Vulnerability Description
Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Tomcat | >= 8.5.0, < 8.5.99 |
| Debian | Debian Linux | 10.0 |
| Fedoraproject | Fedora | 39 |
Related Weaknesses (CWE)
References
- https://lists.apache.org/thread/cmpswfx6tj4s7x0nxxosvfqs11lvdx2fVendor Advisory
- http://www.openwall.com/lists/oss-security/2024/03/13/4Mailing List
- https://lists.apache.org/thread/cmpswfx6tj4s7x0nxxosvfqs11lvdx2fVendor Advisory
- https://lists.debian.org/debian-lts-announce/2024/04/msg00001.htmlMailing ListThird Party Advisory
- https://lists.fedoraproject.org/archives/list/[email protected]Third Party Advisory
- https://lists.fedoraproject.org/archives/list/[email protected]Third Party Advisory
- https://security.netapp.com/advisory/ntap-20240402-0002/Third Party Advisory
FAQ
What is CVE-2024-23672?
CVE-2024-23672 is a vulnerability with a CVSS score of 6.3 (MEDIUM). Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue a...
How severe is CVE-2024-23672?
CVE-2024-23672 has been rated MEDIUM with a CVSS base score of 6.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-23672?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Tomcat, Debian Debian Linux, Fedoraproject Fedora.