| Package | tomcat8 |
|---|---|
| Version | 8.0.14-1+deb8u26 (jessie), 8.5.54-0+deb9u11 (stretch) |
| Related CVEs | CVE-2023-24998 CVE-2023-41080 |
Two security vulnerabilities were discovered in Apache Tomcat, a servlet and JSP engine.
CVE-2023-24998
Apache Tomcat uses a packaged renamed copy of Apache Commons FileUpload to
provide the file upload functionality defined in the Jakarta Servlet
specification. Apache Tomcat was, therefore, also vulnerable to the Apache
Commons FileUpload vulnerability CVE-2023-24998 as there was no limit to
the number of request parts processed. This resulted in the possibility of
an attacker triggering a DoS with a malicious upload or series of uploads.
CVE-2023-41080
If the ROOT (default) web application is configured to use FORM
authentication then it is possible that a specially crafted URL could be
used to trigger a redirect to an URL of the attacker's choice.
For Debian 8 jessie, these problems have been fixed in version 8.0.14-1+deb8u26.
For Debian 9 stretch, these problems have been fixed in version 8.5.54-0+deb9u11.
We recommend that you upgrade your tomcat8 packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.