Vulnerability Description
Incomplete Cleanup vulnerability in Apache Tomcat. The internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, in-progress refactoring that exposed a potential denial of service on Windows if a web application opened a stream for an uploaded file but failed to close the stream. Because Windows will not delete a file that still has an open handle, the temporary file would never be removed from disk, creating the possibility of an eventual denial of service once the disk is full. Other, EOL versions may also be affected. Users are recommended to upgrade to version 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.
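As an added illustration, not code from this page or from the Tomcat project, the servlet below shows the stream-handling pattern that leaves the upload's temporary file behind on the affected versions, next to the hardened form that closes the stream and deletes the part explicitly. The servlet path, the form field name `file` and the `@MultipartConfig` threshold are assumptions chosen so every upload is spooled to disk.

```java
import java.io.IOException;
import java.io.InputStream;
import javax.servlet.ServletException;
import javax.servlet.annotation.MultipartConfig;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.Part;

@WebServlet("/upload")                    // assumed path
@MultipartConfig(fileSizeThreshold = 0)   // assumed: spool every part to disk so the leak is visible
public class UploadServlet extends HttpServlet {

    // Leaky pattern: the stream is opened but never closed. On Windows the open
    // handle blocks deletion, so Tomcat 9.0.70-9.0.80 / 8.5.85-8.5.93 never
    // remove the temp file and each upload consumes disk space permanently.
    private long countBytesLeaky(Part part) throws IOException {
        InputStream in = part.getInputStream();
        long n = 0;
        while (in.read() != -1) n++;
        return n;                         // 'in' is dropped without close()
    }

    // Hardened pattern: try-with-resources guarantees close() on every exit path,
    // and part.delete() in finally removes the temp file without relying on the
    // container's cleanup at all.
    private long countBytesSafe(Part part) throws IOException {
        try (InputStream in = part.getInputStream()) {
            byte[] buf = new byte[8192];
            long n = 0;
            int r;
            while ((r = in.read(buf)) != -1) n += r;
            return n;
        } finally {
            part.delete();
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Part upload = req.getPart("file");   // assumed form field name
        long bytes = countBytesSafe(upload);
        resp.getWriter().println("received " + bytes + " bytes");
    }
}
```

On an affected Windows install, calling `countBytesLeaky` instead leaves one file per request in Tomcat's temp directory; watching that directory's growth is a simple check that an application is closing its upload streams.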
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Tomcat | >= 8.5.85, < 8.5.94 |
Related Weaknesses (CWE)
References
- https://lists.apache.org/thread/vvbr2ms7lockj1hlhz5q3wmxb2mwcw82 (Mailing List, Vendor Advisory)
- http://www.openwall.com/lists/oss-security/2023/10/10/8 (Mailing List, Third Party Advisory)
FAQ
What is CVE-2023-42794?
CVE-2023-42794 is a vulnerability with a CVSS score of 5.9 (MEDIUM). Incomplete Cleanup vulnerability in Apache Tomcat. The internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, in prog...
How severe is CVE-2023-42794?
CVE-2023-42794 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-42794?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Tomcat.