CVE-2024-23672
Public on 2024-03-13
Modified on 2024-03-18
Description
Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.
Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
Severity
Important
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | tomcat | 2024-04-11 | ALAS2-2024-2514 | Fixed |
| Amazon Linux 2 - Tomcat8.5 Extra | tomcat | 2024-04-10 | ALAS2TOMCAT8.5-2024-019 | Fixed |
| Amazon Linux 2 - Tomcat9 Extra | tomcat | 2024-04-10 | ALAS2TOMCAT9-2024-013 | Fixed |
| Amazon Linux 1 | tomcat7 | No Fix Planned | ||
| Amazon Linux 1 | tomcat8 | 2024-06-19 | ALAS-2024-1941 | Fixed |
| Amazon Linux 1 | tomcat80 | No Fix Planned | ||
| Amazon Linux 2023 | tomcat9 | 2024-03-27 | ALAS2023-2024-577 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| NVD | CVSSv3 | 6.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |