Lucene search

K
redhatRedHatRHSA-2024:0125
HistoryJan 10, 2024 - 9:29 a.m.

(RHSA-2024:0125) Moderate: tomcat security update

2024-01-1009:29:51
access.redhat.com
12
apache tomcat
security update
open redirect
dos
information leak
request smuggling
cve-2023-41080
cve-2023-42794
cve-2023-42795
cve-2023-45648
java servlet
javaserver pages

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

7.3

Confidence

High

EPSS

0.01

Percentile

83.5%

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

Security Fix(es):

  • tomcat: Open Redirect vulnerability in FORM authentication (CVE-2023-41080)

  • tomcat: FileUpload: DoS due to accumulation of temporary files on Windows (CVE-2023-42794)

  • tomcat: improper cleaning of recycled objects could lead to information leak (CVE-2023-42795)

  • tomcat: incorrectly parsed http trailer headers can cause request smuggling (CVE-2023-45648)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

7.3

Confidence

High

EPSS

0.01

Percentile

83.5%