Lucene search

K
mageiaGentoo FoundationMGASA-2023-0319
HistoryNov 15, 2023 - 2:35 p.m.

Updated tomcat packages fix security vulnerabilities

2023-11-1514:35:09
Gentoo Foundation
advisories.mageia.org
29
tomcat
security vulnerabilities
incomplete cleanup
improper input validation
apache

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

AI Score

6.5

Confidence

High

EPSS

0.01

Percentile

83.5%

The updated packages fix security vulnerabilities: Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next. (CVE-2023-42795) Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. (CVE-2023-45648)

OSVersionArchitecturePackageVersionFilename
Mageia8noarchtomcat< 9.0.82-1tomcat-9.0.82-1.mga8
Mageia9noarchtomcat< 9.0.82-1tomcat-9.0.82-1.mga9

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

AI Score

6.5

Confidence

High

EPSS

0.01

Percentile

83.5%