DSA-5667-1 tomcat9 -- tomcat9ID: oval:org.secpod.oval:def:613063 | Date: (C)2024-04-26 (M)2024-04-26 |
Class: PATCH | Family: unix |
Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine. CVE-2023-46589 Tomcat 9 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. CVE-2024-24549 Denial of Service due to improper input validation vulnerability for HTTP/2. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed. CVE-2024-23672 Denial of Service via incomplete cleanup vulnerability. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.
Product: |
libtomcat9-embed-java |
libtomcat9-java |
tomcat9 |