PT-2024-2566 · Apache · Apache Tomcat

Mark Thomas · Published 2024-02-19 · Updated 2026-03-26

CVE-2024-23672

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 11.0.0-M1 through 11.0.0-M16
Apache Tomcat versions 10.1.0-M1 through 10.1.18
Apache Tomcat versions 9.0.0-M1 through 9.0.85
Apache Tomcat versions 8.5.0 through 8.5.98

Description
Apache Tomcat is affected by a denial-of-service vulnerability resulting from incomplete cleanup. WebSocket clients could keep WebSocket connections open, leading to increased resource consumption on the server.

Recommendations
Upgrade to version 11.0.0-M17 to fix the issue for versions 11.0.0-M1 through 11.0.0-M16.
Upgrade to version 10.1.19 to fix the issue for versions 10.1.0-M1 through 10.1.18.
Upgrade to version 9.0.86 to fix the issue for versions 9.0.0-M1 through 9.0.85.
Upgrade to version 8.5.99 to fix the issue for versions 8.5.0 through 8.5.98.

DoS

Resource Exhaustion

Related Identifiers

ALSA-2024:3307
ALSA-2024:3666
ALT-PU-2025-1726
ALT-PU-2025-2379
ALT-PU-2025-9797
BDU:2024-02604
BIT-TOMCAT-2024-23672
CESA-2024_3666
CVE-2024-23672
DLA-3779-1
DSA-5665-1
DSA-5667-1
GHSA-V682-8VV8-VPWR
INFSA-2024_3307
INFSA-2024_3666
MGASA-2024-0090
OESA-2024-2402
OESA-2024-2403
OESA-2024-2404
OESA-2024-2405
OESA-2024-2460
OPENSUSE-SU-2024:13832-1
OPENSUSE-SU-2024:13833-1
OPENSUSE-SU-2024_1204-1
OPENSUSE-SU-2024_1345-1
RHSA-2024:1913
RHSA-2024:1916
RHSA-2024:3307
RHSA-2024:3308
RHSA-2024:3666
RHSA-2024:3814
RHSA-2024_3307
RHSA-2024_3666
RLSA-2024:3307
RLSA-2024:3666
SUSE-SU-2024:1204-1
SUSE-SU-2024:1205-1
SUSE-SU-2024:1345-1
SUSE-SU-2026:1058-1
USN-7106-1
USN-7562-1

Affected Products

Alt Linux
Almalinux
Apache Tomcat
Astra Linux
Centos
Confluence
Jira
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu