxxxxx <users@xxxxxxxxxxxxxxxxx>
Cc: <announce@xxxxxxxxxx>, announce@xxxxxxxxxxxxxxxxx <
announce@xxxxxxxxxxxxxxxxx>, Tomcat Developers List <dev@xxxxxxxxxxxxxxxxx>


Correcting the CVE reference in the text (the subject line is correct)

Mark


On 19/01/2024 10:17, Mark Thomas wrote:
> CVE-2023-21733 Apache Tomcat - Information Disclosure
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Tomcat 9.0.0-M11 to 9.0.43
> Apache Tomcat 8.5.7 to 8.5.63
>
> Description:
> Incomplete POST requests triggered an error response that could contain
> data from a previous request from another user.
>
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Upgrade to Apache Tomcat 9.0.44 or later
> - Upgrade to Apache Tomcat 8.5.64 or later
>
> Credit:
> This vulnerability was reported responsibly to the Tomcat security team
> by xer0dayz from Sn1perSecurity LLC.
>
> History:
> 2024-01-19 Original advisory
>
> References:
> [3] https://tomcat.apache.org/security-9.html
> [4] https://tomcat.apache.org/security-8.html


-- 
------------------------------------------------------------------------------------
Jennifer Oxelson Ganter                                       NSF Unidata
Software Engineer IV                                          P.O. Box 3000
oxelson@xxxxxxxx                                       Boulder, CO 80307
------------------------------------------------------------------------------------
  • 2024 messages navigation, sorted by:
    1. Thread
    2. Subject
    3. Author
    4. Date
    5. ↑ Table Of Contents
  • Search the thredds archives: