[GHSA-f4qf-m5gf-8jm8] Apache Tomcat vulnerable to Generation of Error Message Containing Sensitive Information

[aruneko]

Updates

• Affected products

Comments
improve affected packages

[Copilot]

Pull request overview

Updates the GHSA advisory entry for CVE-2024-21733 (Apache Tomcat “Generation of Error Message Containing Sensitive Information”) to more accurately represent affected Maven artifacts and version ranges in the advisory database.

Changes:

• Expanded the affected list to include additional relevant Maven coordinates (Tomcat embed artifacts and an experimental embed module).
• Added explicit affected version ranges for the 8.5.x and 9.0.x lines where applicable.
• Bumped the advisory modified timestamp.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.

[aruneko]

How is the status of a review for this pull request?

[JonathanLEvans]

Hi @aruneko,

Could you show us how you determined that the versions of org.apache.tomcat.experimental:tomcat-embed-programmatic are affected.

[aruneko]

Hello, thank you for your confirmation.

In fact, org.apache.tomcat.experimental:tomcat-embed-programmatic contains org.apache.tomcat:tomcat-coyote. That's why, I added the package as an affected.