PT-2023-4888 · Atlassian (+6 more vendors) · Confluence Data Center/Server (+9 more products)
Credited researchers: Chenfeng Nie (+2 more)
Published 2023-04-19 · Updated 2026-03-26
CVE-2023-28709
CVSS v2.0: 7.8 (High)
| Vector | AV:N/AC:L/Au:N/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 11.0.0-M2 through 11.0.0-M4
Apache Tomcat versions 10.1.5 through 10.1.7
Apache Tomcat versions 9.0.71 through 9.0.73
Apache Tomcat versions 8.5.85 through 8.5.87
Bamboo Data Center and Server version 8.1.12 and later, prior to 9.2.4 and 9.3.1
Confluence Data Center & Server versions 7.13.15 through 7.13.18
Confluence Data Center & Server versions 7.19.7 through 7.19.10
Confluence Data Center & Server versions 8.1.1 through 8.4.0
Description
The issue stems from an incomplete fix for an earlier Apache Tomcat vulnerability and can be exploited to bypass the limit on the number of uploaded request parts, potentially leading to a denial of service. It occurs only when non-default HTTP connector settings are used, such that an attacker can reach maxParameterCount using query string parameters alone. If a request is submitted with exactly maxParameterCount parameters in the query string, the limit on uploaded request parts is bypassed.
Recommendations
For Apache Tomcat versions 11.0.0-M2 through 11.0.0-M4, upgrade to a version later than 11.0.0-M4.
For Apache Tomcat versions 10.1.5 through 10.1.7, upgrade to a version later than 10.1.7.
For Apache Tomcat versions 9.0.71 through 9.0.73, upgrade to a version later than 9.0.73.
For Apache Tomcat versions 8.5.85 through 8.5.87, upgrade to a version later than 8.5.87.
For Bamboo Data Center and Server, upgrade to version 9.2.4 or 9.3.1, or later.
For Confluence Data Center & Server, upgrade to version 7.13.19, 7.19.11, or 8.4.1, or later.
As a temporary workaround, consider restricting access to the vulnerable maxParameterCount parameter in the HTTP connector settings until a patch can be applied.
Exploit
Fix
DoS
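The description above gives a concrete, detectable signature: a multipart upload whose query string carries exactly maxParameterCount parameters. The following script is an added example, not code from the advisory, from Apache Tomcat or from Atlassian. It scans access-log lines for that pattern so that a defender can check whether the condition is being hit on a connector that uses a non-default maxParameterCount. It assumes a custom Tomcat AccessLogValve pattern of `%h %t "%r" %s "%{Content-Type}i"` (the default pattern does not record Content-Type), an assumed configured maxParameterCount of 4, and constructed sample log lines; the parameter-counting rule (split on `&`, ignore empty segments) is a stated approximation of how a servlet container counts query parameters.

```python
"""Detection heuristic for the condition described in CVE-2023-28709.

Added example (not part of the original advisory). Flags multipart POST
requests whose query string carries exactly max_parameter_count
parameters, the request shape the advisory says bypasses the
uploaded-part limit on affected Tomcat versions.
"""
import re
from urllib.parse import urlsplit

# Assumption: the HTTP connector is configured with a non-default
# maxParameterCount of 4 (constructed value for this example).
MAX_PARAMETER_COUNT = 4

# Assumption: AccessLogValve pattern  %h %t "%r" %s "%{Content-Type}i"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) "(?P<ctype>[^"]*)"$'
)


def count_query_params(target: str) -> int:
    """Count name=value pairs in the request target's query string.

    Approximation of the container's counting rule: segments are
    separated by '&' and empty segments are ignored.
    """
    query = urlsplit(target).query
    return sum(1 for part in query.split("&") if part)


def is_suspect(line: str, max_parameter_count: int = MAX_PARAMETER_COUNT) -> bool:
    """Return True for a multipart POST whose query string has exactly
    max_parameter_count parameters; False for anything else, including
    lines that do not match the assumed log pattern."""
    m = LOG_RE.match(line)
    if not m:
        return False
    if m.group("method") != "POST":
        return False
    if not m.group("ctype").lower().startswith("multipart/form-data"):
        return False
    return count_query_params(m.group("target")) == max_parameter_count


def scan(lines, max_parameter_count: int = MAX_PARAMETER_COUNT):
    """Return the subset of log lines that match the suspect pattern."""
    return [line for line in lines if is_suspect(line, max_parameter_count)]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 [19/Apr/2023:10:00:01 +0000] "POST /upload?a=1&b=2&c=3&d=4 HTTP/1.1" '
    '200 "multipart/form-data; boundary=----xyz"',
    '10.0.0.5 [19/Apr/2023:10:00:02 +0000] "POST /upload?a=1&b=2 HTTP/1.1" '
    '200 "multipart/form-data; boundary=----xyz"',
    '10.0.0.6 [19/Apr/2023:10:00:03 +0000] "GET /search?a=1&b=2&c=3&d=4 HTTP/1.1" '
    '200 "-"',
    '10.0.0.7 [19/Apr/2023:10:00:04 +0000] "POST /form?a=1&b=2&c=3&d=4 HTTP/1.1" '
    '200 "application/x-www-form-urlencoded"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("suspect:", hit)
```

Only the first sample line is reported: it is a multipart POST with exactly four query parameters. A hit shows that the precondition from the description is being exercised, not that the part limit was actually bypassed; the durable fix remains upgrading to the versions listed under Recommendations.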
Affected Products
Alt Linux
Almalinux
Apache Tomcat
Bamboo
Bamboo Data Center/Server
Centos
Confluence
Confluence Data Center/Server
Red Hat
Suse