2259204 – (CVE-2024-21733) CVE-2024-21733 tomcat: Leaking of unrelated request bodies in default error page

Bug 2259204 (CVE-2024-21733) - CVE-2024-21733 tomcat: Leaking of unrelated request bodies in default error page

Summary: CVE-2024-21733 tomcat: Leaking of unrelated request bodies in default error page

Keywords:
Status:	NEW
Alias:	CVE-2024-21733
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2259223 2259224
Blocks:	2259227
TreeView+	depends on / blocked

Reported:	2024-01-19 14:00 UTC by Mauro Matteo Cascella
Modified:	2024-05-06 14:10 UTC (History)
CC List:	68 users (show)
Fixed In Version:	tomcat 9.0.44, tomcat 8.5.64
Doc Type:	If docs needed, set a value
Doc Text:	An information disclosure vulnerability was found in Apache Tomcat. Incomplete POST requests triggered an error response that could contain data from a previous HTTP request. This flaw allows a remote attacker to access files from another user that should be otherwise prevented by limits or authentication.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2024:2707	0	None	None	None	2024-05-06 14:10:36 UTC

Description Mauro Matteo Cascella 2024-01-19 14:00:57 UTC

Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43. Users are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue.

References:
http://www.openwall.com/lists/oss-security/2024/01/19/2
https://lists.apache.org/thread/h9bjqdd0odj6lhs2o96qgowcc6hb0cfz

Comment 1 Mauro Matteo Cascella 2024-01-19 14:06:41 UTC

Tomcat security advisories:
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.44
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.64

Upstream fix:
https://github.com/apache/tomcat/commit/86ccc43940861703c2be96a5f35384407522125a [9.0.44]
https://github.com/apache/tomcat/commit/ce4b154e7b48f66bd98858626347747cd2514311 [8.5.64]

Comment 6 errata-xmlrpc 2024-05-06 14:10:32 UTC

This issue has been addressed in the following products:

  Red Hat build of Apache Camel 4.4.0 for Spring Boot

Via RHSA-2024:2707 https://access.redhat.com/errata/RHSA-2024:2707

Note You need to log in before you can comment on or make changes to this bug.

adupliak
aileenc
anstephe
asoldano
ataylor
avibelli
bbaranow
bgeorges
bmaxwell
boliveir
brian.stansberry
cdewolf
chazlett
chfoley
cmiranda
cmoulliard
csutherl
darran.lofthouse
dhanak
dkreling
dosoudil
drichtar
fjuma
fmariani
gmalinko
ibek
ikanello
ivassile
iweiss
janstey
jclere
jpoth
jrokos
jross
jscholz
kaycoth
kverlaen
lgao
lthon
mmadzin
mnovotny
mosmerov
msochure
mstefank
msvehla
mulliken
nwallace
pcongius
pdelbell
pdrozd
peholase
pgallagh
pjindal
pmackay
pskopek
rguimara
rkieley
rowaters
rruss
rstancel
saroy
smaestri
sthorger
swoodman
szappis
tcunning
tom.jenkinson
yfang