What is CVE-2023-28709?

CVE-2023-28709 is a vulnerability in Apache Software Foundation Tomcat, classified under Off-by-one Error. Published 2023-05-22.

Is CVE-2023-28709 known to be exploited?

2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Apache Software Foundation Tomcat

CVE-2023-28709

The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be re…

EPSS: 0.515 (98.8th percentile) — read the EPSS interpretation.

Affected products

Apache Software Foundation Tomcat — versions 11.0.0-M2, 10.1.5, 9.0.71

Weakness classification (CWE)

CWE-193 — Off-by-one Error

Public proof-of-concept exploits

Dzmitry-Basiachenka/dist-foreign-aliakh
seal-community/patches

References

lists.apache.org/thread/7wvxonzwb7k9hx9jt3q33cmy7j97jo3j (vendor-advisory)
www.openwall.com/lists/oss-security/2023/05/22/1
security.gentoo.org/glsa/202305-37
security.netapp.com/advisory/ntap-20230616-0004/
www.debian.org/security/2023/dsa-5521

Frequently asked questions

What is CVE-2023-28709?: CVE-2023-28709 is a vulnerability in Apache Software Foundation Tomcat, classified under Off-by-one Error. Published 2023-05-22.
Is CVE-2023-28709 known to be exploited?: 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.