Vulnerability details: VCID-aznr-24qt-aaaa
Vulnerability ID VCID-aznr-24qt-aaaa
Aliases CVE-2023-42794
GHSA-jm7m-8jh6-29hp
Summary Incomplete Cleanup vulnerability in Apache Tomcat. The internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, in-progress refactoring that exposed a potential denial of service on Windows if a web application opened a stream for an uploaded file but failed to close the stream. The file would never be deleted from disk, creating the possibility of an eventual denial of service due to the disk being full. Users are recommended to upgrade to version 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
System Score Found at
cvssv3.1 7.5 https://access.redhat.com/errata/RHSA-2023:7247
ssvc Track https://access.redhat.com/errata/RHSA-2023:7247
cvssv3 5.9 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-42794.json
epss 0.00049 https://api.first.org/data/v1/epss?cve=CVE-2023-42794
epss 0.00055 https://api.first.org/data/v1/epss?cve=CVE-2023-42794
epss 0.00059 https://api.first.org/data/v1/epss?cve=CVE-2023-42794
epss 0.00080 https://api.first.org/data/v1/epss?cve=CVE-2023-42794
epss 0.00178 https://api.first.org/data/v1/epss?cve=CVE-2023-42794
epss 0.00183 https://api.first.org/data/v1/epss?cve=CVE-2023-42794
epss 0.02242 https://api.first.org/data/v1/epss?cve=CVE-2023-42794
epss 0.08231 https://api.first.org/data/v1/epss?cve=CVE-2023-42794
apache_tomcat Low https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42794
cvssv3.1 5.9 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-jm7m-8jh6-29hp
cvssv3.1 5.9 https://github.com/apache/tomcat
cvssv3.1 7.5 https://github.com/apache/tomcat
generic_textual HIGH https://github.com/apache/tomcat
generic_textual MODERATE https://github.com/apache/tomcat
cvssv3.1 5.9 https://lists.apache.org/thread/vvbr2ms7lockj1hlhz5q3wmxb2mwcw82
generic_textual MODERATE https://lists.apache.org/thread/vvbr2ms7lockj1hlhz5q3wmxb2mwcw82
cvssv3 5.9 https://nvd.nist.gov/vuln/detail/CVE-2023-42794
cvssv3.1 5.9 https://nvd.nist.gov/vuln/detail/CVE-2023-42794
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2023-42794
cvssv3.1 5.9 http://www.openwall.com/lists/oss-security/2023/10/10/8
generic_textual MODERATE http://www.openwall.com/lists/oss-security/2023/10/10/8
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/errata/RHSA-2023:7247
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-13T20:07:40Z/ Found at https://access.redhat.com/errata/RHSA-2023:7247
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-42794.json
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/apache/tomcat
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/apache/tomcat
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://lists.apache.org/thread/vvbr2ms7lockj1hlhz5q3wmxb2mwcw82
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2023-42794
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2023-42794
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at http://www.openwall.com/lists/oss-security/2023/10/10/8
Exploit Prediction Scoring System (EPSS)
Percentile 0.15407
EPSS Score 0.00049
Published At May 1, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
There are no relevant records.