Base Score

MEDIUM6.3

CVE-2024-23672

Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.

VectorNETWORK

Published Bysecurity@apache.org

Published DateMar 13, 2024, 16:15

Affected Versions(8)

org.apache.tomcat:tomcat-websocket(Maven)

Introduced11.0.0-M1

Fixed11.0.0-M17

LimitN/A

org.apache.tomcat:tomcat-websocket(Maven)

Introduced10.1.0-M1

Fixed10.1.19

LimitN/A

org.apache.tomcat:tomcat-websocket(Maven)

Introduced9.0.0-M1

Fixed9.0.86

LimitN/A

org.apache.tomcat:tomcat-websocket(Maven)

Introduced8.5.0

Fixed8.5.99

LimitN/A

org.apache.tomcat.embed:tomcat-embed-websocket(Maven)

Introduced11.0.0-M1

Fixed11.0.0-M17

LimitN/A

org.apache.tomcat.embed:tomcat-embed-websocket(Maven)

Introduced10.1.0-M1

Fixed10.1.19

LimitN/A

org.apache.tomcat.embed:tomcat-embed-websocket(Maven)

Introduced9.0.0-M1

Fixed9.0.86

LimitN/A

org.apache.tomcat.embed:tomcat-embed-websocket(Maven)

Introduced8.5.0

Fixed8.5.99

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.apache.tomcat:tomcat-websocket(Maven)	11.0.0-M1	11.0.0-M17	N/A
org.apache.tomcat:tomcat-websocket(Maven)	10.1.0-M1	10.1.19	N/A
org.apache.tomcat:tomcat-websocket(Maven)	9.0.0-M1	9.0.86	N/A
org.apache.tomcat:tomcat-websocket(Maven)	8.5.0	8.5.99	N/A
org.apache.tomcat.embed:tomcat-embed-websocket(Maven)	11.0.0-M1	11.0.0-M17	N/A
org.apache.tomcat.embed:tomcat-embed-websocket(Maven)	10.1.0-M1	10.1.19	N/A
org.apache.tomcat.embed:tomcat-embed-websocket(Maven)	9.0.0-M1	9.0.86	N/A
org.apache.tomcat.embed:tomcat-embed-websocket(Maven)	8.5.0	8.5.99	N/A

Weakness Type (CWE):CWE-459

CVSS Metrics

Base Score

6.3

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

LOW

Integrity (I)

LOW

Availability (A)

LOW

References

Base Score

MEDIUM6.3

Weakness Type (CWE):CWE-459

CVSS Metrics

Base Score

6.3

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

LOW

Integrity (I)

LOW

Availability (A)

LOW

CVE-2024-23672

VectorNETWORK

Published Bysecurity@apache.org

Published DateMar 13, 2024, 16:15

Package (Ecosystem)

Introduced

Fixed

Limit

org.apache.tomcat:tomcat-websocket(Maven)

11.0.0-M1

11.0.0-M17

N/A

org.apache.tomcat:tomcat-websocket(Maven)

10.1.0-M1

10.1.19

N/A

org.apache.tomcat:tomcat-websocket(Maven)

9.0.0-M1

9.0.86

N/A

org.apache.tomcat:tomcat-websocket(Maven)

8.5.0

8.5.99

N/A

org.apache.tomcat.embed:tomcat-embed-websocket(Maven)

11.0.0-M1

11.0.0-M17

N/A

org.apache.tomcat.embed:tomcat-embed-websocket(Maven)

10.1.0-M1

10.1.19

N/A

org.apache.tomcat.embed:tomcat-embed-websocket(Maven)

9.0.0-M1

9.0.86

N/A

org.apache.tomcat.embed:tomcat-embed-websocket(Maven)

8.5.0

8.5.99

N/A