Advisory ROSA-SA-2024-2418

Published: 2024-05-14 08:49:00
Source: ROSA LAB (abf.rosalinux.ru)
Tags: apache tomcat 9.0.37, vulnerabilities, resolved, denial of service, url redirection, incomplete clearing, input validation, http/2 protocol, unix

CVSS3: 7.5
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score: 7.3
Confidence: High
EPSS: 0.708
Percentile: 98.1%

software: tomcat 9.0.37
WASP: ROSA-CHROME

package_evr_string: tomcat-9.0.37-4

CVE-ID: CVE-2023-28709
BDU-ID: 2023-05380
CVE-Crit: HIGH
CVE-DESC.: An Apache Tomcat application server vulnerability is caused by an off-by-one error. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service.
CVE-STATUS: Resolved
CVE-REV: To close, run the command: sudo dnf update tomcat

CVE-ID: CVE-2023-41080
BDU-ID: 2023-04989
CVE-Crit: MEDIUM
CVE-DESC.: A vulnerability in the Apache Tomcat application server is related to URL redirection to an untrusted site (open redirect). Exploitation of the vulnerability could allow an attacker acting remotely to redirect a user to an arbitrary URL.
CVE-STATUS: Fixed
CVE-REV: To close, run the command: sudo dnf update tomcat

CVE-ID: CVE-2023-42794
BDU-ID: 2023-06729
CVE-Crit: HIGH
CVE-DESC.: A vulnerability in the Commons FileUpload component of the Apache Tomcat application server exists due to incomplete clearing of temporary or auxiliary resources. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service.
CVE-STATUS: Resolved
CVE-REV: To close, run the command: sudo dnf update tomcat

CVE-ID: CVE-2023-42795
BDU-ID: 2023-06728
CVE-Crit: HIGH
CVE-DESC.: An Apache Tomcat application server vulnerability exists due to incomplete clearing of temporary or auxiliary resources. Exploitation of the vulnerability could allow an attacker acting remotely to disclose protected information.
CVE-STATUS: Resolved
CVE-REV: To close, run the command: sudo dnf update tomcat

CVE-ID: CVE-2023-45648
BDU-ID: 2023-07041
CVE-Crit: MEDIUM
CVE-DESC.: A vulnerability in the Apache Tomcat application server is related to insufficient input validation. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service.
CVE-STATUS: Resolved
CVE-REV: To close, run the command: sudo dnf update tomcat

CVE-ID: CVE-2023-44487
BDU-ID: 2023-06559
CVE-Crit: HIGH
CVE-DESC.: A vulnerability in the HTTP/2 protocol implementation is related to the ability to generate a flood of requests within an already established network connection, without opening new network connections and without waiting for the server to acknowledge them. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service.
CVE-STATUS: Resolved
CVE-REV: To close, run the command: sudo dnf update tomcat

Affected packages:

OS    Version  Architecture  Package  Version   Filename
ROSA  any      noarch        tomcat   < 9.0.37  UNKNOWN
