Incomplete Cleanup Vulnerability in Apache Tomcat Could Lead to Denial of Service
CVE-2024-23672

Currently unrated

Key Information:

Vendor: Apache
Status: Apache Tomcat
Vendor: CVE Published:; 13 March 2024

Summary

Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.

Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.

Affected Version(s)

Apache Tomcat 11.0.0-M1 <= 11.0.0-M16

Apache Tomcat 10.1.0-M1 <= 10.1.18

Apache Tomcat 9.0.0-M1 <= 9.0.85

References

https://lists.apache.org/thread/cmpswfx6tj4s7x0nxxosvfqs1...

vendor-advisory

https://security.netapp.com/advisory/ntap-20240402-0002/

https://lists.debian.org/debian-lts-announce/2024/04/msg0...

Timeline

Vulnerability published
Mar 13, 2024
Vulnerability Reserved
Jan 19, 2024