CVE-2024-23672

MEDIUM

Apache Tomcat < 8.5.99 - Denial of Service

Title source: rule

Description

Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open, leading to increased resource consumption on the server. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99, which fix the issue.
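The affected ranges above mix milestone builds (11.0.0-M16) with GA builds (10.1.18), so a naive string or numeric comparison gets the 11.0.0 branch wrong. The following version check is an added example written for this page, not code from the Apache Tomcat project or the advisory; it encodes only the fixed versions stated in the description, treats branches the advisory does not enumerate (EOL 7.0.x, 8.0.x, 10.0.x) as "unknown" rather than guessing, and pulls the version string out of `version.sh` output or the default error page footer, which both print it as "Apache Tomcat/x.y.z".

```python
"""Version check for CVE-2024-23672 (added example, not from the advisory).

Ranges from the advisory text:
  11.0.0-M1 .. 11.0.0-M16   fixed in 11.0.0-M17
  10.1.0-M1 .. 10.1.18      fixed in 10.1.19
  9.0.0-M1  .. 9.0.85       fixed in 9.0.86
  8.5.0     .. 8.5.98       fixed in 8.5.99
Other branches are EOL and "may also be affected"; they are reported as unknown.
"""
import re

# (major, minor) branch -> first fixed version, straight from the advisory
FIXED = {
    (11, 0): "11.0.0-M17",
    (10, 1): "10.1.19",
    (9, 0): "9.0.86",
    (8, 5): "8.5.99",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")
# Matches the banner Tomcat prints in `version.sh` output and on its default
# error pages, e.g. "Server version: Apache Tomcat/9.0.85"
_BANNER_RE = re.compile(r"Apache Tomcat/(\d+\.\d+\.\d+(?:-M\d+)?)")


def parse_version(v):
    """Parse 'major.minor.patch' or 'major.minor.patch-Mn' into a sortable tuple.

    The fourth field orders milestone builds (0) before the GA build (1) of
    the same version, so 11.0.0-M17 < 11.0.0 while 11.0.0-M16 < 11.0.0-M17.
    """
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def assess(version):
    """Return 'vulnerable', 'fixed' or 'unknown' for CVE-2024-23672."""
    parsed = parse_version(version)
    branch = parsed[:2]
    if branch not in FIXED:
        # EOL branch: the advisory only says it "may also be affected"
        return "unknown"
    return "fixed" if parsed >= parse_version(FIXED[branch]) else "vulnerable"


def version_from_banner(text):
    """Extract the Tomcat version from banner text; None if no banner is present."""
    m = _BANNER_RE.search(text)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed sample of `version.sh` output; not captured from a real host
    sample = "Server version: Apache Tomcat/9.0.85\nServer built:   Jan 5 2024"
    v = version_from_banner(sample)
    print(v, "->", assess(v))
```

Run it against the output of `$CATALINA_HOME/bin/version.sh` on each host; a result of "unknown" means the branch is out of support and should be migrated rather than treated as safe.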

Scores

CVSS v3 6.3
EPSS 0.0132
EPSS Percentile 80.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-459
Status published
Products (7)
apache/tomcat 11.0.0 milestone1 (16 CPE variants)
apache/tomcat 8.5.0 - 8.5.99
debian/debian_linux 10.0
fedoraproject/fedora 39
fedoraproject/fedora 40
org.apache.tomcat/tomcat-websocket 11.0.0-M1 - 11.0.0-M17 (Maven)
org.apache.tomcat.embed/tomcat-embed-websocket 11.0.0-M1 - 11.0.0-M17 (Maven)
Published Mar 13, 2024
Tracked Since Feb 18, 2026