Bugzilla – Bug 1219023
VUL-0: CVE-2024-21733: tomcat,tomcat10: leaking of unrelated request bodies in default error page
Last modified: 2024-07-08 10:35:32 UTC
Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat.This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43. Users are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-21733 https://seclists.org/oss-sec/2024/q1/34 https://www.cve.org/CVERecord?id=CVE-2024-21733 https://lists.apache.org/thread/h9bjqdd0odj6lhs2o96qgowcc6hb0cfz http://www.openwall.com/lists/oss-security/2024/01/19/2 https://bugzilla.redhat.com/show_bug.cgi?id=2259204 Patch: 8.5.x - https://github.com/apache/tomcat/commit/9b44626e136c89a107dd4458ad4bde6123359fd6 9.x - https://github.com/apache/tomcat/commit/ce4b154e7b48f66bd98858626347747cd2514311 10.x - https://github.com/apache/tomcat/commit/86ccc43940861703c2be96a5f35384407522125a
Tracking as affected: -SUSE:SLE-15-SP2:Update/tomcat
(In reply to Andrea Mattiazzo from comment #2) > Tracking as affected: > -SUSE:SLE-15-SP2:Update/tomcat Miss typed, SUSE:SLE-12-SP4:Update/tomcat
A customer is asking for the fix of CVE-2024-21733 on sles12-sp5. Is there an estimated date of release in the next MU.
SUSE-SU-2024:0829-1: An update that solves one vulnerability and has one security fix can now be installed. Category: security (important) Bug References: 1219023, 1220503 CVE References: CVE-2024-21733 Sources used: SUSE Linux Enterprise High Performance Computing 12 SP5 (src): tomcat-9.0.36-3.121.1 SUSE Linux Enterprise Server 12 SP5 (src): tomcat-9.0.36-3.121.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): tomcat-9.0.36-3.121.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
fixed