GHSA-jm7m-8jh6-29hp

Suggest an improvement
Source
https://github.com/advisories/GHSA-jm7m-8jh6-29hp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-jm7m-8jh6-29hp/GHSA-jm7m-8jh6-29hp.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-jm7m-8jh6-29hp
Aliases
Published
2023-10-10T18:31:35Z
Modified
2023-12-11T21:30:50.291054Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Apache Tomcat Incomplete Cleanup vulnerability
Details

Incomplete Cleanup vulnerability in Apache Tomcat.

The internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, in progress refactoring that exposed a potential denial of service on Windows if a web application opened a stream for an uploaded file but failed to close the stream. The file would never be deleted from disk creating the possibility of an eventual denial of service due to the disk being full.

Users are recommended to upgrade to version 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.

References

Affected packages

Maven / org.apache.tomcat:tomcat

Package

Name
org.apache.tomcat:tomcat
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat

Affected ranges

Type
ECOSYSTEM
Events
Introduced
9.0.70
Fixed
9.0.81

Affected versions

9.*

9.0.70
9.0.71
9.0.72
9.0.73
9.0.74
9.0.75
9.0.76
9.0.78
9.0.79
9.0.80

Maven / org.apache.tomcat:tomcat

Package

Name
org.apache.tomcat:tomcat
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.5.85
Fixed
8.5.94

Affected versions

8.*

8.5.85
8.5.86
8.5.87
8.5.88
8.5.89
8.5.90
8.5.91
8.5.92
8.5.93