Vulnerability DatabaseCVE-2024-23672
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2024-23672
March 13, 2024
Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
Affected Packages
org.apache.tomcat:tomcat-websocket (JAVA):
Affected version(s) >=9.0.0.M1 <9.0.86
Fix Suggestion:
Update to version 9.0.86
org.apache.tomcat:tomcat-websocket (JAVA):
Affected version(s) >=11.0.0-M1 <11.0.0-M17
Fix Suggestion:
Update to version 11.0.0-M17
org.apache.tomcat:tomcat-websocket (JAVA):
Affected version(s) >=10.1.0-M1 <10.1.19
Fix Suggestion:
Update to version 10.1.19
org.apache.tomcat:tomcat-websocket (JAVA):
Affected version(s) >=8.5.0 <8.5.99
Fix Suggestion:
Update to version 8.5.99
org.apache.tomcat.embed:tomcat-embed-websocket (JAVA):
Affected version(s) >=11.0.0-M1 <11.0.0-M17
Fix Suggestion:
Update to version 11.0.0-M17
org.apache.tomcat.embed:tomcat-embed-websocket (JAVA):
Affected version(s) >=9.0.0.M1 <9.0.86
Fix Suggestion:
Update to version 9.0.86
org.apache.tomcat.embed:tomcat-embed-websocket (JAVA):
Affected version(s) >=10.1.0-M1 <10.1.19
Fix Suggestion:
Update to version 10.1.19
org.apache.tomcat.embed:tomcat-embed-websocket (JAVA):
Affected version(s) >=8.5.0 <8.5.99
Fix Suggestion:
Update to version 8.5.99
Additional Notes
The description of this vulnerability differs from MITRE.
Related ResourcesĀ (15)
https://github.com/apache/tomcat/commit/3631adb1342d8bbd8598802a12b63ad02c37d591
https://github.com/apache/tomcat/commit/b0e3b1bd78de270d53e319d7cb79eb282aa53cb9
https://lists.apache.org/thread/cmpswfx6tj4s7x0nxxosvfqs11lvdx2f
https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html
https://nvd.nist.gov/vuln/detail/CVE-2024-23672
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55
https://security.netapp.com/advisory/ntap-20240402-0002
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B
https://github.com/apache/tomcat/commit/52d6650e062d880704898d7d8c1b2b7a3efe8068
https://github.com/apache/tomcat/commit/0052b374684b613b0c849899b325ebe334ac6501
http://www.openwall.com/lists/oss-security/2024/03/13/4
https://github.com/apache/tomcat
https://security.netapp.com/advisory/ntap-20240402-0002/
Do you need more information?
Contact Us
CVSS v4
Base Score:
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
LOW
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
LOW
Availability
LOW
Weakness Type (CWE)
Incomplete Cleanup
CWE-459
EPSS
Base Score:
0.6