Hey all, Sonatype are of the opinion that CVE-2023-42794 is also applicable to the 10.x and 11.x streams of Tomcat and issued the notice: The Sonatype Security Research team discovered that this vulnerability is also present and remains unfixed in the 10.x and 11.x branches of Apache Tomcat.
I assume they are basing that on the 10.1.x branch missing this commit: https://github.com/apache/tomcat/commit/43b882b8a577684498ab9b8851aa0427216784f7 https://github.com/apache/tomcat/commits/10.1.x/java/org/apache/tomcat/util/http/fileupload/disk/DiskFileItem.java Are the 10.x and 11.x streams vulnerable to CVE-2023-42794? Thanks, *Donal Anglin* -- This message contains proprietary information from Equifax which may be confidential. If you are not an intended recipient, please refrain from any disclosure, copying, distribution or use of this information and note that such actions are prohibited. If you have received this transmission in error, please notify by e-mail postmas...@equifax.com <mailto:postmas...@equifax.com>. Equifax® is a registered trademark of Equifax Inc. All rights reserved.