{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46179?format=json","vulnerability_id":"VCID-kbpn-7esm-77ew","summary":"Incomplete Cleanup vulnerability in Apache Tomcat.\n\nThe internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, \nin progress refactoring that exposed a potential denial of service on \nWindows if a web application opened a stream for an uploaded file but \nfailed to close the stream. The file would never be deleted from disk \ncreating the possibility of an eventual denial of service due to the \ndisk being full.\n\nUsers are recommended to upgrade to version 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.","aliases":[{"alias":"CVE-2023-42794"},{"alias":"GHSA-jm7m-8jh6-29hp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/86941?format=json","purl":"pkg:apache/tomcat@8.5.94","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apache/tomcat@8.5.94"},{"url":"http://public2.vulnerablecode.io/api/packages/86840?format=json","purl":"pkg:apache/tomcat@9.0.81","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apache/tomcat@9.0.81"},{"url":"http://public2.vulnerablecode.io/api/packages/132615?format=json","purl":"pkg:deb/debian/tomcat10@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/tomcat10@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/132607?format=json","purl":"pkg:deb/debian/tomcat10@10.1.52-1~deb12u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1qsf-yxnk-fqhy"},{"vulnerability":"VCID-2s6w-bbfa-afb8"},{"vulnerability":"VCID-2ym4-frda-dbbe"},{"vulnerability":"VCID-84a8-y1hg-vuep"},{"vulnerability":"VCID-8qk1-ufax-eugz"},{"vulnerability":"VCID-cugj-j48z-jub5"},{"vulnerability":"VCID-gw94-yyjd-17er"},{"vulnerability":"VCID-j493-xan3-myfm"},{"vulnerability":"VCID-j7w8-ean1-33b8"},{"vulnerability":"VCID-nqgv-hbwa-d3en"},{"vulnerability":"VCID-nsp7-e9m6-juhv"},{"vulnerability":"VCID-qjqr-axrq-xkcf"},{"vulnerability":"VCID-ud36-sb2d-8ych"},{"vulnerability":"VCID-w9nk-wv5n-2kg9"},{"vulnerability":"VCID-xtdv-ygus-xuds"},{"vulnerability":"VCID-z8df-aq4y-ubet"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/tomcat10@10.1.52-1~deb12u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/132611?format=json","purl":"pkg:deb/debian/tomcat10@10.1.52-1~deb13u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1qsf-yxnk-fqhy"},{"vulnerability":"VCID-2s6w-bbfa-afb8"},{"vulnerability":"VCID-2ym4-frda-dbbe"},{"vulnerability":"VCID-84a8-y1hg-vuep"},{"vulnerability":"VCID-8qk1-ufax-eugz"},{"vulnerability":"VCID-cugj-j48z-jub5"},{"vulnerability":"VCID-gw94-yyjd-17er"},{"vulnerability":"VCID-j493-xan3-myfm"},{"vulnerability":"VCID-j7w8-ean1-33b8"},{"vulnerability":"VCID-nqgv-hbwa-d3en"},{"vulnerability":"VCID-nsp7-e9m6-juhv"},{"vulnerability":"VCID-qjqr-axrq-xkcf"},{"vulnerability":"VCID-ud36-sb2d-8ych"},{"vulnerability":"VCID-w9nk-wv5n-2kg9"},{"vulnerability":"VCID-xtdv-ygus-xuds"},{"vulnerability":"VCID-z8df-aq4y-ubet"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/tomcat10@10.1.52-1~deb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/132609?format=json","purl":"pkg:deb/debian/tomcat10@10.1.54-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ym4-frda-dbbe"},{"vulnerability":"VCID-84a8-y1hg-vuep"},{"vulnerability":"VCID-j7w8-ean1-33b8"},{"vulnerability":"VCID-qjqr-axrq-xkcf"},{"vulnerability":"VCID-ud36-sb2d-8ych"},{"vulnerability":"VCID-w9nk-wv5n-2kg9"},{"vulnerability":"VCID-xtdv-ygus-xuds"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/tomcat10@10.1.54-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/132610?format=json","purl":"pkg:deb/debian/tomcat10@10.1.55-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/tomcat10@10.1.55-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/132688?format=json","purl":"pkg:deb/debian/tomcat9@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/tomcat9@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/132689?format=json","purl":"pkg:deb/debian/tomcat9@9.0.43-2~deb11u10?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/tomcat9@9.0.43-2~deb11u10%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/132687?format=json","purl":"pkg:deb/debian/tomcat9@9.0.70-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/tomcat9@9.0.70-2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/132691?format=json","purl":"pkg:deb/debian/tomcat9@9.0.95-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/tomcat9@9.0.95-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/132690?format=json","purl":"pkg:deb/debian/tomcat9@9.0.118-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/tomcat9@9.0.118-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/67245?format=json","purl":"pkg:maven/org.apache.tomcat/tomcat@8.5.94","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5udv-rheh-kqfy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@8.5.94"},{"url":"http://public2.vulnerablecode.io/api/packages/67244?format=json","purl":"pkg:maven/org.apache.tomcat/tomcat@9.0.81","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@9.0.81"},{"url":"http://public2.vulnerablecode.io/api/packages/67288?format=json","purl":"pkg:maven/org.apache.tomcat/tomcat-coyote@8.5.94","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat-coyote@8.5.94"},{"url":"http://public2.vulnerablecode.io/api/packages/67289?format=json","purl":"pkg:maven/org.apache.tomcat/tomcat-coyote@9.0.81","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat-coyote@9.0.81"},{"url":"http://public2.vulnerablecode.io/api/packages/67251?format=json","purl":"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.94","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.94"},{"url":"http://public2.vulnerablecode.io/api/packages/67252?format=json","purl":"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.81","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.81"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/86942?format=json","purl":"pkg:apache/tomcat@8.5.85","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-kbpn-7esm-77ew"},{"vulnerability":"VCID-paqj-ye46-8bdb"},{"vulnerability":"VCID-ryby-gbcx-33ec"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apache/tomcat@8.5.85"},{"url":"http://public2.vulnerablecode.io/api/packages/86940?format=json","purl":"pkg:apache/tomcat@8.5.93","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-h6f2-qgnu-bqf4"},{"vulnerability":"VCID-jsyt-cmxf-gbh3"},{"vulnerability":"VCID-kbpn-7esm-77ew"},{"vulnerability":"VCID-y4a2-mamb-yqg6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apache/tomcat@8.5.93"},{"url":"http://public2.vulnerablecode.io/api/packages/86841?format=json","purl":"pkg:apache/tomcat@9.0.70","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-kbpn-7esm-77ew"},{"vulnerability":"VCID-m1k8-9pwc-1qb9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apache/tomcat@9.0.70"},{"url":"http://public2.vulnerablecode.io/api/packages/86839?format=json","purl":"pkg:apache/tomcat@9.0.80","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-h6f2-qgnu-bqf4"},{"vulnerability":"VCID-jsyt-cmxf-gbh3"},{"vulnerability":"VCID-kbpn-7esm-77ew"},{"vulnerability":"VCID-y4a2-mamb-yqg6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apache/tomcat@9.0.80"},{"url":"http://public2.vulnerablecode.io/api/packages/67278?format=json","purl":"pkg:maven/org.apache.tomcat/coyote@8.5.85","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-kbpn-7esm-77ew"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/coyote@8.5.85"},{"url":"http://public2.vulnerablecode.io/api/packages/67279?format=json","purl":"pkg:maven/org.apache.tomcat/coyote@9.0.70","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-kbpn-7esm-77ew"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/coyote@9.0.70"},{"url":"http://public2.vulnerablecode.io/api/packages/65156?format=json","purl":"pkg:maven/org.apache.tomcat/tomcat@8.5.85","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5udv-rheh-kqfy"},{"vulnerability":"VCID-kbpn-7esm-77ew"},{"vulnerability":"VCID-paqj-ye46-8bdb"},{"vulnerability":"VCID-ryby-gbcx-33ec"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@8.5.85"},{"url":"http://public2.vulnerablecode.io/api/packages/66688?format=json","purl":"pkg:maven/org.apache.tomcat/tomcat@8.5.93","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5udv-rheh-kqfy"},{"vulnerability":"VCID-h6f2-qgnu-bqf4"},{"vulnerability":"VCID-jsyt-cmxf-gbh3"},{"vulnerability":"VCID-kbpn-7esm-77ew"},{"vulnerability":"VCID-y4a2-mamb-yqg6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@8.5.93"},{"url":"http://public2.vulnerablecode.io/api/packages/67274?format=json","purl":"pkg:maven/org.apache.tomcat/tomcat@9.0.70","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-kbpn-7esm-77ew"},{"vulnerability":"VCID-m1k8-9pwc-1qb9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@9.0.70"},{"url":"http://public2.vulnerablecode.io/api/packages/66687?format=json","purl":"pkg:maven/org.apache.tomcat/tomcat@9.0.80","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-h6f2-qgnu-bqf4"},{"vulnerability":"VCID-jsyt-cmxf-gbh3"},{"vulnerability":"VCID-kbpn-7esm-77ew"},{"vulnerability":"VCID-y4a2-mamb-yqg6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@9.0.80"},{"url":"http://public2.vulnerablecode.io/api/packages/65184?format=json","purl":"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.85","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-kbpn-7esm-77ew"},{"vulnerability":"VCID-ryby-gbcx-33ec"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.85"},{"url":"http://public2.vulnerablecode.io/api/packages/67273?format=json","purl":"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.70","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-kbpn-7esm-77ew"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.70"},{"url":"http://public2.vulnerablecode.io/api/packages/116135?format=json","purl":"pkg:rpm/redhat/tomcat@1:9.0.62-27.el8_9?arch=2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-h6f2-qgnu-bqf4"},{"vulnerability":"VCID-jsyt-cmxf-gbh3"},{"vulnerability":"VCID-kbpn-7esm-77ew"},{"vulnerability":"VCID-urhs-6aus-syb1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/tomcat@1:9.0.62-27.el8_9%3Farch=2"},{"url":"http://public2.vulnerablecode.io/api/packages/116140?format=json","purl":"pkg:rpm/redhat/tomcat@1:9.0.62-37.el9_3?arch=1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-h6f2-qgnu-bqf4"},{"vulnerability":"VCID-jsyt-cmxf-gbh3"},{"vulnerability":"VCID-kbpn-7esm-77ew"},{"vulnerability":"VCID-urhs-6aus-syb1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/tomcat@1:9.0.62-37.el9_3%3Farch=1"}],"references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-42794.json","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-42794.json"},{"reference_url":"https://github.com/apache/tomcat","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/tomcat"},{"reference_url":"https://github.com/apache/tomcat/commit/43b882b8a577684498ab9b8851aa0427216784f7","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/tomcat/commit/43b882b8a577684498ab9b8851aa0427216784f7"},{"reference_url":"https://github.com/apache/tomcat/commit/c99ffc30e95ddc4daede564d08cb5ea2b9a9da65","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/tomcat/commit/c99ffc30e95ddc4daede564d08cb5ea2b9a9da65"},{"reference_url":"https://lists.apache.org/thread/vvbr2ms7lockj1hlhz5q3wmxb2mwcw82","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread/vvbr2ms7lockj1hlhz5q3wmxb2mwcw82"},{"reference_url":"http://www.openwall.com/lists/oss-security/2023/10/10/8","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2023/10/10/8"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2243751","reference_id":"2243751","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2243751"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42794","reference_id":"CVE-2023-42794","reference_type":"","scores":[{"value":"Low","scoring_system":"apache_tomcat","scoring_elements":""}],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42794"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42794","reference_id":"CVE-2023-42794","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42794"},{"reference_url":"https://github.com/advisories/GHSA-jm7m-8jh6-29hp","reference_id":"GHSA-jm7m-8jh6-29hp","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-jm7m-8jh6-29hp"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:7247","reference_id":"RHSA-2023:7247","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:7247"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:7623","reference_id":"RHSA-2023:7623","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:7623"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0125","reference_id":"RHSA-2024:0125","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0125"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0474","reference_id":"RHSA-2024:0474","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0474"}],"weaknesses":[{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."},{"cwe_id":459,"name":"Incomplete Cleanup","description":"The product does not properly clean up and remove temporary or supporting resources after they have been used."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."}],"exploits":[],"severity_range_score":"0.1 - 6.9","exploitability":"0.5","weighted_severity":"6.2","risk_score":3.1,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kbpn-7esm-77ew"}