GHSA-v682-8vv8-vpwr

Source

https://github.com/advisories/GHSA-v682-8vv8-vpwr

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-v682-8vv8-vpwr/GHSA-v682-8vv8-vpwr.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-v682-8vv8-vpwr

Aliases

BIT-tomcat-2024-23672
CVE-2024-23672

Related

CGA-3pvg-mvwc-5c76

Published

2024-03-13T18:31:34Z

Modified

2024-06-25T02:32:58.520013Z

Summary

Denial of Service via incomplete cleanup vulnerability in Apache Tomcat

Details

Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.

Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.

References

Affected packages

Maven / org.apache.tomcat:tomcat-websocket

Package

Name: org.apache.tomcat:tomcat-websocket; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat/tomcat-websocket

Affected ranges

Type: ECOSYSTEM
Events: Introduced

11.0.0-M1

Fixed

11.0.0-M17

Affected versions

11.*

11.0.0-M1

11.0.0-M3

11.0.0-M4

11.0.0-M5

11.0.0-M6

11.0.0-M7

11.0.0-M9

11.0.0-M10

11.0.0-M11

11.0.0-M12

11.0.0-M13

11.0.0-M14

11.0.0-M15

11.0.0-M16

Database specific

{
    "last_known_affected_version_range": "<= 11.0.0-M16"
}

Maven / org.apache.tomcat:tomcat-websocket

Package

Name: org.apache.tomcat:tomcat-websocket; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat/tomcat-websocket

Affected ranges

Type: ECOSYSTEM
Events: Introduced

10.1.0-M1

Fixed

10.1.19

Affected versions

10.*

10.1.0-M1

10.1.0-M2

10.1.0-M4

10.1.0-M5

10.1.0-M6

10.1.0-M7

10.1.0-M8

10.1.0-M10

10.1.0-M11

10.1.0-M12

10.1.0-M14

10.1.0-M15

10.1.0-M16

10.1.0-M17

10.1.0

10.1.1

10.1.2

10.1.4

10.1.5

10.1.6

10.1.7

10.1.8

10.1.9

10.1.10

10.1.11

10.1.12

10.1.13

10.1.14

10.1.15

10.1.16

10.1.17

10.1.18

Database specific

{
    "last_known_affected_version_range": "<= 10.1.18"
}

Maven / org.apache.tomcat:tomcat-websocket

Package

Name: org.apache.tomcat:tomcat-websocket; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat/tomcat-websocket

Affected ranges

Type: ECOSYSTEM
Events: Introduced

9.0.0-M1

Fixed

9.0.86

Affected versions

9.*

9.0.0.M1

9.0.0.M3

9.0.0.M4

9.0.0.M6

9.0.0.M8

9.0.0.M9

9.0.0.M10

9.0.0.M11

9.0.0.M13

9.0.0.M15

9.0.0.M17

9.0.0.M18

9.0.0.M19

9.0.0.M20

9.0.0.M21

9.0.0.M22

9.0.0.M25

9.0.0.M26

9.0.0.M27

9.0.1

9.0.2

9.0.4

9.0.5

9.0.6

9.0.7

9.0.8

9.0.10

9.0.11

9.0.12

9.0.13

9.0.14

9.0.16

9.0.17

9.0.19

9.0.20

9.0.21

9.0.22

9.0.24

9.0.26

9.0.27

9.0.29

9.0.30

9.0.31

9.0.33

9.0.34

9.0.35

9.0.36

9.0.37

9.0.38

9.0.39

9.0.40

9.0.41

9.0.43

9.0.44

9.0.45

9.0.46

9.0.48

9.0.50

9.0.52

9.0.53

9.0.54

9.0.55

9.0.56

9.0.58

9.0.59

9.0.60

9.0.62

9.0.63

9.0.64

9.0.65

9.0.67

9.0.68

9.0.69

9.0.70

9.0.71

9.0.72

9.0.73

9.0.74

9.0.75

9.0.76

9.0.78

9.0.79

9.0.80

9.0.81

9.0.82

9.0.83

9.0.84

9.0.85

Database specific

{
    "last_known_affected_version_range": "<= 9.0.85"
}

Maven / org.apache.tomcat:tomcat-websocket

Package

Name: org.apache.tomcat:tomcat-websocket; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat/tomcat-websocket

Affected ranges

Type: ECOSYSTEM
Events: Introduced

8.5.0

Fixed

8.5.99

Affected versions

8.*

8.5.0

8.5.2

8.5.3

8.5.4

8.5.5

8.5.6

8.5.8

8.5.9

8.5.11

8.5.12

8.5.13

8.5.14

8.5.15

8.5.16

8.5.19

8.5.20

8.5.21

8.5.23

8.5.24

8.5.27

8.5.28

8.5.29

8.5.30

8.5.31

8.5.32

8.5.33

8.5.34

8.5.35

8.5.37

8.5.38

8.5.39

8.5.40

8.5.41

8.5.42

8.5.43

8.5.45

8.5.46

8.5.47

8.5.49

8.5.50

8.5.51

8.5.53

8.5.54

8.5.55

8.5.56

8.5.57

8.5.58

8.5.59

8.5.60

8.5.61

8.5.63

8.5.64

8.5.65

8.5.66

8.5.68

8.5.69

8.5.70

8.5.71

8.5.72

8.5.73

8.5.75

8.5.76

8.5.77

8.5.78

8.5.79

8.5.81

8.5.82

8.5.83

8.5.84

8.5.85

8.5.86

8.5.87

8.5.88

8.5.89

8.5.90

8.5.91

8.5.92

8.5.93

8.5.94

8.5.95

8.5.96

8.5.97

8.5.98

Database specific

{
    "last_known_affected_version_range": "<= 8.5.98"
}

Maven / org.apache.tomcat.embed:tomcat-embed-websocket

Package

Name: org.apache.tomcat.embed:tomcat-embed-websocket; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-websocket

Affected ranges

Type: ECOSYSTEM
Events: Introduced

11.0.0-M1

Fixed

11.0.0-M17

Affected versions

11.*

11.0.0-M1

11.0.0-M3

11.0.0-M4

11.0.0-M5

11.0.0-M6

11.0.0-M7

11.0.0-M9

11.0.0-M10

11.0.0-M11

11.0.0-M12

11.0.0-M13

11.0.0-M14

11.0.0-M15

11.0.0-M16

Database specific

{
    "last_known_affected_version_range": "<= 11.0.0-M16"
}

Maven / org.apache.tomcat.embed:tomcat-embed-websocket

Package

Name: org.apache.tomcat.embed:tomcat-embed-websocket; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-websocket

Affected ranges

Type: ECOSYSTEM
Events: Introduced

10.1.0-M1

Fixed

10.1.19

Affected versions

10.*

10.1.0-M1

10.1.0-M2

10.1.0-M4

10.1.0-M5

10.1.0-M6

10.1.0-M7

10.1.0-M8

10.1.0-M10

10.1.0-M11

10.1.0-M12

10.1.0-M14

10.1.0-M15

10.1.0-M16

10.1.0-M17

10.1.0

10.1.1

10.1.2

10.1.4

10.1.5

10.1.6

10.1.7

10.1.8

10.1.9

10.1.10

10.1.11

10.1.12

10.1.13

10.1.14

10.1.15

10.1.16

10.1.17

10.1.18

Database specific

{
    "last_known_affected_version_range": "<= 10.1.18"
}

Maven / org.apache.tomcat.embed:tomcat-embed-websocket

Package

Name: org.apache.tomcat.embed:tomcat-embed-websocket; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-websocket

Affected ranges

Type: ECOSYSTEM
Events: Introduced

9.0.0-M1

Fixed

9.0.86

Affected versions

9.*

9.0.0.M1

9.0.0.M3

9.0.0.M4

9.0.0.M6

9.0.0.M8

9.0.0.M9

9.0.0.M10

9.0.0.M11

9.0.0.M13

9.0.0.M15

9.0.0.M17

9.0.0.M18

9.0.0.M19

9.0.0.M20

9.0.0.M21

9.0.0.M22

9.0.0.M25

9.0.0.M26

9.0.0.M27

9.0.1

9.0.2

9.0.4

9.0.5

9.0.6

9.0.7

9.0.8

9.0.10

9.0.11

9.0.12

9.0.13

9.0.14

9.0.16

9.0.17

9.0.19

9.0.20

9.0.21

9.0.22

9.0.24

9.0.26

9.0.27

9.0.29

9.0.30

9.0.31

9.0.33

9.0.34

9.0.35

9.0.36

9.0.37

9.0.38

9.0.39

9.0.40

9.0.41

9.0.43

9.0.44

9.0.45

9.0.46

9.0.48

9.0.50

9.0.52

9.0.53

9.0.54

9.0.55

9.0.56

9.0.58

9.0.59

9.0.60

9.0.62

9.0.63

9.0.64

9.0.65

9.0.67

9.0.68

9.0.69

9.0.70

9.0.71

9.0.72

9.0.73

9.0.74

9.0.75

9.0.76

9.0.78

9.0.79

9.0.80

9.0.81

9.0.82

9.0.83

9.0.84

9.0.85

Database specific

{
    "last_known_affected_version_range": "<= 9.0.85"
}

Maven / org.apache.tomcat.embed:tomcat-embed-websocket

Package

Name: org.apache.tomcat.embed:tomcat-embed-websocket; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-websocket

Affected ranges

Type: ECOSYSTEM
Events: Introduced

8.5.0

Fixed

8.5.99

Affected versions

8.*

8.5.0

8.5.2

8.5.3

8.5.4

8.5.5

8.5.6

8.5.8

8.5.9

8.5.11

8.5.12

8.5.13

8.5.14

8.5.15

8.5.16

8.5.19

8.5.20

8.5.21

8.5.23

8.5.24

8.5.27

8.5.28

8.5.29

8.5.30

8.5.31

8.5.32

8.5.33

8.5.34

8.5.35

8.5.37

8.5.38

8.5.39

8.5.40

8.5.41

8.5.42

8.5.43

8.5.45

8.5.46

8.5.47

8.5.49

8.5.50

8.5.51

8.5.53

8.5.54

8.5.55

8.5.56

8.5.57

8.5.58

8.5.59

8.5.60

8.5.61

8.5.63

8.5.64

8.5.65

8.5.66

8.5.68

8.5.69

8.5.70

8.5.71

8.5.72

8.5.73

8.5.75

8.5.76

8.5.77

8.5.78

8.5.79

8.5.81

8.5.82

8.5.83

8.5.84

8.5.85

8.5.86

8.5.87

8.5.88

8.5.89

8.5.90

8.5.91

8.5.92

8.5.93

8.5.94

8.5.95

8.5.96

8.5.97

8.5.98

Database specific

{
    "last_known_affected_version_range": "<= 8.5.98"
}