{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-21733", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2024-01-01T10:42:14.573Z", "datePublished": "2024-01-19T10:29:04.694Z", "dateUpdated": "2025-02-13T17:33:16.811Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Tomcat", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "8.5.63", "status": "affected", "version": "8.5.7", "versionType": "semver"}, {"lessThanOrEqual": "9.0.43", "status": "affected", "version": "9.0.0-M11", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "xer0dayz from company Sn1perSecurity LLC"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat.<p>This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43.</p><p>Users are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue.</p>"}], "value": "Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat.This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43.\n\nUsers are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue."}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-209", "description": "CWE-209 Generation of Error Message Containing Sensitive Information", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-02-16T13:05:59.665Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/h9bjqdd0odj6lhs2o96qgowcc6hb0cfz"}, {"url": "http://www.openwall.com/lists/oss-security/2024/01/19/2"}, {"url": "http://packetstormsecurity.com/files/176951/Apache-Tomcat-8.5.63-9.0.43-HTTP-Response-Smuggling.html"}, {"url": "https://security.netapp.com/advisory/ntap-20240216-0005/"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Tomcat: Leaking of unrelated request bodies in default error page", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:27:36.206Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/h9bjqdd0odj6lhs2o96qgowcc6hb0cfz"}, {"url": "http://www.openwall.com/lists/oss-security/2024/01/19/2", "tags": ["x_transferred"]}, {"url": "http://packetstormsecurity.com/files/176951/Apache-Tomcat-8.5.63-9.0.43-HTTP-Response-Smuggling.html", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240216-0005/", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "2FC8F5FF-3E97-49CE-BF17-9ECFD0786E8F", "versionEndExcluding": "8.5.64", "versionStartIncluding": "8.5.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "51D2E845-77E6-4D63-B3AA-E5C819589BAD", "versionEndExcluding": "9.0.44", "versionStartIncluding": "9.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*", "matchCriteriaId": "8B6787B6-54A8-475E-BA1C-AB99334B2535", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*", "matchCriteriaId": "EABB6FBC-7486-44D5-A6AD-FFF1D3F677E1", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*", "matchCriteriaId": "E10C03BC-EE6B-45B2-83AE-9E8DFB58D7DB", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*", "matchCriteriaId": "8A6DA0BE-908C-4DA8-A191-A0113235E99A", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*", "matchCriteriaId": "39029C72-28B4-46A4-BFF5-EC822CFB2A4C", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*", "matchCriteriaId": "1A2E05A3-014F-4C4D-81E5-88E725FBD6AD", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*", "matchCriteriaId": "166C533C-0833-41D5-99B6-17A4FAB3CAF0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*", "matchCriteriaId": "D3768C60-21FA-4B92-B98C-C3A2602D1BC4", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*", "matchCriteriaId": "DDD510FA-A2E4-4BAF-A0DE-F4E5777E9325", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*", "matchCriteriaId": "C2409CC7-6A85-4A66-A457-0D62B9895DC1", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*", "matchCriteriaId": "B392A7E5-4455-4B1C-8FAC-AE6DDC70689E", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:*", "matchCriteriaId": "EF411DDA-2601-449A-9046-D250419A0E1A", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*", "matchCriteriaId": "D7D8F2F4-AFE2-47EA-A3FD-79B54324DE02", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*", "matchCriteriaId": "1B4FBF97-DE16-4E5E-BE19-471E01818D40", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*", "matchCriteriaId": "3B266B1E-24B5-47EE-A421-E0E3CC0C7471", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*", "matchCriteriaId": "29614C3A-6FB3-41C7-B56E-9CC3F45B04F0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*", "matchCriteriaId": "C6AB156C-8FF6-4727-AF75-590D0DCB3F9D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat.This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43.\n\nUsers are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue."}, {"lang": "es", "value": "Vulnerabilidad de generaci\u00f3n de mensaje de error que contiene informaci\u00f3n confidencial en Apache Tomcat. Este problema afecta a Apache Tomcat: desde 8.5.7 hasta 8.5.63, desde 9.0.0-M11 hasta 9.0.43. Se recomienda a los usuarios actualizar a la versi\u00f3n 8.5.64 en adelante o 9.0.44 en adelante, que contienen una soluci\u00f3n para el problema."}], "id": "CVE-2024-21733", "lastModified": "2025-02-13T18:16:43.363", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-19T11:15:08.043", "references": [{"source": "security@apache.org", "url": "http://packetstormsecurity.com/files/176951/Apache-Tomcat-8.5.63-9.0.43-HTTP-Response-Smuggling.html"}, {"source": "security@apache.org", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2024/01/19/2"}, {"source": "security@apache.org", "tags": ["Mailing List", "Patch", "Vendor Advisory"], "url": "https://lists.apache.org/thread/h9bjqdd0odj6lhs2o96qgowcc6hb0cfz"}, {"source": "security@apache.org", "url": "https://security.netapp.com/advisory/ntap-20240216-0005/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://packetstormsecurity.com/files/176951/Apache-Tomcat-8.5.63-9.0.43-HTTP-Response-Smuggling.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2024/01/19/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch", "Vendor Advisory"], "url": "https://lists.apache.org/thread/h9bjqdd0odj6lhs2o96qgowcc6hb0cfz"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20240216-0005/"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-209"}], "source": "security@apache.org", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:2707", "cpe": "cpe:/a:redhat:apache-camel-spring-boot:4.4.0", "package": "tomcat", "product_name": "Red Hat build of Apache Camel 4.4.0 for Spring Boot", "release_date": "2024-05-06T00:00:00Z"}, {"advisory": "RHSA-2024:3354", "cpe": "cpe:/a:redhat:jboss_fuse:7", "package": "tomcat", "product_name": "Red Hat Fuse 7.13.0", "release_date": "2024-05-23T00:00:00Z"}], "bugzilla": {"description": "tomcat: Leaking of unrelated request bodies in default error page", "id": "2259204", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2259204"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "verified"}, "cwe": "CWE-209", "details": ["Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat.This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43.\nUsers are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue.", "An information disclosure vulnerability was found in Apache Tomcat. Incomplete POST requests triggered an error response that could contain data from a previous HTTP request. This flaw allows a remote attacker to access files from another user that should be otherwise prevented by limits or authentication."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-21733", "package_state": [{"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "tomcat6", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "pki-deps:10.6/pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Not affected", "package_name": "org.keycloak-keycloak-parent", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5", "fix_state": "Not affected", "package_name": "jws5-tomcat", "product_name": "Red Hat JBoss Web Server 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6", "fix_state": "Not affected", "package_name": "jws6-tomcat", "product_name": "Red Hat JBoss Web Server 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat support for Spring Boot"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "streams for Apache Kafka"}], "public_date": "2024-01-19T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-21733\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-21733\nhttps://lists.apache.org/thread/h9bjqdd0odj6lhs2o96qgowcc6hb0cfz\nhttps://www.openwall.com/lists/oss-security/2024/01/19/2"], "statement": "Red Hat Enterprise Linux remains unaffected as the vulnerable version of Tomcat (e.g., versions 8.5.7 through 8.5.63 and 9.0.0 through 9.0.43) has not been shipped or included.", "threat_severity": "Important", "upstream_fix": "tomcat 9.0.44, tomcat 8.5.64"}