CVE-2024-23672: Incomplete Cleanup in Apache Tomcat

CWE-459 Incomplete Cleanup | 12 documents | 9 sources

Severity: 6.3 MEDIUM (NVD)
EPSS: 1.1% (top 22.32%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 13; latest update Jun 9

Description

Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open, leading to increased resource consumption. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99, which fix the issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L (Exploitability: 2.8 | Impact: 3.4)

Affected Packages (2 packages)

NVD: apache/tomcat, 8.5.0 through 8.5.99 (+3 more ranges)
CVEListV5: apache_software_foundation/apache_tomcat, 11.0.0-M1 through 11.0.0-M16 (+3 more ranges)

Also affects: Debian Linux 10.0, Fedora 39, 40

🔴 Vulnerability Details (4)

CVEList: Apache Tomcat: WebSocket DoS with incomplete closing handshake (2024-03-13)
OSV: Denial of Service via incomplete cleanup vulnerability in Apache Tomcat (2024-03-13)
OSV: CVE-2024-23672: Denial of Service via incomplete cleanup vulnerability in Apache Tomcat (2024-03-13)
GHSA: Denial of Service via incomplete cleanup vulnerability in Apache Tomcat (2024-03-13)

📋 Vendor Advisories (7)

Ubuntu: Tomcat vulnerabilities (2025-06-09)
Ubuntu: Tomcat vulnerabilities (2024-11-13)
Oracle: Oracle Communications Risk Matrix: CMP (Apache Tomcat), CVE-2024-23672 (2024-10-15)
Oracle: Oracle Communications Risk Matrix: Patches (Apache Tomcat), CVE-2024-23672 (2024-07-15)
Red Hat: Tomcat: WebSocket DoS with incomplete closing handshake (2024-03-13)