...
| date | CVE | library | description | versions | Risk for Delft-FEWS | JIRA | upgrade strategy |
|---|---|---|---|---|---|---|---|
| Apr 2022 | CVE-2022-28085 | htmldoc (optionally supplied component not part of the Delft-FEWS binaries) | A flaw was found in htmldoc commit 31f7804. A heap buffer overflow in the function pdf_write_names in ps-pdf.cxx may lead to arbitrary code execution and Denial of Service (DoS). | Up to 2022-03-24 | Up to (excluding) 2022-03-24 | FEWS-27693 | When using htmldoc, the end-user must be supplied with updated version from https://github.com/michaelrsweet/htmldoc/releases |
Apache Tomcat CVE score Critical and High
| date | CVE | description | versions | Risk for Delft-FEWS | JIRA | upgrade strategy |
|---|---|---|---|---|---|---|
| May 2023 | CVE-2022-28079 | The fix for CVE-2023-24998 was incomplete. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur. |
| Upgrade to latest version of Apache Tomcat. Note: Delft-FEWS releases < 2023.01 require Apache Tomcat 9, release >= 2023.01 require Apache Tomcat 10. |