...

Columns: date, CVE, description, versions, Risk for Delft-FEWS, JIRA, upgrade strategy

June 2023
  • CVE: CVE-2023-34981
  • Description: A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did not include any HTTP headers, no AJP SEND_HEADERS message would be sent for the response, which in turn meant that at least one AJP proxy (mod_proxy_ajp) would use the response headers from the previous request, leading to an information leak.
  • Versions: Apache Tomcat 10.1.8; Apache Tomcat 9.0.74
  • Risk for Delft-FEWS: None, we do not use AJP proxy
  • Upgrade strategy: Upgrade to latest version of Apache Tomcat.
    Note: Delft-FEWS releases < 2023.01 require Apache Tomcat 9; releases >= 2023.01 require Apache Tomcat 10.

May 2023
  • CVE: CVE-2022-28079
  • Description: The fix for CVE-2023-24998 was incomplete. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters, and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed, with the potential for a denial of service to occur.
  • Upgrade strategy: Upgrade to latest version of Apache Tomcat.
    Note: Delft-FEWS releases < 2023.01 require Apache Tomcat 9; releases >= 2023.01 require Apache Tomcat 10.

...