ID

VAR-202305-1789


CVE

CVE-2023-28709


TITLE

Denial of service (DoS) vulnerability in Apache Commons FileUpload as used by Apache Tomcat

Trust: 0.8

sources: JVNDB: JVNDB-2023-001220

DESCRIPTION

The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters, and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed, with the potential for a denial of service to occur.

Apache Commons FileUpload versions earlier than 1.5 do not limit the number of files that can be uploaded in a single request, resulting in a denial of service (DoS) vulnerability (CVE-2023-24998, CVE-2023-28709). Because the file upload function of Apache Tomcat uses a copy of the Apache Commons FileUpload package and likewise has no file count limit, it may also be affected by this vulnerability. A malicious upload by a third party may result in a denial of service (DoS).

Gentoo Linux Security Advisory GLSA 202305-37
https://security.gentoo.org/

Severity: Low
Title: Apache Tomcat: Multiple Vulnerabilities
Date: May 30, 2023
Bugs: #878911, #889596, #896370, #907387
ID: 202305-37

Synopsis
========
Multiple vulnerabilities have been found in Apache Tomcat, the worst of which could result in denial of service.

Affected packages
=================

Package              Vulnerable   Unaffected
------------------   ----------   ----------
www-servers/tomcat   < 10.1.8     >= 10.1.8

Description
===========
Multiple vulnerabilities have been discovered in Apache Tomcat. Please review the CVE identifiers referenced below for details.

Impact
======
Please review the referenced CVE identifiers for details.

Workaround
==========
There is no known workaround at this time.

Resolution
==========
All Apache Tomcat users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-servers/tomcat-10.1.8"

References
==========
[ 1 ] CVE-2022-42252
      https://nvd.nist.gov/vuln/detail/CVE-2022-42252
[ 2 ] CVE-2022-45143
      https://nvd.nist.gov/vuln/detail/CVE-2022-45143
[ 3 ] CVE-2023-24998
      https://nvd.nist.gov/vuln/detail/CVE-2023-24998
[ 4 ] CVE-2023-28709
      https://nvd.nist.gov/vuln/detail/CVE-2023-28709

Availability
============
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202305-37

Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======
Copyright 2023 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5

Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied.

Red Hat Security Advisory

Synopsis: Moderate: Red Hat JBoss Web Server 5.7.4 release and security update
Advisory ID: RHSA-2023:4909-01
Product: Red Hat JBoss Web Server
Advisory URL: https://access.redhat.com/errata/RHSA-2023:4909
Issue date: 2023-09-04
CVE Names: CVE-2022-24963 CVE-2023-24998 CVE-2023-28708 CVE-2023-28709

1. Summary:

An update is now available for Red Hat JBoss Web Server 5.7.4 on Red Hat Enterprise Linux versions 7, 8, and 9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Web Server 5.7 for RHEL 7 Server - noarch, x86_64
Red Hat JBoss Web Server 5.7 for RHEL 8 - noarch, x86_64
Red Hat JBoss Web Server 5.7 for RHEL 9 - noarch, x86_64

3. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. This release of Red Hat JBoss Web Server 5.7.4 serves as a replacement for Red Hat JBoss Web Server 5.7.3. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes, linked to in the References section.

Security Fix(es):

* apr: integer overflow/wraparound in apr_encode (CVE-2022-24963)
* Apache Commons FileUpload: FileUpload DoS with excessive parts (CVE-2023-24998)
* tomcat: not including the secure attribute causes information disclosure (CVE-2023-28708)
* tomcat: Fix for CVE-2023-24998 was incomplete (CVE-2023-28709)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).

For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2169465 - CVE-2022-24963 apr: integer overflow/wraparound in apr_encode
2172298 - CVE-2023-24998 Apache Commons FileUpload: FileUpload DoS with excessive parts
2180856 - CVE-2023-28708 tomcat: not including the secure attribute causes information disclosure
2210321 - CVE-2023-28709 tomcat: Fix for CVE-2023-24998 was incomplete

6. Package List:

Red Hat JBoss Web Server 5.7 for RHEL 7 Server:

Source:
jws5-tomcat-9.0.62-15.redhat_00013.1.el7jws.src.rpm
jws5-tomcat-native-1.2.31-15.redhat_15.el7jws.src.rpm

noarch:
jws5-tomcat-9.0.62-15.redhat_00013.1.el7jws.noarch.rpm
jws5-tomcat-admin-webapps-9.0.62-15.redhat_00013.1.el7jws.noarch.rpm
jws5-tomcat-docs-webapp-9.0.62-15.redhat_00013.1.el7jws.noarch.rpm
jws5-tomcat-el-3.0-api-9.0.62-15.redhat_00013.1.el7jws.noarch.rpm
jws5-tomcat-java-jdk11-9.0.62-15.redhat_00013.1.el7jws.noarch.rpm
jws5-tomcat-java-jdk8-9.0.62-15.redhat_00013.1.el7jws.noarch.rpm
jws5-tomcat-javadoc-9.0.62-15.redhat_00013.1.el7jws.noarch.rpm
jws5-tomcat-jsp-2.3-api-9.0.62-15.redhat_00013.1.el7jws.noarch.rpm
jws5-tomcat-lib-9.0.62-15.redhat_00013.1.el7jws.noarch.rpm
jws5-tomcat-selinux-9.0.62-15.redhat_00013.1.el7jws.noarch.rpm
jws5-tomcat-servlet-4.0-api-9.0.62-15.redhat_00013.1.el7jws.noarch.rpm
jws5-tomcat-webapps-9.0.62-15.redhat_00013.1.el7jws.noarch.rpm

x86_64:
jws5-tomcat-native-1.2.31-15.redhat_15.el7jws.x86_64.rpm
jws5-tomcat-native-debuginfo-1.2.31-15.redhat_15.el7jws.x86_64.rpm

Red Hat JBoss Web Server 5.7 for RHEL 8:

Source:
jws5-tomcat-9.0.62-15.redhat_00013.1.el8jws.src.rpm
jws5-tomcat-native-1.2.31-15.redhat_15.el8jws.src.rpm

noarch:
jws5-tomcat-9.0.62-15.redhat_00013.1.el8jws.noarch.rpm
jws5-tomcat-admin-webapps-9.0.62-15.redhat_00013.1.el8jws.noarch.rpm
jws5-tomcat-docs-webapp-9.0.62-15.redhat_00013.1.el8jws.noarch.rpm
jws5-tomcat-el-3.0-api-9.0.62-15.redhat_00013.1.el8jws.noarch.rpm
jws5-tomcat-javadoc-9.0.62-15.redhat_00013.1.el8jws.noarch.rpm
jws5-tomcat-jsp-2.3-api-9.0.62-15.redhat_00013.1.el8jws.noarch.rpm
jws5-tomcat-lib-9.0.62-15.redhat_00013.1.el8jws.noarch.rpm
jws5-tomcat-selinux-9.0.62-15.redhat_00013.1.el8jws.noarch.rpm
jws5-tomcat-servlet-4.0-api-9.0.62-15.redhat_00013.1.el8jws.noarch.rpm
jws5-tomcat-webapps-9.0.62-15.redhat_00013.1.el8jws.noarch.rpm

x86_64:
jws5-tomcat-native-1.2.31-15.redhat_15.el8jws.x86_64.rpm
jws5-tomcat-native-debuginfo-1.2.31-15.redhat_15.el8jws.x86_64.rpm

Red Hat JBoss Web Server 5.7 for RHEL 9:

Source:
jws5-tomcat-9.0.62-15.redhat_00013.1.el9jws.src.rpm
jws5-tomcat-native-1.2.31-15.redhat_15.el9jws.src.rpm

noarch:
jws5-tomcat-9.0.62-15.redhat_00013.1.el9jws.noarch.rpm
jws5-tomcat-admin-webapps-9.0.62-15.redhat_00013.1.el9jws.noarch.rpm
jws5-tomcat-docs-webapp-9.0.62-15.redhat_00013.1.el9jws.noarch.rpm
jws5-tomcat-el-3.0-api-9.0.62-15.redhat_00013.1.el9jws.noarch.rpm
jws5-tomcat-javadoc-9.0.62-15.redhat_00013.1.el9jws.noarch.rpm
jws5-tomcat-jsp-2.3-api-9.0.62-15.redhat_00013.1.el9jws.noarch.rpm
jws5-tomcat-lib-9.0.62-15.redhat_00013.1.el9jws.noarch.rpm
jws5-tomcat-selinux-9.0.62-15.redhat_00013.1.el9jws.noarch.rpm
jws5-tomcat-servlet-4.0-api-9.0.62-15.redhat_00013.1.el9jws.noarch.rpm
jws5-tomcat-webapps-9.0.62-15.redhat_00013.1.el9jws.noarch.rpm

x86_64:
jws5-tomcat-native-1.2.31-15.redhat_15.el9jws.x86_64.rpm
jws5-tomcat-native-debuginfo-1.2.31-15.redhat_15.el9jws.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-24963
https://access.redhat.com/security/cve/CVE-2023-24998
https://access.redhat.com/security/cve/CVE-2023-28708
https://access.redhat.com/security/cve/CVE-2023-28709
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.

RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Debian Security Advisory DSA-5521-1
security@debian.org
https://www.debian.org/security/
Markus Koschany
October 10, 2023
https://www.debian.org/security/faq

Package : tomcat10
CVE ID : CVE-2023-28709 CVE-2023-41080 CVE-2023-42795 CVE-2023-44487 CVE-2023-45648

Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.

CVE-2023-28709
Denial of Service.

CVE-2023-41080
Open redirect. If the ROOT (default) web application is configured to use FORM authentication, then it is possible that a specially crafted URL could be used to trigger a redirect to a URL of the attacker's choice.

CVE-2023-42795
Information Disclosure. When recycling various internal objects, including the request and the response, prior to re-use by the next request/response, an error could cause Tomcat to skip some parts of the recycling process, leading to information leaking from the current request/response to the next.

CVE-2023-44487
DoS caused by HTTP/2 frame overhead (Rapid Reset Attack).

CVE-2023-45648
Request smuggling. Tomcat did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests, leading to the possibility of request smuggling when behind a reverse proxy.

For the stable distribution (bookworm), these problems have been fixed in version 10.1.6-1+deb12u1.

We recommend that you upgrade your tomcat10 packages.

For the detailed security status of tomcat10 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/tomcat10

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

Trust: 2.07

sources: NVD: CVE-2023-28709 // JVNDB: JVNDB-2023-001220 // VULMON: CVE-2023-28709 // PACKETSTORM: 172624 // PACKETSTORM: 174475 // PACKETSTORM: 174474 // PACKETSTORM: 175038

AFFECTED PRODUCTS

vendor: apache | model: tomcat | scope: lte | version: 9.0.73

Trust: 1.0

vendor: apache | model: tomcat | scope: gte | version: 10.1.5

Trust: 1.0

vendor: apache | model: tomcat | scope: eq | version: 11.0.0

Trust: 1.0

vendor: apache | model: tomcat | scope: lte | version: 10.1.7

Trust: 1.0

vendor: apache | model: tomcat | scope: gte | version: 9.0.71

Trust: 1.0

vendor: apache | model: tomcat | scope: gte | version: 8.5.85

Trust: 1.0

vendor: apache | model: tomcat | scope: lte | version: 8.5.87

Trust: 1.0

vendor: debian | model: linux | scope: eq | version: 12.0

Trust: 1.0

vendor: netapp | model: 7-mode transition tool | scope: eq | version: -

Trust: 1.0

vendor: NEC | model: nec advanced analytics platform modeler | scope: - | version: -

Trust: 0.8

vendor: Hitachi | model: jp1/it desktop management 2 - smart device manager | scope: - | version: -

Trust: 0.8

vendor: NEC | model: neoface monitor | scope: - | version: -

Trust: 0.8

vendor: Hitachi | model: job management partner 1/it desktop management 2 - manager | scope: - | version: -

Trust: 0.8

vendor: Hitachi | model: hitachi tuning manager | scope: - | version: -

Trust: 0.8

vendor: apache | model: tomcat | scope: - | version: -

Trust: 0.8

vendor: NEC | model: nec information assessment system | scope: - | version: -

Trust: 0.8

vendor: NEC | model: enterpriseidentitymanager | scope: - | version: -

Trust: 0.8

vendor: NEC | model: nec automated response (自動応答) | scope: - | version: -

Trust: 0.8

vendor: NEC | model: websam it process management | scope: - | version: -

Trust: 0.8

vendor: Hitachi | model: jp1/performance management | scope: - | version: -

Trust: 0.8

vendor: apache | model: commons fileupload | scope: - | version: -

Trust: 0.8

vendor: Hitachi | model: jp1/it desktop management 2 - manager | scope: - | version: -

Trust: 0.8

vendor: NEC | model: webotx application server | scope: - | version: -

Trust: 0.8

vendor: Hitachi | model: jp1/it desktop management - manager | scope: - | version: -

Trust: 0.8

vendor: Hitachi | model: jp1/it desktop management 2 - operations director | scope: - | version: -

Trust: 0.8

vendor: NEC | model: esmpro/servermanager | scope: - | version: -

Trust: 0.8

vendor: Hitachi | model: job management partner 1/it desktop management - manager | scope: - | version: -

Trust: 0.8

vendor: NEC | model: connexive pf | scope: - | version: -

Trust: 0.8

vendor: NEC | model: actsecure portal (ポータル) | scope: - | version: -

Trust: 0.8

sources: JVNDB: JVNDB-2023-001220 // NVD: CVE-2023-28709

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2023-28709
value: HIGH

Trust: 1.0

NVD: CVE-2023-28709
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202305-1931
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2023-28709
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2023-28709
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2023-001220 // CNNVD: CNNVD-202305-1931 // NVD: CVE-2023-28709

PROBLEMTYPE DATA

problemtype:CWE-193

Trust: 1.0

problemtype:Determination of boundary conditions (CWE-193) [ others ]

Trust: 0.8

problemtype: Allocation of resources without limits or throttling (CWE-770) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2023-001220 // NVD: CVE-2023-28709

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202305-1931

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202305-1931

PATCH

title: hitachi-sec-2024-119 | url: https://commons.apache.org/proper/commons-fileupload/security-reports.html#Fixed_in_Apache_Commons_FileUpload_1.5

Trust: 0.8

title: Apache Tomcat Security vulnerabilities | url: http://123.124.177.30/web/xxk/bdxqById.tag?id=239303

Trust: 0.6

sources: JVNDB: JVNDB-2023-001220 // CNNVD: CNNVD-202305-1931

EXTERNAL IDS

db: NVD | id: CVE-2023-28709

Trust: 3.7

db: OPENWALL | id: OSS-SECURITY/2023/05/22/1

Trust: 1.7

db: ICS CERT | id: ICSA-24-046-15

Trust: 0.8

db: JVN | id: JVNVU91198149

Trust: 0.8

db: JVN | id: JVNVU91253151

Trust: 0.8

db: JVNDB | id: JVNDB-2023-001220

Trust: 0.8

db: AUSCERT | id: ESB-2023.2979

Trust: 0.6

db: AUSCERT | id: ESB-2023.3113

Trust: 0.6

db: AUSCERT | id: ESB-2023.3425

Trust: 0.6

db: AUSCERT | id: ESB-2023.3596

Trust: 0.6

db: AUSCERT | id: ESB-2023.3098

Trust: 0.6

db: CNNVD | id: CNNVD-202305-1931

Trust: 0.6

db: VULMON | id: CVE-2023-28709

Trust: 0.1

db: PACKETSTORM | id: 172624

Trust: 0.1

db: PACKETSTORM | id: 174475

Trust: 0.1

db: PACKETSTORM | id: 174474

Trust: 0.1

db: PACKETSTORM | id: 175038

Trust: 0.1

sources: VULMON: CVE-2023-28709 // JVNDB: JVNDB-2023-001220 // PACKETSTORM: 172624 // PACKETSTORM: 174475 // PACKETSTORM: 174474 // PACKETSTORM: 175038 // CNNVD: CNNVD-202305-1931 // NVD: CVE-2023-28709

REFERENCES

url:https://lists.apache.org/thread/7wvxonzwb7k9hx9jt3q33cmy7j97jo3j

Trust: 1.7

url:http://www.openwall.com/lists/oss-security/2023/05/22/1

Trust: 1.7

url:https://security.gentoo.org/glsa/202305-37

Trust: 1.7

url:https://security.netapp.com/advisory/ntap-20230616-0004/

Trust: 1.6

url:https://nvd.nist.gov/vuln/detail/cve-2023-28709

Trust: 1.2

url:https://nvd.nist.gov/vuln/detail/cve-2023-24998

Trust: 1.1

url:https://www.debian.org/security/2023/dsa-5521

Trust: 1.0

url:http://jvn.jp/vu/jvnvu91253151/index.html

Trust: 0.8

url:https://jvn.jp/vu/jvnvu91198149/index.html

Trust: 0.8

url:https://www.cisa.gov/news-events/ics-advisories/icsa-24-046-15

Trust: 0.8

url:https://cxsecurity.com/cveshow/cve-2023-28709/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2023.3098

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2023.2979

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2023.3425

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2023.3596

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2023.3113

Trust: 0.6

url:https://access.redhat.com/security/team/contact/

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2022-24963

Trust: 0.2

url:https://listman.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.2

url:https://access.redhat.com/security/updates/classification/#moderate

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2023-28708

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-24963

Trust: 0.2

url:https://access.redhat.com/articles/11258

Trust: 0.2

url:https://bugzilla.redhat.com/

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2023-28709

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2023-28708

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2023-24998

Trust: 0.2

url:https://cwe.mitre.org/data/definitions/193.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-45143

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-42252

Trust: 0.1

url:https://creativecommons.org/licenses/by-sa/2.5

Trust: 0.1

url:https://security.gentoo.org/

Trust: 0.1

url:https://bugs.gentoo.org

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2023:4910

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-28331

Trust: 0.1

url:https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=securitypatches&product=webserver&version=5.7

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-28331

Trust: 0.1

url:https://access.redhat.com/security/team/key/

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2023:4909

Trust: 0.1

url:https://security-tracker.debian.org/tracker/tomcat10

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2023-44487

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2023-41080

Trust: 0.1

url:https://www.debian.org/security/faq

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2023-42795

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2023-45648

Trust: 0.1

url:https://www.debian.org/security/

Trust: 0.1

sources: VULMON: CVE-2023-28709 // JVNDB: JVNDB-2023-001220 // PACKETSTORM: 172624 // PACKETSTORM: 174475 // PACKETSTORM: 174474 // PACKETSTORM: 175038 // CNNVD: CNNVD-202305-1931 // NVD: CVE-2023-28709

CREDITS

Red Hat

Trust: 0.2

sources: PACKETSTORM: 174475 // PACKETSTORM: 174474

SOURCES

db: VULMON | id: CVE-2023-28709
db: JVNDB | id: JVNDB-2023-001220
db: PACKETSTORM | id: 172624
db: PACKETSTORM | id: 174475
db: PACKETSTORM | id: 174474
db: PACKETSTORM | id: 175038
db: CNNVD | id: CNNVD-202305-1931
db: NVD | id: CVE-2023-28709

LAST UPDATE DATE

2024-08-14T13:01:26.797000+00:00


SOURCES UPDATE DATE

db: VULMON | id: CVE-2023-28709 | date: 2023-05-22T00:00:00
db: JVNDB | id: JVNDB-2023-001220 | date: 2024-05-29T07:11:00
db: CNNVD | id: CNNVD-202305-1931 | date: 2023-06-25T00:00:00
db: NVD | id: CVE-2023-28709 | date: 2024-02-16T18:20:07.610

SOURCES RELEASE DATE

db: VULMON | id: CVE-2023-28709 | date: 2023-05-22T00:00:00
db: JVNDB | id: JVNDB-2023-001220 | date: 2023-02-22T00:00:00
db: PACKETSTORM | id: 172624 | date: 2023-05-30T16:32:27
db: PACKETSTORM | id: 174475 | date: 2023-09-04T17:29:56
db: PACKETSTORM | id: 174474 | date: 2023-09-04T17:29:45
db: PACKETSTORM | id: 175038 | date: 2023-10-11T15:52:01
db: CNNVD | id: CNNVD-202305-1931 | date: 2023-05-22T00:00:00
db: NVD | id: CVE-2023-28709 | date: 2023-05-22T11:15:09.423