CVE-2024-23672

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-23672
Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
CVSS

No CVSS.

References
Link Resource
https://lists.apache.org/thread/cmpswfx6tj4s7x0nxxosvfqs11lvdx2f Vendor Advisory
https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B/ Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55/ Third Party Advisory
https://security.netapp.com/advisory/ntap-20240402-0002/ Third Party Advisory
http://www.openwall.com/lists/oss-security/2024/03/13/4 Mailing List
https://lists.apache.org/thread/cmpswfx6tj4s7x0nxxosvfqs11lvdx2f Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:apache:tomcat:11.0.0:milestone1:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone2:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone4:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone3:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone5:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone7:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone10:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone11:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone12:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone13:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone14:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone15:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone16:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone6:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone8:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone9:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*
History

07 Aug 2025, 12:15

Type Values Removed Values Added
Summary Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue. Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.

19 May 2025, 13:00

Type Values Removed Values Added
CPE cpe:2.3:a:apache:tomcat:11.0.0:milestone16:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone7:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone3:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone5:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone11:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone10:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone9:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone15:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone14:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone12:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone6:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone8:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone1:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone13:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone2:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone4:*:*:*:*:*:*
References () http://www.openwall.com/lists/oss-security/2024/03/13/4 - () http://www.openwall.com/lists/oss-security/2024/03/13/4 - Mailing List
References () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55/ - () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55/ - Third Party Advisory
References () https://lists.apache.org/thread/cmpswfx6tj4s7x0nxxosvfqs11lvdx2f - () https://lists.apache.org/thread/cmpswfx6tj4s7x0nxxosvfqs11lvdx2f - Vendor Advisory
References () https://security.netapp.com/advisory/ntap-20240402-0002/ - () https://security.netapp.com/advisory/ntap-20240402-0002/ - Third Party Advisory
References () https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html - () https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html - Mailing List, Third Party Advisory
References () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B/ - () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B/ - Third Party Advisory
First Time Apache
Fedoraproject
Debian debian Linux
Apache tomcat
Fedoraproject fedora
Debian

13 Feb 2025, 18:17

Type Values Removed Values Added
CWE CWE-459
Summary Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue. Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.

23 Jun 2024, 09:15

Type Values Removed Values Added
References
  • () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B/ -

13 Jun 2024, 04:15

Type Values Removed Values Added
References
  • () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55/ -

01 May 2024, 18:15

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2024/03/13/4 -

06 Apr 2024, 06:15

Type Values Removed Values Added
References
  • () https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html -

02 Apr 2024, 23:15

Type Values Removed Values Added
References
  • () https://security.netapp.com/advisory/ntap-20240402-0002/ -

13 Mar 2024, 16:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-03-13 16:15

Updated : 2025-08-07 12:15

NVD link : CVE-2024-23672

Mitre link : CVE-2024-23672

JSON object : View

Products Affected

debian

  • debian_linux

apache

  • tomcat

fedoraproject

  • fedora
CWE

No CWE.