CVE-2023-42795

CWE-459 | 12 documents | 8 sources
Severity: 5.3 MEDIUM
EPSS: 0.7% (top 28.16%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 10; Latest update Jun 9

Description

Incomplete Cleanup vulnerability in Apache Tomcat. When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process, leading to information leaking from the current request/response to the next. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages (7 packages)

Source     | Package                                          | Range start | Range end   | More
NVD        | apache/tomcat                                    | 8.5.0       | 8.5.94      | +5
Maven      | org.apache.tomcat:tomcat                         | 9.0.0-M1    | 9.0.81      | +1
Maven      | org.apache.tomcat:tomcat-coyote                  | 11.0.0-M1   | 11.0.0-M12  | +1
Maven      | org.apache.tomcat.embed:tomcat-embed-core        | 11.0.0-M1   | 11.0.0-M12  | +3
CVEListV5  | apache_software_foundation/apache_tomcat         | 11.0.0-M1   | 11.0.0-M11  | +3

Also affects: Debian Linux 10.0, 11.0, 12.0

Vulnerability Details (6)

OSV: tomcat vulnerabilities (2025-06-09)
OSV: tomcat9 vulnerabilities (2024-11-13)
CVEList: Apache Tomcat: Failure during request clean-up leads to sensitive data leaking to subsequent requests (2023-10-10)
OSV: CVE-2023-42795: Incomplete Cleanup vulnerability in Apache Tomcat (2023-10-10)
GHSA: Apache Tomcat Incomplete Cleanup vulnerability (2023-10-10)

Vendor Advisories (5)

Ubuntu: Tomcat vulnerabilities (2025-06-09)
Ubuntu: Tomcat vulnerabilities (2024-11-13)
Red Hat: tomcat: improper cleaning of recycled objects could lead to information leak (2023-10-10)
Debian: CVE-2023-42795: tomcat10 - Incomplete Cleanup vulnerability in Apache Tomcat. When recycling various interna... (2023)
Apache: Apache tomcat: CVE-2023-42795

Source: cvebase.io, CVE-2023-42795 (MEDIUM, CVSS 5.3)