Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.85

Type maven

Namespace org.apache.tomcat.embed

Name tomcat-embed-core

Version 8.5.85

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 8.5.86

Latest_non_vulnerable_version 11.0.18

Affected_by_vulnerabilities

url VCID-kbpn-7esm-77ew

vulnerability_id VCID-kbpn-7esm-77ew

summary

Incomplete Cleanup vulnerability in Apache Tomcat.

The internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, 
in progress refactoring that exposed a potential denial of service on 
Windows if a web application opened a stream for an uploaded file but 
failed to close the stream. The file would never be deleted from disk 
creating the possibility of an eventual denial of service due to the 
disk being full.

Users are recommended to upgrade to version 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.

references

reference_url	https://lists.apache.org/thread/vvbr2ms7lockj1hlhz5q3wmxb2mwcw82
reference_id
reference_type
scores
url	https://lists.apache.org/thread/vvbr2ms7lockj1hlhz5q3wmxb2mwcw82

reference_url	http://www.openwall.com/lists/oss-security/2023/10/10/8
reference_id
reference_type
scores
url	http://www.openwall.com/lists/oss-security/2023/10/10/8

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2023-42794
reference_id	CVE-2023-42794
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2023-42794

reference_url	https://github.com/advisories/GHSA-jm7m-8jh6-29hp
reference_id	GHSA-jm7m-8jh6-29hp
reference_type
scores
url	https://github.com/advisories/GHSA-jm7m-8jh6-29hp

fixed_packages

url	pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.94
purl	pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.94
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.94

url	pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.81
purl	pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.81
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.81

aliases CVE-2023-42794, GHSA-jm7m-8jh6-29hp

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kbpn-7esm-77ew

url VCID-ryby-gbcx-33ec

vulnerability_id VCID-ryby-gbcx-33ec

summary

Off-by-one Error
The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.

references

reference_url	https://lists.apache.org/thread/7wvxonzwb7k9hx9jt3q33cmy7j97jo3j
reference_id
reference_type
scores
url	https://lists.apache.org/thread/7wvxonzwb7k9hx9jt3q33cmy7j97jo3j

reference_url	http://www.openwall.com/lists/oss-security/2023/05/22/1
reference_id
reference_type
scores
url	http://www.openwall.com/lists/oss-security/2023/05/22/1

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2023-28709
reference_id	CVE-2023-28709
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2023-28709

fixed_packages

url pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.88

purl pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.88

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-5g79-2c83-v7dq

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.88

url pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.74

purl pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.74

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-5g79-2c83-v7dq

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.74

url pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@10.1.8

purl pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@10.1.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-5g79-2c83-v7dq

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@10.1.8

aliases CVE-2023-28709

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ryby-gbcx-33ec

Fixing_vulnerabilities

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.85

Package Instance