CVE-2024-23672

Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.

Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
apacheCNA
---
---
CISA-ADPADP
6.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 61%
VendorProductVersion
apachetomcat
8.5.0 ≤
𝑥
< 8.5.99
apachetomcat
9.0.0 ≤
𝑥
< 9.0.86
apachetomcat
10.1.0 ≤
𝑥
< 10.1.19
apachetomcat
11.0.0:milestone1
apachetomcat
11.0.0:milestone10
apachetomcat
11.0.0:milestone11
apachetomcat
11.0.0:milestone12
apachetomcat
11.0.0:milestone13
apachetomcat
11.0.0:milestone14
apachetomcat
11.0.0:milestone15
apachetomcat
11.0.0:milestone16
apachetomcat
11.0.0:milestone2
apachetomcat
11.0.0:milestone3
apachetomcat
11.0.0:milestone4
apachetomcat
11.0.0:milestone5
apachetomcat
11.0.0:milestone6
apachetomcat
11.0.0:milestone7
apachetomcat
11.0.0:milestone8
apachetomcat
11.0.0:milestone9
debiandebian_linux
10.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
tomcat10
bookworm
10.1.34-0+deb12u2
fixed
bookworm (security)
10.1.34-0+deb12u2
fixed
sid
10.1.40-1
fixed
trixie
10.1.40-1
fixed
tomcat9
bullseye
9.0.43-2~deb11u10
fixed
bullseye (security)
9.0.43-2~deb11u12
fixed
bookworm
9.0.70-2
fixed
sid
9.0.95-1
fixed
trixie
9.0.95-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
tomcat10
plucky
needs-triage
oracular
needs-triage
noble
needs-triage
mantic
ignored
jammy
dne
focal
dne
tomcat6
plucky
dne
oracular
dne
noble
dne
mantic
dne
jammy
dne
focal
dne
xenial
needs-triage
trusty
needs-triage
tomcat7
plucky
dne
oracular
dne
noble
dne
mantic
dne
jammy
dne
focal
dne
bionic
needs-triage
xenial
needs-triage
trusty
needs-triage
tomcat8
plucky
dne
oracular
dne
noble
dne
mantic
dne
jammy
dne
focal
dne
bionic
needs-triage
xenial
needs-triage
tomcat9
plucky
needs-triage
oracular
needs-triage
noble
needs-triage
mantic
ignored
jammy
Fixed 9.0.58-1ubuntu0.1+esm4
released
focal
Fixed 9.0.31-1ubuntu0.8
released
bionic
Fixed 9.0.16-3ubuntu0.18.04.2+esm4
released
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2024/03/13/4
https://lists.apache.org/thread/cmpswfx6tj4s7x0nxxosvfqs11lvdx2f
https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55/
https://security.netapp.com/advisory/ntap-20240402-0002/
http://www.openwall.com/lists/oss-security/2024/03/13/4
https://lists.apache.org/thread/cmpswfx6tj4s7x0nxxosvfqs11lvdx2f
https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55/
https://security.netapp.com/advisory/ntap-20240402-0002/