CVE-2024-21733
Apache Tomcat: Leaking of unrelated request bodies in default error page
19 Public Exploits
2 Exploited in Wild
Descriptions
Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43. Users are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue.
An information disclosure vulnerability was found in Apache Tomcat. Incomplete POST requests triggered an error response that could contain data from a previous HTTP request. This flaw allows a remote attacker to access files from another user, access that limits or authentication should otherwise prevent.
Apache Tomcat suffers from a client-side de-sync vulnerability via HTTP request smuggling. Apache Tomcat versions 8.5.7 through 8.5.63 and 9.0.0-M11 through 9.0.43 are vulnerable.
Timeline
- 2024-01-01 CVE Reserved
- 2024-01-19 CVE Published
- 2024-02-01 First Exploit
- 2025-02-13 CVE Updated
- 2025-03-26 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-209: Generation of Error Message Containing Sensitive Information