CVE-2023-28709

Published: May 22, 2023

Modified: Feb 13, 2025

PUBLISHED

Description

The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.

Vendor: Apache Software Foundation

Product: Apache Tomcat

Versions:
  affected: 11.0.0-M2 - <= 11.0.0-M4
  affected: 10.1.5 - <= 10.1.7
  affected: 9.0.71 - <= 9.0.73
  affected: 8.5.85 - <= 8.5.87

Weaknesses (CWE)
