GHSA-wph7-x527-w3h5

Source
https://github.com/advisories/GHSA-wph7-x527-w3h5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/10/GHSA-wph7-x527-w3h5/GHSA-wph7-x527-w3h5.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-wph7-x527-w3h5
Aliases
Published
2021-10-15T18:51:34Z
Modified
2024-03-11T16:46:20.172045Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Missing Release of Resource after Effective Lifetime in Apache Tomcat
Details

The fix for bug 63362, present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71, introduced a memory leak. The object added to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. Each WebSocket connection that is opened and closed therefore leaves an unreclaimable object behind, so over time the leak can exhaust the heap and cause a denial of service via an OutOfMemoryError. The CVSS vector (AV:N, PR:N, UI:N) reflects that no authentication or user interaction is needed to open and close WebSocket connections against an affected server.

Database specific
{
    "nvd_published_at": "2021-10-14T20:15:00Z",
    "cwe_ids": [
        "CWE-772"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2021-10-15T13:59:01Z"
}
References

Affected packages

Maven / org.apache.tomcat:tomcat

Package

Name
org.apache.tomcat:tomcat
Purl
pkg:maven/org.apache.tomcat/tomcat

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10.1.0-M1
Fixed
10.1.0-M6

Affected versions

10.*

10.1.0-M1
10.1.0-M2
10.1.0-M4
10.1.0-M5

Database specific

{
    "last_known_affected_version_range": "<= 10.1.0-M5"
}

Maven / org.apache.tomcat:tomcat

Package

Name
org.apache.tomcat:tomcat
Purl
pkg:maven/org.apache.tomcat/tomcat

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10.0.0-M1
Fixed
10.0.12

Affected versions

10.*

10.0.0-M1
10.0.0-M3
10.0.0-M4
10.0.0-M5
10.0.0-M6
10.0.0-M7
10.0.0-M8
10.0.0-M9
10.0.0-M10
10.0.0
10.0.2
10.0.4
10.0.5
10.0.6
10.0.7
10.0.8
10.0.10
10.0.11

Maven / org.apache.tomcat:tomcat

Package

Name
org.apache.tomcat:tomcat
Purl
pkg:maven/org.apache.tomcat/tomcat

Affected ranges

Type
ECOSYSTEM
Events
Introduced
9.0.40
Fixed
9.0.54

Affected versions

9.*

9.0.40
9.0.41
9.0.43
9.0.44
9.0.45
9.0.46
9.0.48
9.0.50
9.0.52
9.0.53

Maven / org.apache.tomcat:tomcat

Package

Name
org.apache.tomcat:tomcat
Purl
pkg:maven/org.apache.tomcat/tomcat

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.5.60
Fixed
8.5.72

Affected versions

8.*

8.5.60
8.5.61
8.5.63
8.5.64
8.5.65
8.5.66
8.5.68
8.5.69
8.5.70
8.5.71
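The four Introduced/Fixed ranges above use Maven-style milestone tags (10.1.0-M1 to 10.1.0-M6) alongside plain patch releases, which a naive string or tuple comparison gets wrong. The script below is an added example, not code from the OSV page or from the Tomcat project: it copies the (introduced, fixed) pairs from this advisory, parses Tomcat version strings so that a milestone sorts below the final release of the same number (an assumption about Maven ordering), and reports whether a given installation is in an affected half-open range and which release fixes it. The `version_from_server_info` helper and the `SAMPLE_SERVER_INFO` text assume the layout of Tomcat's `ServerInfo.properties` (`server.info=Apache Tomcat/<version>`); the sample is constructed, not taken from a real install.

```python
"""Version check for GHSA-wph7-x527-w3h5 (Apache Tomcat WebSocket metrics leak).

Added example; not code from the OSV page or from the Tomcat project. The
(introduced, fixed) pairs are copied from the page's Affected ranges. The
milestone ordering rule and the ServerInfo.properties parsing are assumptions.
"""
import re
from typing import Optional, Tuple

# One (introduced, fixed) pair per branch, as listed on the page. The range is
# half-open: the introduced version is affected, the fixed version is not.
AFFECTED_RANGES = [
    ("10.1.0-M1", "10.1.0-M6"),
    ("10.0.0-M1", "10.0.12"),
    ("9.0.40", "9.0.54"),
    ("8.5.60", "8.5.72"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Turn a Tomcat version string into a sortable tuple.

    Milestones such as 10.1.0-M5 are pre-releases of 10.1.0, so they must sort
    below the final 10.1.0 (assumption: this matches Maven's ordering). The
    tuple is (major, minor, patch, is_final, milestone_number).
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = match.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version: str) -> bool:
    """True if version falls in [introduced, fixed) of any listed range."""
    key = parse_version(version)
    return any(
        parse_version(introduced) <= key < parse_version(fixed)
        for introduced, fixed in AFFECTED_RANGES
    )


def minimum_fixed(version: str) -> Optional[str]:
    """First fixed release on the branch the version belongs to, or None.

    Returns None both for versions outside every listed range and for
    branches (e.g. 7.0.x) that the advisory does not mention at all.
    """
    key = parse_version(version)
    for introduced, fixed in AFFECTED_RANGES:
        if parse_version(introduced) <= key < parse_version(fixed):
            return fixed
    return None


# Assumption: lib/catalina.jar carries org/apache/catalina/util/ServerInfo.properties
# with a line of the form "server.info=Apache Tomcat/9.0.53".
_SERVER_INFO_RE = re.compile(r"^server\.info\s*=\s*Apache Tomcat/(\S+)\s*$", re.M)


def version_from_server_info(properties_text: str) -> str:
    """Pull the bare version out of ServerInfo.properties content."""
    match = _SERVER_INFO_RE.search(properties_text)
    if not match:
        raise ValueError("no server.info line found")
    return match.group(1)


# Constructed sample of the properties file; not copied from a real install.
SAMPLE_SERVER_INFO = """\
server.info=Apache Tomcat/9.0.53
server.number=9.0.53.0
server.built=Sep 10 2021 12:00:00 UTC
"""

if __name__ == "__main__":
    found = version_from_server_info(SAMPLE_SERVER_INFO)
    print(found, "affected:", is_affected(found), "upgrade to:", minimum_fixed(found))
    for v in ("10.1.0-M3", "10.1.0-M6", "10.0.11", "10.0.12", "9.0.39", "8.5.72"):
        print(v, "affected:", is_affected(v))
```

Run it against the `ServerInfo.properties` extracted from `lib/catalina.jar` of the instance you are checking; a result of `None` from `minimum_fixed` means either the version is already at or beyond the fix for its branch or the branch is not one this advisory covers, and the two cases should be told apart by looking at the version rather than treated as "safe" by default.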