CVE-2023-28708 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	4.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
apache	CNA	---				---
CVE	ADP	---				---
CISA-ADP	ADP	4.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 27%

Vendor	Product	Version
apache	tomcat	8.5.0 ≤ 𝑥 < 8.5.86
apache	tomcat	9.0.0 < 𝑥 < 9.0.72
apache	tomcat	10.1.0 < 𝑥 < 10.1.6
apache	tomcat	11.0.0:milestone1
apache	tomcat	11.0.0:milestone2

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

tomcat10

bookworm	10.1.6-1+deb12u2 fixed
bookworm (security)	10.1.6-1+deb12u2 fixed
sid	10.1.34-1 fixed
trixie	10.1.34-1 fixed

tomcat9

bullseye (security)	9.0.43-2~deb11u10 fixed
bullseye	9.0.43-2~deb11u10 fixed
bookworm	9.0.70-2 fixed
sid	9.0.95-1 fixed
trixie	9.0.95-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

tomcat10

oracular	needs-triage
noble	needs-triage
mantic	ignored
lunar	ignored
kinetic	dne
jammy	dne
focal	dne
bionic	dne
xenial	ignored
trusty	ignored

tomcat8

kinetic	dne
jammy	dne
focal	dne
bionic	needs-triage
xenial	needs-triage
trusty	ignored

tomcat9

oracular	needs-triage
noble	needs-triage
mantic	ignored
lunar	ignored
kinetic	ignored
jammy	Fixed 9.0.58-1ubuntu0.1+esm4 released
focal	Fixed 9.0.31-1ubuntu0.8 released
bionic	Fixed 9.0.16-3ubuntu0.18.04.2+esm4 released
xenial	ignored
trusty	ignored

Common Weakness Enumeration

CWE-523 - Unprotected Transport of Credentials
Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.

References

https://lists.apache.org/thread/hdksc59z3s7tm39x0pp33mtwdrt8qr67

https://lists.apache.org/thread/hdksc59z3s7tm39x0pp33mtwdrt8qr67

https://security.netapp.com/advisory/ntap-20230331-0012/