Vulnerability details: VCID-n7bs-a67w-3bhg
Vulnerability ID VCID-n7bs-a67w-3bhg
Aliases CVE-2023-42794
GHSA-jm7m-8jh6-29hp
Summary Apache Tomcat Incomplete Cleanup vulnerability. Incomplete Cleanup vulnerability in Apache Tomcat: the internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, in-progress refactoring that exposed a potential denial of service on Windows if a web application opened a stream for an uploaded file but failed to close the stream. The file would never be deleted from disk, creating the possibility of an eventual denial of service due to the disk being full. Users are recommended to upgrade to version 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
System Score Found at
cvssv3 5.9 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-42794.json
epss 0.00178 https://api.first.org/data/v1/epss?cve=CVE-2023-42794
apache_tomcat Low https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42794
cvssv3.1 5.9 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-jm7m-8jh6-29hp
cvssv3.1 5.9 https://github.com/apache/tomcat
generic_textual MODERATE https://github.com/apache/tomcat
cvssv3.1 5.9 https://lists.apache.org/thread/vvbr2ms7lockj1hlhz5q3wmxb2mwcw82
generic_textual MODERATE https://lists.apache.org/thread/vvbr2ms7lockj1hlhz5q3wmxb2mwcw82
cvssv3.1 5.9 https://nvd.nist.gov/vuln/detail/CVE-2023-42794
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2023-42794
cvssv3.1 5.9 http://www.openwall.com/lists/oss-security/2023/10/10/8
generic_textual MODERATE http://www.openwall.com/lists/oss-security/2023/10/10/8
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-42794.json
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/apache/tomcat
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://lists.apache.org/thread/vvbr2ms7lockj1hlhz5q3wmxb2mwcw82
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2023-42794
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at http://www.openwall.com/lists/oss-security/2023/10/10/8
Exploit Prediction Scoring System (EPSS)
Percentile 0.3997
EPSS Score 0.00178
Published At June 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T12:13:42.038926+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-jm7m-8jh6-29hp/GHSA-jm7m-8jh6-29hp.json 36.1.3