12 Jul 2023 13:23:32 Prodan, Andreea Adriana <andreea.pro...@siemens.com.INVALID>:


In regard to CVE-2023-28709<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28709> we would like to know if the vulnerability caused by the incomplete fix, "If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur",  was completely fixed in the release 9.0.74 and thus is enough just to do an upgrade to a version >= 9.0.74 to solve the issue.

Regards,> Andreea Prodan

What part of https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.74 is not sufficiently clear?


To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to