7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-28709

GHSA ID

GHSA-cx6h-86xw-9x34

EPSS Score

0.48561%

CWE

CWE-193

Published

7/6/2023

Updated

4/24/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-28709

CVE-2023-28709:
Apache Tomcat - Fix for CVE-2023-24998 was incomplete

The fix for CVE-2023-24998 was incomplete. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-28709

GHSA ID

GHSA-cx6h-86xw-9x34

EPSS Score

0.48561%

CWE

CWE-193

Published

7/6/2023

Updated

4/24/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.tomcat.embed:tomcat-embed-core	maven	>= 11.0.0-M2, < 11.0.0-M5	11.0.0-M5
org.apache.tomcat.embed:tomcat-embed-core	maven	>= 10.1.5, < 10.1.8	10.1.8
org.apache.tomcat.embed:tomcat-embed-core	maven	>= 9.0.71, < 9.0.74	9.0.74
org.apache.tomcat:tomcat-coyote	maven	>= 8.5.85, < 8.5.88	8.5.88

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from an off-by-one error in parameter counting logic. The commit diff shows the fix moved 'parameterCount++' after the limit check and changed the condition to 'parameterCount >= limit'. In the original code, incrementing before checking meant that when exactly maxParameterCount parameters were sent, the count would reach limit+1 only after processing, failing to trigger the protection. This allowed bypassing uploaded parts limits via precisely maxParameterCount query parameters.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** *ix *or *V*-****-***** w*s in*ompl*t*. I* non-****ult *TTP *onn**tor s*ttin*s w*r* us** su** t**t t** m*xP*r*m*t*r*ount *oul* ** r****** usin* qu*ry strin* p*r*m*t*rs *n* * r*qu*st w*s su*mitt** t**t suppli** *x**tly m*xP*r*m*t*r*ount p*r*m*t*rs

Reasoning

T** vuln*r**ility st*ms *rom *n o**-*y-on* *rror in p*r*m*t*r *ountin* lo*i*. T** *ommit *i** s*ows t** *ix mov** 'p*r*m*t*r*ount++' **t*r t** limit ****k *n* ***n*** t** *on*ition to 'p*r*m*t*r*ount >= limit'. In t** ori*in*l *o**, in*r*m*ntin* ***o

7.5

Basic Information

Concerned about an active attack path?

CVE-2023-28709: Apache Tomcat - Fix for CVE-2023-24998 was incomplete

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2023-28709:
Apache Tomcat - Fix for CVE-2023-24998 was incomplete

Vulnerability Intelligence
Miggo AI