Missing CVE-2023-44487 advisory for Apache Tomcat

[biehl1]

Hello,

It came to attention that maven org.apache.tomcat:tomcat and org.apache.tomcat.embed:tomcat-embed-core are not part of any advisory related to CVE-2023-44487.

As there is no existing GHSA specific to tomcat and this CVE, how to contribute one?

Refs:
https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.0-M12
https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.81
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.94

Thanks

[biehl1]

Looks like there is really no GHSA initiated by National Vulnerability Database on this CVE.
https://github.com/advisories?query=CVE-2023-44487

NIST CPEs map tons of components: https://nvd.nist.gov/vuln/detail/CVE-2023-44487

[darakian]

I went ahead and genericized GHSA-qppj-fm5r-hxr3 so that it's primarily discussing the HTTP/2 rapid reset attack rather than being specific to one swift package. That OG description is preserved but is at the end of the advisory now. The tomcats have been added so you should start seeing alerts now 👍

Please feel free to yell furiously if anything looks amiss, but I'm going to close this issue out on the assumption that everything is good 😄

[biehl1]

Perfect, many thanks!!