CVE-2024-23672

Name: CVE-2024-23672
Creator: NVD / NIST
Published: 2024-03-13T16:15:29.287+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 6.3/10EPSS 2.31%

Last modified Jun 17, 2026

CVE-2024-23672 is a medium-severity vulnerability rated 6.3/10 on the CVSS scale. Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.. EPSS estimates a 2.31% chance of exploitation in the next 30 days.

Description

Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.

Metrics

CVSS 3.1

6.3/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Probability

2.31%

81.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-459

Affected Software

Vendor	Product	Versions	Update
Apache	Tomcat	>= 8.5.0, < 8.5.99	—
Apache	Tomcat	>= 9.0.0, < 9.0.86	—
Apache	Tomcat	>= 10.1.0, < 10.1.19	—
Apache	Tomcat	11.0.0	Milestone1
Debian	Debian Linux	10.0	—
Fedoraproject	Fedora	39	—
Fedoraproject	Fedora	40	—

References

https://lists.apache.org/thread/cmpswfx6tj4s7x0nxxosvfqs11lvdx2fVendor Advisory
http://www.openwall.com/lists/oss-security/2024/03/13/4Mailing List
https://lists.apache.org/thread/cmpswfx6tj4s7x0nxxosvfqs11lvdx2fVendor Advisory
https://lists.debian.org/debian-lts-announce/2024/04/msg00001.htmlMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B/Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55/Third Party Advisory
https://security.netapp.com/advisory/ntap-20240402-0002/Third Party Advisory

Timeline

Published: Mar 13, 2024
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2024-23672?

How severe is CVE-2024-23672?

CVE-2024-23672 has a CVSS score of 6.3/10 (MEDIUM severity). The EPSS model estimates a 2.31% probability of exploitation in the next 30 days.

How do I fix CVE-2024-23672?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2024-23672?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST