Apache Tomcat WebSocket DoS via Incomplete Cleanup (pre-11.0.0-M17)
CVE-2024-23672 Published on March 13, 2024
Apache Tomcat: WebSocket DoS with incomplete closing handshake
Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open by not completing the closing handshake, leaving the server holding the associated resources and leading to increased resource consumption. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.
Older, EOL versions may also be affected.
Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
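The description above is the whole of what the advisory says about the mechanism: the server begins the WebSocket closing handshake, the client never sends its own Close frame, and the session's resources are not reclaimed. The following is an added, generic illustration of that weakness class with a simulated clock. It is not Tomcat's code and does not reproduce Tomcat's internals; the class and method names, the per-session buffer size and the 30-second timeout in the usage note are assumptions chosen for the example. `close_timeout=None` models the flawed behaviour (wait for the peer indefinitely), a finite timeout models the hardened behaviour (release the session once the deadline passes, as RFC 6455 section 7.1.1 permits).

```python
"""Generic illustration of an incomplete-cleanup DoS in a WebSocket closing
handshake.  Added example with a simulated clock; not Tomcat's code."""
from dataclasses import dataclass, field
from typing import Dict, Optional

OPCODE_CLOSE = 0x8  # RFC 6455 Close frame opcode


@dataclass
class Session:
    session_id: int
    # Stand-in for per-session server resources (buffers, thread slots, ...).
    buffer: bytearray = field(default_factory=lambda: bytearray(4 * 1024))
    close_sent_at: Optional[float] = None  # when the server sent its Close frame
    closed: bool = False


class WebSocketServer:
    """Tracks open sessions.  close_timeout=None: flawed, waits forever for the
    peer's Close frame.  Finite close_timeout: hardened, evicts stalled sessions."""

    def __init__(self, close_timeout: Optional[float]):
        self.close_timeout = close_timeout
        self.sessions: Dict[int, Session] = {}
        self._next_id = 1

    def open(self) -> int:
        sid = self._next_id
        self._next_id += 1
        self.sessions[sid] = Session(sid)
        return sid

    def begin_close(self, sid: int, now: float) -> None:
        """Server sends its Close frame and starts waiting for the peer's reply."""
        self.sessions[sid].close_sent_at = now

    def on_frame(self, sid: int, opcode: int, now: float) -> None:
        """A well-behaved peer answers with Close, completing the handshake."""
        s = self.sessions.get(sid)
        if s is not None and opcode == OPCODE_CLOSE and s.close_sent_at is not None:
            self._release(sid)

    def tick(self, now: float) -> None:
        """Periodic housekeeping: reclaim sessions whose close handshake stalled."""
        if self.close_timeout is None:
            return  # flawed variant: nothing ever reclaims a stalled session
        for sid, s in list(self.sessions.items()):
            if s.close_sent_at is not None and now - s.close_sent_at >= self.close_timeout:
                self._release(sid)

    def _release(self, sid: int) -> None:
        s = self.sessions.pop(sid)
        s.buffer = bytearray()  # free the per-session resources
        s.closed = True

    def open_count(self) -> int:
        return len(self.sessions)


def simulate(close_timeout: Optional[float], stalled_clients: int, polite_clients: int) -> int:
    """Open sessions, let the server initiate close on all of them, let only the
    polite clients answer, run housekeeping an hour later, and return how many
    sessions the server is still holding."""
    srv = WebSocketServer(close_timeout)
    ids = [srv.open() for _ in range(stalled_clients + polite_clients)]
    for sid in ids:
        srv.begin_close(sid, now=0.0)
    for sid in ids[:polite_clients]:          # polite peers reply with Close
        srv.on_frame(sid, OPCODE_CLOSE, now=0.5)
    srv.tick(now=3600.0)                      # stalled peers never reply
    return srv.open_count()


if __name__ == "__main__":
    print("flawed  :", simulate(None, 1000, 5), "sessions still held")
    print("hardened:", simulate(30.0, 1000, 5), "sessions still held")
```

With no timeout, every client that withholds its Close frame pins a session for the life of the process, so the count of held sessions grows linearly with the number of stalled clients; with a 30-second close timeout the same run ends with zero held sessions, which is the cleanup the advisory says the fixed releases perform.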
Vulnerability Analysis
CVE-2024-23672 is exploitable with network access and requires only low privileges on the target. Attack complexity is low: the client simply has to open WebSocket connections and decline to complete the closing handshake. Because this is a denial-of-service issue, the impact falls on availability (resource exhaustion on the server) rather than on confidentiality or integrity.
Weakness Type
What is an Incomplete Cleanup Vulnerability?
The software does not properly "clean up" and remove temporary or supporting resources after they have been used.
CVE-2024-23672 has been classified as an Incomplete Cleanup weakness (CWE-459).
Products Associated with CVE-2024-23672
Affected Versions
Apache Software Foundation Apache Tomcat:
- Versions 11.0.0-M1 through 11.0.0-M16 are affected.
- Versions 10.1.0-M1 through 10.1.18 are affected.
- Versions 9.0.0-M1 through 9.0.85 are affected.
- Versions 8.5.0 through 8.5.98 are affected.
- Versions below 8.5.0 (7.x and earlier): status unknown.
- Versions 10.0.0-M1 through 10.0.27: status unknown.
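Milestone builds such as 11.0.0-M16 sort before the GA release of the same number, so a plain string or tuple comparison misclassifies them. The following added check, written for this page and not part of stack.watch or Apache Tomcat, encodes the ranges listed above and the "unknown" branches, and also pulls the version out of the `Server version: Apache Tomcat/x.y.z` line printed by Tomcat's `version.sh`. The sample banner in the usage is constructed for the example; the function names are the example's own.

```python
"""Classify an Apache Tomcat version against the CVE-2024-23672 ranges.
Added example; the ranges are those listed in the advisory above."""
import re
from typing import Optional, Tuple

# A version is (major, minor, patch, milestone).  Milestone builds precede the
# GA build of the same number, so GA gets a milestone value above any real one.
GA = 10**6
Version = Tuple[int, int, int, int]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")
_BANNER_RE = re.compile(r"Apache Tomcat/(\d+\.\d+\.\d+(?:-M\d+)?)")


def parse_version(text: str) -> Version:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), int(milestone) if milestone else GA)


def version_from_banner(banner: str) -> Optional[str]:
    """Extract the version from version.sh / catalina.sh version output."""
    m = _BANNER_RE.search(banner)
    return m.group(1) if m else None


# (first affected, last affected, first fixed) per branch, from the advisory.
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.0-M16", "11.0.0-M17"),
    ("10.1.0-M1", "10.1.18", "10.1.19"),
    ("9.0.0-M1", "9.0.85", "9.0.86"),
    ("8.5.0", "8.5.98", "8.5.99"),
]

# Branches the advisory lists with unknown status (EOL, not evaluated).
UNKNOWN_BRANCHES = [("10.0.0-M1", "10.0.27")]


def assess(text: str) -> str:
    """Return 'affected', 'fixed', 'unknown' or 'not-listed' for a version."""
    v = parse_version(text)
    for first, last, fixed in AFFECTED_RANGES:
        lo, hi, fx = parse_version(first), parse_version(last), parse_version(fixed)
        if lo <= v <= hi:
            return "affected"
        if v >= fx and v[:2] == fx[:2]:  # same branch, at or past the fix
            return "fixed"
    for first, last in UNKNOWN_BRANCHES:
        if parse_version(first) <= v <= parse_version(last):
            return "unknown"
    if v < parse_version("8.5.0"):
        return "unknown"  # 7.x and older: the advisory gives no status
    return "not-listed"


if __name__ == "__main__":
    # Constructed sample of `bin/version.sh` output, not a real capture.
    sample_banner = "Using CATALINA_BASE:   /opt/tomcat\nServer version: Apache Tomcat/9.0.85\n"
    found = version_from_banner(sample_banner)
    print(found, "->", assess(found) if found else "no version found")
```

Run it against the real output of `bin/version.sh` on the host; anything that comes back `affected` should move to the fixed release named for its branch in the advisory, and an `unknown` result (10.0.x or anything before 8.5.0) means the branch is end-of-life and should be treated as affected until upgraded.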
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.