{"id":"CVE-2023-28709","details":"The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.","aliases":["BIT-tomcat-2023-28709","GHSA-cx6h-86xw-9x34"],"modified":"2026-04-10T04:56:59.889499Z","published":"2023-05-22T11:15:09.423Z","related":["ALSA-2023:6570","ALSA-2023:7065","MGASA-2023-0191","SUSE-SU-2023:2318-1","SUSE-SU-2023:2319-1","SUSE-SU-2023:2504-1","SUSE-SU-2023:2505-1","SUSE-SU-2026:1058-1","openSUSE-SU-2024:12953-1","openSUSE-SU-2024:13441-1"],"references":[{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20230616-0004/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2023/dsa-5521"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2023/05/22/1"},{"type":"ADVISORY","url":"https://lists.apache.org/thread/7wvxonzwb7k9hx9jt3q33cmy7j97jo3j"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202305-37"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/tomcat","events":[{"introduced":"7b1f4ce0b82641bf76a3d763bd97d5522513b57b"},{"last_affected":"9179f3c22aead8702936eace5c46e8860b644b3c"},{"introduced":"83ff421c4725bccfd7bec1a16b8ca3cb61bedd2a"},{"last_affected":"5452041bb674b46ea1390ee86b8f846728ec1236"},{"introduced":"f6eebe2ef959503150432dc2700181bd29a5ebc9"},{"last_affected":"473ef42c637c97eb17b38c5580a6b854dfe27a02"},{"introduced":"0"},{"last_affected":"4b03c23ad60e678c1d1a85df815fb6cd8d14ca67"},{"introduced":"0"},{"last_affected":"8afe2647d7801172cc304f4a47d8aad9646d2985"},{"introduced":"0"},{"last_affected":"3b6de549bdf4f6486c39daa0ae8e4d4b7475b1f6"}],"
database_specific":{"versions":[{"introduced":"8.5.85"},{"last_affected":"8.5.87"},{"introduced":"9.0.71"},{"last_affected":"9.0.73"},{"introduced":"10.1.5"},{"last_affected":"10.1.7"},{"introduced":"0"},{"last_affected":"11.0.0-milestone2"},{"introduced":"0"},{"last_affected":"11.0.0-milestone3"},{"introduced":"0"},{"last_affected":"11.0.0-milestone4"}]}}],"versions":["10.1.7","11.0.0-M2","11.0.0-M3","11.0.0-M4","8.5.87","9.0.73"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"12.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-28709.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}