CVE-2023-28709: 
Java vulnerability analysis and mitigation

The vulnerability (CVE-2023-28709) was identified in Apache Tomcat versions 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73, and 8.5.85 to 8.5.87. This vulnerability stems from an incomplete fix for a previous vulnerability (CVE-2023-24998). The issue was discovered by Chenwei Jiang, Chenfeng Nie, and Yue Yang from the Huawei Nebula Security Lab and was publicly disclosed on May 22, 2023 (OSS Security).

The vulnerability occurs when non-default HTTP connector settings are used such that the maxParameterCount could be reached using query string parameters. When a request is submitted that supplies exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The successful exploitation of this vulnerability could lead to a Denial of Service (DoS) condition. The vulnerability affects the availability of the system while not impacting confidentiality or integrity (NetApp Advisory).

Users of affected versions should upgrade to Apache Tomcat 11.0.0-M5 or later, 10.1.8 or later, 9.0.74 or later, or 8.5.88 or later to address this vulnerability. No alternative workarounds have been provided (OSS Security).