CVE-2023-28709

Severity: High

Published: 22 May 2023

Modified: 13 February 2025
KEV Added: not listed
Patch
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0052 (67.1st percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-28709 is a high-severity Off-by-one Error (CWE-193) vulnerability in Apache Tomcat. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 32.9% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters, and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.

CWE(s)

CWE-193: Off-by-one Error

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Apache Tomcat: 11.0.0 · 8.5.85 to 8.5.87 · 9.0.71 to 9.0.73 · 10.1.5 to 10.1.7
Debian Linux: 12.0
NetApp 7-Mode Transition Tool: all versions

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.