GHSA-cx6h-86xw-9x34

GitHub Security Advisory

Apache Tomcat - Fix for CVE-2023-24998 was incomplete

Severity: HIGH | GitHub Reviewed | Has CVE

Advisory Details

The fix for CVE-2023-24998 was incomplete. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.
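The sentence above pins the bypass to one exact value: a query string carrying precisely maxParameterCount parameters. The model below is an added illustration and is not Tomcat's code. It assumes (this page does not say so) that the part limit is derived as maxParameterCount minus the query parameters already parsed, and that the vulnerable part parser read a remaining budget of 0 as "no limit", which is the one reading under which fewer parameters are safe, more are rejected at parameter parsing, and exactly maxParameterCount lets an unbounded number of parts through. The hardened variant reserves a single sentinel (-1) for "unlimited" so that 0 means zero parts. All names, the small limit of 4 and the sample query strings are constructed for the example.

```python
# Added illustration of the boundary condition in the advisory text.
# NOT Tomcat's code. Assumption (not confirmed by the advisory page): the
# remaining part budget is maxParameterCount minus parsed query parameters,
# and the vulnerable parser treated a budget of 0 as "unlimited".
from typing import Callable, List, Optional


class PartLimitExceeded(Exception):
    """Raised when a multipart body carries more parts than the budget allows."""


class ParameterLimitExceeded(Exception):
    """Raised when query-string parameters exceed maxParameterCount."""


def count_query_params(query_string: str) -> int:
    """Count non-empty `key` / `key=value` pairs in a raw query string."""
    if not query_string:
        return 0
    return sum(1 for pair in query_string.split("&") if pair)


def remaining_part_budget(max_parameter_count: int, query_string: str) -> int:
    """Budget left for multipart parts once query parameters are counted.

    Parts and parameters share one counter. A negative limit means
    unlimited and is passed through as -1; otherwise parts get the remainder.
    """
    if max_parameter_count < 0:
        return -1
    n = count_query_params(query_string)
    if n > max_parameter_count:
        raise ParameterLimitExceeded(n)
    return max_parameter_count - n


def parse_parts_vulnerable(parts: List[bytes], budget: int) -> int:
    """Vulnerable model: any budget <= 0 is taken to mean 'no limit'.

    With exactly maxParameterCount query parameters the budget is 0, so the
    part count is never checked and an attacker can send as many parts as
    the body allows.
    """
    if budget <= 0:
        return len(parts)
    if len(parts) > budget:
        raise PartLimitExceeded(len(parts))
    return len(parts)


def parse_parts_fixed(parts: List[bytes], budget: int) -> int:
    """Hardened model: only the -1 sentinel is unlimited; 0 allows no parts."""
    if budget == -1:
        return len(parts)
    if len(parts) > budget:
        raise PartLimitExceeded(len(parts))
    return len(parts)


def accepted_parts(parser: Callable[[List[bytes], int], int],
                   max_parameter_count: int, query_string: str,
                   n_parts: int) -> Optional[int]:
    """Number of parts accepted for a request, or None if a limit fired."""
    try:
        budget = remaining_part_budget(max_parameter_count, query_string)
        return parser([b"x"] * n_parts, budget)
    except (PartLimitExceeded, ParameterLimitExceeded):
        return None


if __name__ == "__main__":
    MAXP = 4  # constructed, deliberately tiny maxParameterCount
    for q in ["a=1&b=2&c=3", "a=1&b=2&c=3&d=4", "a=1&b=2&c=3&d=4&e=5"]:
        n = count_query_params(q)
        print(f"{n} query params, 100 parts -> "
              f"vulnerable={accepted_parts(parse_parts_vulnerable, MAXP, q, 100)} "
              f"fixed={accepted_parts(parse_parts_fixed, MAXP, q, 100)}")
```

Running it shows the shape of the bug: three parameters leave a budget of 1 and both models reject 100 parts, five parameters are rejected before parts are even looked at, and exactly four parameters make the vulnerable model accept all 100 parts while the hardened model accepts none. The remediation on this page is the version upgrade listed under Affected Packages, not a configuration change.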

Affected Packages

Maven org.apache.tomcat.embed:tomcat-embed-core
Affected versions: >= 11.0.0-M2, < 11.0.0-M5 (fixed in 11.0.0-M5)
Maven org.apache.tomcat.embed:tomcat-embed-core
Affected versions: >= 10.1.5, < 10.1.8 (fixed in 10.1.8)
Maven org.apache.tomcat.embed:tomcat-embed-core
Affected versions: >= 9.0.71, < 9.0.74 (fixed in 9.0.74)
Maven org.apache.tomcat:tomcat-coyote
Affected versions: >= 8.5.85, < 8.5.88 (fixed in 8.5.88)

Key Information

GHSA ID
GHSA-cx6h-86xw-9x34
Published
July 6, 2023 9:14 PM
Last Modified
April 24, 2024 7:16 PM
CVSS Score
7.5 / 10 (HIGH)
Primary Ecosystem
Maven
Primary Package
org.apache.tomcat.embed:tomcat-embed-core
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 27, 2025 6:35 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.