CVE-2024-23672

EUVD-2024-1010
Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.

Older, EOL versions may also be affected.


Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CISA-ADPADP
6.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 68%
Affected Products (NVD)
VendorProductVersion
apachetomcat
8.5.0 ≤
𝑥
< 8.5.99
apachetomcat
9.0.0 ≤
𝑥
< 9.0.86
apachetomcat
10.1.0 ≤
𝑥
< 10.1.19
apachetomcat
11.0.0:milestone1
apachetomcat
11.0.0:milestone10
apachetomcat
11.0.0:milestone11
apachetomcat
11.0.0:milestone12
apachetomcat
11.0.0:milestone13
apachetomcat
11.0.0:milestone14
apachetomcat
11.0.0:milestone15
apachetomcat
11.0.0:milestone16
apachetomcat
11.0.0:milestone2
apachetomcat
11.0.0:milestone3
apachetomcat
11.0.0:milestone4
apachetomcat
11.0.0:milestone5
apachetomcat
11.0.0:milestone6
apachetomcat
11.0.0:milestone7
apachetomcat
11.0.0:milestone8
apachetomcat
11.0.0:milestone9
debiandebian_linux
10.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
tomcat10
bookworm
10.1.34-0+deb12u2
fixed
bookworm (security)
10.1.34-0+deb12u2
fixed
forky
10.1.46-1
fixed
sid
10.1.46-1
fixed
trixie
10.1.40-1
fixed
tomcat9
bookworm
9.0.70-2
fixed
bullseye
9.0.43-2~deb11u10
fixed
bullseye (security)
9.0.107-0+deb11u1
fixed
forky
9.0.111-1
fixed
sid
9.0.111-1
fixed
trixie
9.0.95-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
tomcat6
focal
dne
jammy
dne
mantic
dne
noble
dne
oracular
dne
plucky
dne
questing
dne
trusty
not-affected
xenial
not-affected
tomcat7
bionic
needs-triage
focal
dne
jammy
dne
mantic
dne
noble
dne
oracular
dne
plucky
dne
questing
dne
trusty
needs-triage
xenial
needs-triage
tomcat8
bionic
Fixed 8.5.39-1ubuntu1~18.04.3+esm5
released
focal
dne
jammy
dne
mantic
dne
noble
dne
oracular
dne
plucky
dne
questing
dne
xenial
needs-triage
tomcat9
bionic
Fixed 9.0.16-3ubuntu0.18.04.2+esm4
released
focal
Fixed 9.0.31-1ubuntu0.8
released
jammy
Fixed 9.0.58-1ubuntu0.1+esm4
released
mantic
ignored
noble
Fixed 9.0.70-2ubuntu0.1+esm2
released
oracular
Fixed 9.0.70-2ubuntu1.24.10.2
released
plucky
Fixed 9.0.70-2ubuntu1.25.04.2
released
questing
Fixed 9.0.70-2ubuntu3
released
tomcat10
focal
dne
jammy
dne
mantic
ignored
noble
Fixed 10.1.16-1ubuntu0.1~esm2
released
oracular
not-affected
plucky
not-affected
questing
not-affected
Common Weakness Enumeration
References
https://lists.apache.org/thread/cmpswfx6tj4s7x0nxxosvfqs11lvdx2f
http://www.openwall.com/lists/oss-security/2024/03/13/4
https://lists.apache.org/thread/cmpswfx6tj4s7x0nxxosvfqs11lvdx2f
https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55/
https://security.netapp.com/advisory/ntap-20240402-0002/