Apache Tomcat is a cornerstone of web technology: a free, open-source implementation of the Jakarta Servlet, Jakarta Expression Language and WebSocket specifications. As a "pure Java" HTTP server environment, Tomcat has long been the go-to platform for running Java web applications, even though it is not a full Java EE/Jakarta EE application server. A newly disclosed vulnerability, however, affects the widely deployed 8.5 and 9.0 branches.
The flaw, tracked as CVE-2024-21733 and rated "Important" by the Apache Tomcat security team, lies in how Tomcat handles incomplete POST requests. An incomplete POST, a routine occurrence in web traffic, triggers an error response. That in itself is expected; the problem is that the error response could contain data from a previous request sent by another user. The result is an information disclosure: a client that deliberately truncates a POST may be handed request data that belongs to someone else.
Security researcher xer0dayz from Sn1perSecurity LLC has been credited for reporting this flaw.
The affected versions are Apache Tomcat 9.0.0-M11 through 9.0.43 and Apache Tomcat 8.5.7 through 8.5.63. Any deployment running one of these releases is exposed to CVE-2024-21733 and could leak sensitive request data to other clients.
Users of the affected versions should upgrade to a patched release: Apache Tomcat 9.0.44 or later on the 9.0.x branch, or Apache Tomcat 8.5.64 or later on the 8.5.x branch. Both fixed releases shipped in 2021, well before the CVE identifier was assigned, so any instance still inside the affected range is also missing every other Tomcat security fix published since then.
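The version ranges above are easy to misread because the 9.0 range starts at a milestone build (9.0.0-M11) and milestone builds sort before the 9.0.0 point in the sequence, not after it. The following Python is an added example, not code from the Tomcat project or the advisory: it parses a Tomcat version string (such as the `Server version:` line printed by `catalina.sh version`, or the footer of a default error page) and reports whether it falls inside the two ranges the advisory lists. The range boundaries are the advisory's; the parsing rules and the handling of `9.0.0.M11`/`9.0.0-M11` spellings are assumptions made here, and anything outside the two listed branches is reported as "not listed", not as safe.

```python
import re
from typing import Optional, Tuple

# A parsed version: (major, minor, patch, milestone). milestone is None for a
# GA release, or the integer N of a 9.0.0.MN / 9.0.0-MN milestone build.
Version = Tuple[int, int, int, Optional[int]]

# Accepts "Apache Tomcat/9.0.43", "9.0.0.M11" and "9.0.0-M11" (assumed spellings).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?")

# Affected ranges and first fixed release, exactly as the advisory lists them.
# (lowest affected, highest affected, first fixed)
AFFECTED_RANGES = [
    ((9, 0, 0, 11), (9, 0, 43, None), (9, 0, 44, None)),
    ((8, 5, 7, None), (8, 5, 63, None), (8, 5, 64, None)),
]


def parse_version(text: str) -> Optional[Version]:
    """Pull the first x.y.z[.MN] version out of an arbitrary string."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch),
            int(milestone) if milestone is not None else None)


def sort_key(v: Version) -> Tuple[int, int, int, int, int]:
    """Ordering key: a milestone of x.y.z precedes the GA x.y.z, and
    milestones of the same x.y.z order by their number."""
    major, minor, patch, milestone = v
    if milestone is None:
        return (major, minor, patch, 1, 0)   # GA sorts after every milestone
    return (major, minor, patch, 0, milestone)


def format_version(v: Version) -> str:
    major, minor, patch, milestone = v
    base = f"{major}.{minor}.{patch}"
    return base if milestone is None else f"{base}-M{milestone}"


def assess(text: str) -> Tuple[str, Optional[str]]:
    """Return (status, first_fixed_release).

    status is "affected", "not_listed" (outside both advisory ranges; this
    includes fixed releases and branches the advisory does not mention) or
    "unparseable" (no version string found).
    """
    v = parse_version(text)
    if v is None:
        return ("unparseable", None)
    key = sort_key(v)
    for low, high, fixed in AFFECTED_RANGES:
        if sort_key(low) <= key <= sort_key(high):
            return ("affected", format_version(fixed))
    return ("not_listed", None)


if __name__ == "__main__":
    # Constructed sample inputs; not taken from any real host.
    for banner in ["Server version: Apache Tomcat/9.0.43",
                   "Apache Tomcat/9.0.0.M10", "Apache Tomcat/9.0.0-M11",
                   "Apache Tomcat/9.0.44", "Apache Tomcat/8.5.63 (Ubuntu)",
                   "Apache Tomcat/8.5.64", "Apache Tomcat/10.1.0", "nginx"]:
        status, fixed = assess(banner)
        print(f"{banner!r}: {status}" + (f", upgrade to {fixed}" if fixed else ""))
```

Treat the result as a triage aid, not a verdict: a distribution package may carry the fix under an older version number, and operators can strip or rewrite the version string Tomcat exposes, so the authoritative check is the version recorded in the installation itself.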