Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-kbpn-7esm-77ew

Summary

Incomplete Cleanup vulnerability in Apache Tomcat.

The internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, 
in progress refactoring that exposed a potential denial of service on 
Windows if a web application opened a stream for an uploaded file but 
failed to close the stream. The file would never be deleted from disk 
creating the possibility of an eventual denial of service due to the 
disk being full.

Users are recommended to upgrade to version 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.

Aliases

alias	CVE-2023-42794

alias	GHSA-jm7m-8jh6-29hp

Fixed_packages

url	pkg:apache/tomcat@8.5.94
purl	pkg:apache/tomcat@8.5.94
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apache/tomcat@8.5.94

url	pkg:apache/tomcat@9.0.81
purl	pkg:apache/tomcat@9.0.81
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apache/tomcat@9.0.81

url	pkg:deb/debian/tomcat10@0?distro=trixie
purl	pkg:deb/debian/tomcat10@0?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/tomcat10@0%3Fdistro=trixie

url pkg:deb/debian/tomcat10@10.1.52-1~deb12u1?distro=trixie

purl pkg:deb/debian/tomcat10@10.1.52-1~deb12u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1qsf-yxnk-fqhy

vulnerability	VCID-2s6w-bbfa-afb8

vulnerability	VCID-2ym4-frda-dbbe

vulnerability	VCID-84a8-y1hg-vuep

vulnerability	VCID-8qk1-ufax-eugz

vulnerability	VCID-cugj-j48z-jub5

vulnerability	VCID-gw94-yyjd-17er

vulnerability	VCID-j493-xan3-myfm

vulnerability	VCID-j7w8-ean1-33b8

vulnerability	VCID-nqgv-hbwa-d3en

vulnerability	VCID-nsp7-e9m6-juhv

vulnerability	VCID-qjqr-axrq-xkcf

vulnerability	VCID-ud36-sb2d-8ych

vulnerability	VCID-w9nk-wv5n-2kg9

vulnerability	VCID-xtdv-ygus-xuds

vulnerability	VCID-z8df-aq4y-ubet

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/tomcat10@10.1.52-1~deb12u1%3Fdistro=trixie

url pkg:deb/debian/tomcat10@10.1.52-1~deb13u1?distro=trixie

purl pkg:deb/debian/tomcat10@10.1.52-1~deb13u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1qsf-yxnk-fqhy

vulnerability	VCID-2s6w-bbfa-afb8

vulnerability	VCID-2ym4-frda-dbbe

vulnerability	VCID-84a8-y1hg-vuep

vulnerability	VCID-8qk1-ufax-eugz

vulnerability	VCID-cugj-j48z-jub5

vulnerability	VCID-gw94-yyjd-17er

vulnerability	VCID-j493-xan3-myfm

vulnerability	VCID-j7w8-ean1-33b8

vulnerability	VCID-nqgv-hbwa-d3en

vulnerability	VCID-nsp7-e9m6-juhv

vulnerability	VCID-qjqr-axrq-xkcf

vulnerability	VCID-ud36-sb2d-8ych

vulnerability	VCID-w9nk-wv5n-2kg9

vulnerability	VCID-xtdv-ygus-xuds

vulnerability	VCID-z8df-aq4y-ubet

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/tomcat10@10.1.52-1~deb13u1%3Fdistro=trixie

url pkg:deb/debian/tomcat10@10.1.54-1?distro=trixie

purl pkg:deb/debian/tomcat10@10.1.54-1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2ym4-frda-dbbe

vulnerability	VCID-84a8-y1hg-vuep

vulnerability	VCID-j7w8-ean1-33b8

vulnerability	VCID-qjqr-axrq-xkcf

vulnerability	VCID-ud36-sb2d-8ych

vulnerability	VCID-w9nk-wv5n-2kg9

vulnerability	VCID-xtdv-ygus-xuds

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/tomcat10@10.1.54-1%3Fdistro=trixie

url	pkg:deb/debian/tomcat10@10.1.55-1?distro=trixie
purl	pkg:deb/debian/tomcat10@10.1.55-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/tomcat10@10.1.55-1%3Fdistro=trixie

url	pkg:deb/debian/tomcat9@0?distro=trixie
purl	pkg:deb/debian/tomcat9@0?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/tomcat9@0%3Fdistro=trixie

url	pkg:deb/debian/tomcat9@9.0.43-2~deb11u10?distro=trixie
purl	pkg:deb/debian/tomcat9@9.0.43-2~deb11u10?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/tomcat9@9.0.43-2~deb11u10%3Fdistro=trixie

url	pkg:deb/debian/tomcat9@9.0.70-2?distro=trixie
purl	pkg:deb/debian/tomcat9@9.0.70-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/tomcat9@9.0.70-2%3Fdistro=trixie

url	pkg:deb/debian/tomcat9@9.0.95-1?distro=trixie
purl	pkg:deb/debian/tomcat9@9.0.95-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/tomcat9@9.0.95-1%3Fdistro=trixie

url	pkg:deb/debian/tomcat9@9.0.118-1?distro=trixie
purl	pkg:deb/debian/tomcat9@9.0.118-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/tomcat9@9.0.118-1%3Fdistro=trixie

url pkg:maven/org.apache.tomcat/tomcat@8.5.94

purl pkg:maven/org.apache.tomcat/tomcat@8.5.94

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-5udv-rheh-kqfy

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@8.5.94

url	pkg:maven/org.apache.tomcat/tomcat@9.0.81
purl	pkg:maven/org.apache.tomcat/tomcat@9.0.81
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@9.0.81

url	pkg:maven/org.apache.tomcat/tomcat-coyote@8.5.94
purl	pkg:maven/org.apache.tomcat/tomcat-coyote@8.5.94
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat-coyote@8.5.94

url	pkg:maven/org.apache.tomcat/tomcat-coyote@9.0.81
purl	pkg:maven/org.apache.tomcat/tomcat-coyote@9.0.81
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat-coyote@9.0.81

url	pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.94
purl	pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.94
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.94

url	pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.81
purl	pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.81
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.81

Affected_packages

url pkg:apache/tomcat@8.5.85

purl pkg:apache/tomcat@8.5.85

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-kbpn-7esm-77ew

vulnerability	VCID-paqj-ye46-8bdb

vulnerability	VCID-ryby-gbcx-33ec

resource_url http://public2.vulnerablecode.io/packages/pkg:apache/tomcat@8.5.85

url pkg:apache/tomcat@8.5.93

purl pkg:apache/tomcat@8.5.93

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-h6f2-qgnu-bqf4

vulnerability	VCID-jsyt-cmxf-gbh3

vulnerability	VCID-kbpn-7esm-77ew

vulnerability	VCID-y4a2-mamb-yqg6

resource_url http://public2.vulnerablecode.io/packages/pkg:apache/tomcat@8.5.93

url pkg:apache/tomcat@9.0.70

purl pkg:apache/tomcat@9.0.70

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-kbpn-7esm-77ew

vulnerability	VCID-m1k8-9pwc-1qb9

resource_url http://public2.vulnerablecode.io/packages/pkg:apache/tomcat@9.0.70

url pkg:apache/tomcat@9.0.80

purl pkg:apache/tomcat@9.0.80

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-h6f2-qgnu-bqf4

vulnerability	VCID-jsyt-cmxf-gbh3

vulnerability	VCID-kbpn-7esm-77ew

vulnerability	VCID-y4a2-mamb-yqg6

resource_url http://public2.vulnerablecode.io/packages/pkg:apache/tomcat@9.0.80

url pkg:maven/org.apache.tomcat/coyote@8.5.85

purl pkg:maven/org.apache.tomcat/coyote@8.5.85

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-kbpn-7esm-77ew

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/coyote@8.5.85

url pkg:maven/org.apache.tomcat/coyote@9.0.70

purl pkg:maven/org.apache.tomcat/coyote@9.0.70

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-kbpn-7esm-77ew

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/coyote@9.0.70

url pkg:maven/org.apache.tomcat/tomcat@8.5.85

purl pkg:maven/org.apache.tomcat/tomcat@8.5.85

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-5udv-rheh-kqfy

vulnerability	VCID-kbpn-7esm-77ew

vulnerability	VCID-paqj-ye46-8bdb

vulnerability	VCID-ryby-gbcx-33ec

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@8.5.85

url pkg:maven/org.apache.tomcat/tomcat@8.5.93

purl pkg:maven/org.apache.tomcat/tomcat@8.5.93

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-5udv-rheh-kqfy

vulnerability	VCID-h6f2-qgnu-bqf4

vulnerability	VCID-jsyt-cmxf-gbh3

vulnerability	VCID-kbpn-7esm-77ew

vulnerability	VCID-y4a2-mamb-yqg6

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@8.5.93

url pkg:maven/org.apache.tomcat/tomcat@9.0.70

purl pkg:maven/org.apache.tomcat/tomcat@9.0.70

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-kbpn-7esm-77ew

vulnerability	VCID-m1k8-9pwc-1qb9

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@9.0.70

url pkg:maven/org.apache.tomcat/tomcat@9.0.80

purl pkg:maven/org.apache.tomcat/tomcat@9.0.80

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-h6f2-qgnu-bqf4

vulnerability	VCID-jsyt-cmxf-gbh3

vulnerability	VCID-kbpn-7esm-77ew

vulnerability	VCID-y4a2-mamb-yqg6

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@9.0.80

url pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.85

purl pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.85

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-kbpn-7esm-77ew

vulnerability	VCID-ryby-gbcx-33ec

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.85

url pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.70

purl pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.70

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-kbpn-7esm-77ew

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.70

url pkg:rpm/redhat/tomcat@1:9.0.62-27.el8_9?arch=2

purl pkg:rpm/redhat/tomcat@1:9.0.62-27.el8_9?arch=2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-h6f2-qgnu-bqf4

vulnerability	VCID-jsyt-cmxf-gbh3

vulnerability	VCID-kbpn-7esm-77ew

vulnerability	VCID-urhs-6aus-syb1

resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/tomcat@1:9.0.62-27.el8_9%3Farch=2

url pkg:rpm/redhat/tomcat@1:9.0.62-37.el9_3?arch=1

purl pkg:rpm/redhat/tomcat@1:9.0.62-37.el9_3?arch=1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-h6f2-qgnu-bqf4

vulnerability	VCID-jsyt-cmxf-gbh3

vulnerability	VCID-kbpn-7esm-77ew

vulnerability	VCID-urhs-6aus-syb1

resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/tomcat@1:9.0.62-37.el9_3%3Farch=1

References

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-42794.json

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-42794.json

reference_url

https://github.com/apache/tomcat

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/tomcat

reference_url	https://github.com/apache/tomcat/commit/43b882b8a577684498ab9b8851aa0427216784f7
reference_id
reference_type
scores
url	https://github.com/apache/tomcat/commit/43b882b8a577684498ab9b8851aa0427216784f7

reference_url	https://github.com/apache/tomcat/commit/c99ffc30e95ddc4daede564d08cb5ea2b9a9da65
reference_id
reference_type
scores
url	https://github.com/apache/tomcat/commit/c99ffc30e95ddc4daede564d08cb5ea2b9a9da65

reference_url

https://lists.apache.org/thread/vvbr2ms7lockj1hlhz5q3wmxb2mwcw82

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread/vvbr2ms7lockj1hlhz5q3wmxb2mwcw82

reference_url

http://www.openwall.com/lists/oss-security/2023/10/10/8

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2023/10/10/8

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2243751
reference_id	2243751
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2243751

reference_url

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42794

reference_id

CVE-2023-42794

reference_type

scores

value	Low
scoring_system	apache_tomcat
scoring_elements

url

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42794

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-42794

reference_id

CVE-2023-42794

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-42794

reference_url	https://github.com/advisories/GHSA-jm7m-8jh6-29hp
reference_id	GHSA-jm7m-8jh6-29hp
reference_type
scores
url	https://github.com/advisories/GHSA-jm7m-8jh6-29hp

reference_url	https://access.redhat.com/errata/RHSA-2023:7247
reference_id	RHSA-2023:7247
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:7247

reference_url	https://access.redhat.com/errata/RHSA-2023:7623
reference_id	RHSA-2023:7623
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:7623

reference_url	https://access.redhat.com/errata/RHSA-2024:0125
reference_id	RHSA-2024:0125
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:0125

reference_url	https://access.redhat.com/errata/RHSA-2024:0474
reference_id	RHSA-2024:0474
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:0474

Weaknesses

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

cwe_id	459
name	Incomplete Cleanup
description	The product does not properly clean up and remove temporary or supporting resources after they have been used.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

Exploits

Severity_range_score 0.1 - 6.9

Exploitability 0.5

Weighted_severity 6.2

Risk_score 3.1

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kbpn-7esm-77ew

Vulnerability Instance