CVE-2023-42794 Apache Tomcat - denial of service
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 9.0.70 to 9.0.80
Apache Tomcat 8.5.85 to 8.5.93
Description:
Tomcat's internal fork of a Commons FileUpload included an unreleased,
in progress refactoring that exposed a potential denial of service on
Windows if a web application opened a stream for an uploaded file but
failed to close the stream. The file would never be deleted from disk
creating the possibility of an eventual denial of service due to the
disk being full.
Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 9.0.81 or later
- Upgrade to Apache Tomcat 8.5.94 or later
Credit:
This vulnerability was reported responsibly to the Tomcat security team
by Mohammad Khedmatgozar (cellbox).
History:
2023-10-10 Original advisory
References:
[1] https://tomcat.apache.org/security-9.html
[2] https://tomcat.apache.org/security-8.html
