CVE-2024-23672

Source
https://cve.org/CVERecord?id=CVE-2024-23672
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-23672.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-23672
Aliases
Downstream
Related
Published
2024-03-13T15:48:42.610Z
Modified
2026-07-11T03:55:26.408478013Z
Severity
  • 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
Summary
Apache Tomcat: WebSocket DoS with incomplete closing handshake
Details

Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.

Older, EOL versions may also be affected.

Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.

Database specific
{
    "cna_assigner": "apache",
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "11.0.0-M1"
                },
                {
                    "last_affected": "11.0.0-M16"
                },
                {
                    "introduced": "10.1.0-M1"
                },
                {
                    "last_affected": "10.1.18"
                },
                {
                    "introduced": "9.0.0-M1"
                },
                {
                    "last_affected": "9.0.85"
                },
                {
                    "introduced": "8.5.0"
                },
                {
                    "last_affected": "8.5.98"
                }
            ]
        },
        {
            "source": "DESCRIPTION",
            "extracted_events": [
                {
                    "introduced": "11.0.0-M1"
                },
                {
                    "fixed": "11.0.0-M16"
                },
                {
                    "introduced": "10.1.0-M1"
                },
                {
                    "fixed": "10.1.18"
                },
                {
                    "introduced": "9.0.0-M1"
                },
                {
                    "fixed": "9.0.85"
                },
                {
                    "introduced": "8.5.0"
                },
                {
                    "fixed": "8.5.98"
                }
            ]
        }
    ],
    "cwe_ids": [
        "CWE-459"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/23xxx/CVE-2024-23672.json"
}
References

Affected packages

Git / github.com/apache/tomcat

Affected ranges

Type
GIT
Repo
https://github.com/apache/tomcat
Events
Database specific
{
    "source": [
        "CPE_RANGE",
        "CPE_STRING"
    ],
    "cpe": [
        "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:11.0.0:milestone1:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:11.0.0:milestone10:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:11.0.0:milestone11:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:11.0.0:milestone12:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:11.0.0:milestone13:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:11.0.0:milestone14:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:11.0.0:milestone15:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:11.0.0:milestone16:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:11.0.0:milestone2:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:11.0.0:milestone3:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:11.0.0:milestone4:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:11.0.0:milestone5:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:11.0.0:milestone6:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:11.0.0:milestone7:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:11.0.0:milestone8:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:11.0.0:milestone9:*:*:*:*:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "8.5.0"
        },
        {
            "fixed": "8.5.99"
        },
        {
            "introduced": "9.0.0"
        },
        {
            "fixed": "9.0.86"
        },
        {
            "introduced": "10.1.0"
        },
        {
            "fixed": "10.1.19"
        },
        {
            "introduced": "11.0.0-milestone1"
        },
        {
            "last_affected": "11.0.0-milestone1"
        },
        {
            "introduced": "11.0.0-milestone10"
        },
        {
            "last_affected": "11.0.0-milestone10"
        },
        {
            "introduced": "11.0.0-milestone11"
        },
        {
            "last_affected": "11.0.0-milestone11"
        },
        {
            "introduced": "11.0.0-milestone12"
        },
        {
            "last_affected": "11.0.0-milestone12"
        },
        {
            "introduced": "11.0.0-milestone13"
        },
        {
            "last_affected": "11.0.0-milestone13"
        },
        {
            "introduced": "11.0.0-milestone14"
        },
        {
            "last_affected": "11.0.0-milestone14"
        },
        {
            "introduced": "11.0.0-milestone15"
        },
        {
            "last_affected": "11.0.0-milestone15"
        },
        {
            "introduced": "11.0.0-milestone16"
        },
        {
            "last_affected": "11.0.0-milestone16"
        },
        {
            "introduced": "11.0.0-milestone2"
        },
        {
            "last_affected": "11.0.0-milestone2"
        },
        {
            "introduced": "11.0.0-milestone3"
        },
        {
            "last_affected": "11.0.0-milestone3"
        },
        {
            "introduced": "11.0.0-milestone4"
        },
        {
            "last_affected": "11.0.0-milestone4"
        },
        {
            "introduced": "11.0.0-milestone5"
        },
        {
            "last_affected": "11.0.0-milestone5"
        },
        {
            "introduced": "11.0.0-milestone6"
        },
        {
            "last_affected": "11.0.0-milestone6"
        },
        {
            "introduced": "11.0.0-milestone7"
        },
        {
            "last_affected": "11.0.0-milestone7"
        },
        {
            "introduced": "11.0.0-milestone8"
        },
        {
            "last_affected": "11.0.0-milestone8"
        },
        {
            "introduced": "11.0.0-milestone9"
        },
        {
            "last_affected": "11.0.0-milestone9"
        }
    ]
}

Affected versions

11.*
11.0.0-milestone1
11.0.0-milestone10
11.0.0-milestone11
11.0.0-milestone12
11.0.0-milestone13
11.0.0-milestone14
11.0.0-milestone15
11.0.0-milestone16
11.0.0-milestone2
11.0.0-milestone3
11.0.0-milestone4
11.0.0-milestone5
11.0.0-milestone6
11.0.0-milestone7
11.0.0-milestone8
11.0.0-milestone9

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-23672.json"