CVE-2024-23672

ANC

High

Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connection…

CVSS

7.5

High

EPSS

0.02

p81

Published

2024-01-01

Updated

2024-01-01

Description

Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.

Tags · CWE

Pre-auth

CWE-459

Affected products

Jws5-tomcatJws5-tomcatJws5-tomcatJws6-tomcatJws6-tomcatTomcatTomcatTomcatTomcatTomcat10Tomcat10Tomcat10Tomcat10Tomcat10Tomcat10Tomcat9Tomcat9Tomcat9

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

2024-01-01

Published

2024-01-01

Updated

CVSS 3.1 breakdown

Attack Vector

AV: N

Network (N)

Attack Complexity

AC: L

Low (L)

Privileges Required

PR: N

None (N)

User Interaction

UI: N

None (N)

Scope

S: U

Unchanged (U)

Confidentiality Impact

C: N

None (N)

Integrity Impact

I: N

None (N)

Availability Impact

A: H

High (H)

Exploit indicators

EPSS

0.023 · p81

Known exploited (KEV)

Known exploits — Сканер-ВС

No Сканер-ВС checks registered for this vulnerability yet.

Affected products

Product	Vendor	Status
		Tracked
		Tracked
jws5-tomcat		Tracked
jws5-tomcat		Tracked
jws5-tomcat		Tracked
jws6-tomcat		Tracked
jws6-tomcat		Tracked
tomcat		Tracked
tomcat		Tracked
tomcat		Tracked
tomcat		Tracked
tomcat10		Tracked
tomcat10		Tracked
tomcat10		Tracked
tomcat10		Tracked
tomcat10		Tracked
tomcat10		Tracked
tomcat9		Tracked
tomcat9		Tracked
tomcat9		Tracked

Showing first 20 of 28

Source databases

ANC

DEB

CVE

RED

UBU

Related vulnerabilities

BDU:2024-02604