CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-21733: Apache Tomcat: Leaking of unrelated request bodies in default error page

Description

Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat.This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43.

Users are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue.

Classification

CVE ID: CVE-2024-21733

Affected Products

Vendor: Apache Software Foundation

Product: Apache Tomcat

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.53% (probability of being exploited)

EPSS Percentile: 77.29% (scored less or equal to compared to others)

EPSS Date: 2025-03-14 (when was this score calculated)

References

https://lists.apache.org/thread/h9bjqdd0odj6lhs2o96qgowcc6hb0cfz
http://www.openwall.com/lists/oss-security/2024/01/19/2
http://packetstormsecurity.com/files/176951/Apache-Tomcat-8.5.63-9.0.43-HTTP-Response-Smuggling.html
https://security.netapp.com/advisory/ntap-20240216-0005/

Timeline