Incomplete Cleanup Vulnerability in Apache Tomcat Could Lead to Denial of Service
CVE-2024-23672

6.3MEDIUM

Key Information:

Vendor: Apache
Status: Apache Tomcat
Vendor: CVE Published:; 13 March 2024

Summary

Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.

Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.

Affected Version(s)

Apache Tomcat 11.0.0-M1 <= 11.0.0-M16

Apache Tomcat 10.1.0-M1 <= 10.1.18

Apache Tomcat 9.0.0-M1 <= 9.0.85

References

https://lists.apache.org/thread/cmpswfx6tj4s7x0nxxosvfqs1...

vendor-advisory

https://security.netapp.com/advisory/ntap-20240402-0002/

https://lists.debian.org/debian-lts-announce/2024/04/msg0...

CVSS V3.1

Score:

6.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 13, 2024
Vulnerability Reserved
Jan 19, 2024