Incomplete Cleanup Vulnerability in Apache Tomcat Could Lead to Denial of Service
CVE-2024-23672

6.3MEDIUM

Key Information:

Vendor: Apache
Status: Apache Tomcat
Vendor: CVE Published:; 13 March 2024

What is CVE-2024-23672?

Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.

Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.

Affected Version(s)

Apache Tomcat 11.0.0-M1 <= 11.0.0-M16

Apache Tomcat 10.1.0-M1 <= 10.1.18

Apache Tomcat 9.0.0-M1 <= 9.0.85

References

https://lists.apache.org/thread/cmpswfx6tj4s7x0nxxosvfqs1...

vendor-advisory

https://security.netapp.com/advisory/ntap-20240402-0002/

https://lists.debian.org/debian-lts-announce/2024/04/msg0...

CVSS V3.1

Score:

6.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 13, 2024
Vulnerability Reserved
Jan 19, 2024