Description
The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.
References (9)
Scores
CVSS v3
7.5
EPSS
0.0428
EPSS Percentile
88.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-772
Status
published
Products (32)
apache/tomcat
10.0.0 milestone10
apache/tomcat
10.1.0 milestone1 (5 CPE variants)
apache/tomcat
8.5.60 - 8.5.72
debian/debian_linux
11.0
netapp/hci
netapp/management_services_for_element_software
oracle/agile_engineering_data_management
6.2.1.0
oracle/big_data_spatial_and_graph
< 23.1
oracle/communications_diameter_signaling_router
8.0.0.0 - 8.5.0.2
oracle/hospitality_cruise_shipboard_property_management_system
20.1.0
... and 22 more
Published
Oct 14, 2021
Tracked Since
Feb 18, 2026