GHSA-jm7m-8jh6-29hp

Source

https://github.com/advisories/GHSA-jm7m-8jh6-29hp

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-jm7m-8jh6-29hp/GHSA-jm7m-8jh6-29hp.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-jm7m-8jh6-29hp

Aliases

Published

2023-10-10T18:31:35Z

Modified

2024-02-16T08:11:12.833825Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Apache Tomcat Incomplete Cleanup vulnerability

Details

Incomplete Cleanup vulnerability in Apache Tomcat.

The internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, in progress refactoring that exposed a potential denial of service on Windows if a web application opened a stream for an uploaded file but failed to close the stream. The file would never be deleted from disk creating the possibility of an eventual denial of service due to the disk being full.

Users are recommended to upgrade to version 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.

References

Affected packages

Maven / org.apache.tomcat:tomcat

Package

Name: org.apache.tomcat:tomcat; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat/tomcat

Affected ranges

Type: ECOSYSTEM
Events: Introduced

9.0.70

Fixed

9.0.81

Affected versions

9.*

9.0.70

9.0.71

9.0.72

9.0.73

9.0.74

9.0.75

9.0.76

9.0.78

9.0.79

9.0.80

Maven / org.apache.tomcat:tomcat

Package

Name: org.apache.tomcat:tomcat; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat/tomcat

Affected ranges

Type: ECOSYSTEM
Events: Introduced

8.5.85

Fixed

8.5.94

Affected versions

8.*

8.5.85

8.5.86

8.5.87

8.5.88

8.5.89

8.5.90

8.5.91

8.5.92

8.5.93