{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-42795", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2023-09-14T12:11:26.550Z", "datePublished": "2023-10-10T17:42:16.705Z", "dateUpdated": "2025-02-13T17:09:44.254Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Tomcat", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "11.0.0-M11", "status": "affected", "version": "11.0.0-M1", "versionType": "semver"}, {"lessThanOrEqual": "10.1.13", "status": "affected", "version": "10.1.0-M1", "versionType": "semver"}, {"lessThanOrEqual": "9.0.80", "status": "affected", "version": "9.0.0-M1", "versionType": "semver"}, {"lessThanOrEqual": "8.5.93", "status": "affected", "version": "8.5.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Incomplete Cleanup vulnerability in Apache Tomcat.<p>When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could \ncause Tomcat to skip some parts of the recycling process leading to \ninformation leaking from the current request/response to the next.<br></p><p>Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.</p>"}], "value": "Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could \ncause Tomcat to skip some parts of the recycling process leading to \ninformation leaking from the current request/response to the next.\n\nUsers are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue."}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-459", "description": "CWE-459 Incomplete Cleanup", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-11-04T05:06:48.348Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/065jfyo583490r9j2v73nhpyxdob56lw"}, {"url": "http://www.openwall.com/lists/oss-security/2023/10/10/9"}, {"url": "https://www.debian.org/security/2023/dsa-5522"}, {"url": "https://www.debian.org/security/2023/dsa-5521"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html"}, {"url": "https://security.netapp.com/advisory/ntap-20231103-0007/"}], "source": {"discovery": "INTERNAL"}, "title": "Apache Tomcat: Failure during request clean-up leads to sensitive data leaking to subsequent requests", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:30:24.387Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/065jfyo583490r9j2v73nhpyxdob56lw"}, {"url": "http://www.openwall.com/lists/oss-security/2023/10/10/9", "tags": ["x_transferred"]}, {"url": "https://www.debian.org/security/2023/dsa-5522", "tags": ["x_transferred"]}, {"url": "https://www.debian.org/security/2023/dsa-5521", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20231103-0007/", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "apache", "product": "accumulo", "cpes": ["cpe:2.3:a:apache:accumulo:-:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "11.0.0-m1", "status": "affected"}, {"version": "10.10-m1", "status": "affected", "lessThanOrEqual": "10.1.13", "versionType": "semver"}, {"version": "9.0.0-m1", "status": "affected", "lessThanOrEqual": "9.0.80", "versionType": "semver"}, {"version": "8.5.0", "status": "affected", "lessThanOrEqual": "8.5.93", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-18T16:23:53.651535Z", "id": "CVE-2023-42795", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-18T16:26:54.828Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.apache.org/thread/065jfyo583490r9j2v73nhpyxdob56lw", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/10/10/9", "tags": ["x_transferred"]}, {"url": "https://www.debian.org/security/2023/dsa-5522", "tags": ["x_transferred"]}, {"url": "https://www.debian.org/security/2023/dsa-5521", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20231103-0007/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:30:24.387Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-42795", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-18T16:23:53.651535Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:apache:accumulo:-:*:*:*:*:*:*:*"], "vendor": "apache", "product": "accumulo", "versions": [{"status": "affected", "version": "11.0.0-m1"}, {"status": "affected", "version": "10.10-m1", "versionType": "semver", "lessThanOrEqual": "10.1.13"}, {"status": "affected", "version": "9.0.0-m1", "versionType": "semver", "lessThanOrEqual": "9.0.80"}, {"status": "affected", "version": "8.5.0", "versionType": "semver", "lessThanOrEqual": "8.5.93"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-18T16:26:46.735Z"}}], "cna": {"title": "Apache Tomcat: Failure during request clean-up leads to sensitive data leaking to subsequent requests", "source": {"discovery": "INTERNAL"}, "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "important"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Tomcat", "versions": [{"status": "affected", "version": "11.0.0-M1", "versionType": "semver", "lessThanOrEqual": "11.0.0-M11"}, {"status": "affected", "version": "10.1.0-M1", "versionType": "semver", "lessThanOrEqual": "10.1.13"}, {"status": "affected", "version": "9.0.0-M1", "versionType": "semver", "lessThanOrEqual": "9.0.80"}, {"status": "affected", "version": "8.5.0", "versionType": "semver", "lessThanOrEqual": "8.5.93"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/065jfyo583490r9j2v73nhpyxdob56lw", "tags": ["vendor-advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/10/10/9"}, {"url": "https://www.debian.org/security/2023/dsa-5522"}, {"url": "https://www.debian.org/security/2023/dsa-5521"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html"}, {"url": "https://security.netapp.com/advisory/ntap-20231103-0007/"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could \ncause Tomcat to skip some parts of the recycling process leading to \ninformation leaking from the current request/response to the next.\n\nUsers are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.", "supportingMedia": [{"type": "text/html", "value": "Incomplete Cleanup vulnerability in Apache Tomcat.<p>When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could \ncause Tomcat to skip some parts of the recycling process leading to \ninformation leaking from the current request/response to the next.<br></p><p>Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-459", "description": "CWE-459 Incomplete Cleanup"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-11-04T05:06:48.348Z"}}}, "cveMetadata": {"cveId": "CVE-2023-42795", "state": "PUBLISHED", "dateUpdated": "2025-02-13T17:09:44.254Z", "dateReserved": "2023-09-14T12:11:26.550Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2023-10-10T17:42:16.705Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "FE1F7111-22BD-489A-B2C9-E67E0D601824", "versionEndExcluding": "8.5.94", "versionStartIncluding": "8.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "37FCE624-DD65-4AC5-A602-BB66E0E54CFC", "versionEndExcluding": "9.0.81", "versionStartIncluding": "9.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "0995DE67-7E3B-4CFE-AB96-E2243F994755", "versionEndExcluding": "10.1.14", "versionStartIncluding": "10.1.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*", "matchCriteriaId": "9D0689FE-4BC0-4F53-8C79-34B21F9B86C2", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*", "matchCriteriaId": "89B129B2-FB6F-4EF9-BF12-E589A87996CF", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*", "matchCriteriaId": "8B6787B6-54A8-475E-BA1C-AB99334B2535", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*", "matchCriteriaId": "EABB6FBC-7486-44D5-A6AD-FFF1D3F677E1", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*", "matchCriteriaId": "E10C03BC-EE6B-45B2-83AE-9E8DFB58D7DB", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*", "matchCriteriaId": "8A6DA0BE-908C-4DA8-A191-A0113235E99A", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*", "matchCriteriaId": "39029C72-28B4-46A4-BFF5-EC822CFB2A4C", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*", "matchCriteriaId": "1A2E05A3-014F-4C4D-81E5-88E725FBD6AD", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*", "matchCriteriaId": "166C533C-0833-41D5-99B6-17A4FAB3CAF0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*", "matchCriteriaId": "D3768C60-21FA-4B92-B98C-C3A2602D1BC4", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*", "matchCriteriaId": "DDD510FA-A2E4-4BAF-A0DE-F4E5777E9325", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*", "matchCriteriaId": "9F542E12-6BA8-4504-A494-DA83E7E19BD5", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*", "matchCriteriaId": "C2409CC7-6A85-4A66-A457-0D62B9895DC1", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*", "matchCriteriaId": "B392A7E5-4455-4B1C-8FAC-AE6DDC70689E", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:*", "matchCriteriaId": "EF411DDA-2601-449A-9046-D250419A0E1A", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*", "matchCriteriaId": "D7D8F2F4-AFE2-47EA-A3FD-79B54324DE02", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*", "matchCriteriaId": "1B4FBF97-DE16-4E5E-BE19-471E01818D40", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*", "matchCriteriaId": "3B266B1E-24B5-47EE-A421-E0E3CC0C7471", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*", "matchCriteriaId": "29614C3A-6FB3-41C7-B56E-9CC3F45B04F0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*", "matchCriteriaId": "C6AB156C-8FF6-4727-AF75-590D0DCB3F9D", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*", "matchCriteriaId": "C0C5F004-F7D8-45DB-B173-351C50B0EC16", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*", "matchCriteriaId": "D1902D2E-1896-4D3D-9E1C-3A675255072C", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*", "matchCriteriaId": "49AAF4DF-F61D-47A8-8788-A21E317A145D", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*", "matchCriteriaId": "454211D0-60A2-4661-AECA-4C0121413FEB", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*", "matchCriteriaId": "0686F977-889F-4960-8E0B-7784B73A7F2D", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*", "matchCriteriaId": "558703AE-DB5E-4DFF-B497-C36694DD7B24", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*", "matchCriteriaId": "ED6273F2-1165-47A4-8DD7-9E9B2472941B", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone1:*:*:*:*:*:*", "matchCriteriaId": "6D402B5D-5901-43EB-8E6A-ECBD512CE367", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone10:*:*:*:*:*:*", "matchCriteriaId": "33C71AE1-B38E-4783-BAC2-3CDA7B4D9EBA", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone11:*:*:*:*:*:*", "matchCriteriaId": "F6BD4180-D3E8-42AB-96B1-3869ECF47F6C", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone12:*:*:*:*:*:*", "matchCriteriaId": "64668CCF-DBC9-442D-9E0F-FD40E1D0DDB7", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone13:*:*:*:*:*:*", "matchCriteriaId": "FC64BB57-4912-481E-AE8D-C8FCD36142BB", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone14:*:*:*:*:*:*", "matchCriteriaId": "49B43BFD-6B6C-4E6D-A9D8-308709DDFB44", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone15:*:*:*:*:*:*", "matchCriteriaId": "919C16BD-79A7-4597-8D23-2CBDED2EF615", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone16:*:*:*:*:*:*", "matchCriteriaId": "81B27C03-D626-42EC-AE4E-1E66624908E3", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone17:*:*:*:*:*:*", "matchCriteriaId": "BD81405D-81A5-4683-A355-B39C912DAD2D", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone18:*:*:*:*:*:*", "matchCriteriaId": "2DCE3576-86BC-4BB8-A5FB-1274744DFD7F", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone19:*:*:*:*:*:*", "matchCriteriaId": "5571F54A-2EAC-41B6-BDA9-7D33CFE97F70", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone2:*:*:*:*:*:*", "matchCriteriaId": "9846609D-51FC-4CDD-97B3-8C6E07108F14", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone20:*:*:*:*:*:*", "matchCriteriaId": "ED30E850-C475-4133-BDE3-74CB3768D787", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone3:*:*:*:*:*:*", "matchCriteriaId": "2E321FB4-0B0C-497A-BB75-909D888C93CB", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone4:*:*:*:*:*:*", "matchCriteriaId": "3B0CAE57-AF7A-40E6-9519-F5C9F422C1BE", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone5:*:*:*:*:*:*", "matchCriteriaId": "7CB9D150-EED6-4AE9-BCBE-48932E50035E", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone6:*:*:*:*:*:*", "matchCriteriaId": "D334103F-F64E-4869-BCC8-670A5AFCC76C", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone7:*:*:*:*:*:*", "matchCriteriaId": "941FCF7B-FFB6-4967-95C7-BB3D32C73DAF", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone8:*:*:*:*:*:*", "matchCriteriaId": "CE1A9030-B397-4BA6-8E13-DA1503872DDB", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone9:*:*:*:*:*:*", "matchCriteriaId": "6284B74A-1051-40A7-9D74-380FEEEC3F88", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone1:*:*:*:*:*:*", "matchCriteriaId": "D1AA7FF6-E8E7-4BF6-983E-0A99B0183008", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone10:*:*:*:*:*:*", "matchCriteriaId": "57088BDD-A136-45EF-A8A1-2EBF79CEC2CE", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone11:*:*:*:*:*:*", "matchCriteriaId": "B32D1D7A-A04F-444E-8F45-BB9A9E4B0199", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone2:*:*:*:*:*:*", "matchCriteriaId": "2AAD52CE-94F5-4F98-A027-9A7E68818CB6", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone3:*:*:*:*:*:*", "matchCriteriaId": "F1F981F5-035A-4EDD-8A9F-481EE8BC7FF7", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone4:*:*:*:*:*:*", "matchCriteriaId": "03A171AF-2EC8-4422-912C-547CDB58CAAA", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone5:*:*:*:*:*:*", "matchCriteriaId": "538E68C4-0BA4-495F-AEF8-4EF6EE7963CF", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone6:*:*:*:*:*:*", "matchCriteriaId": "49350A6E-5E1D-45B2-A874-3B8601B3ADCC", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone7:*:*:*:*:*:*", "matchCriteriaId": "5F50942F-DF54-46C0-8371-9A476DD3EEA3", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone8:*:*:*:*:*:*", "matchCriteriaId": "D12C2C95-B79F-4AA4-8CE3-99A3EE7991AB", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone9:*:*:*:*:*:*", "matchCriteriaId": "98792138-DD56-42DF-9612-3BDC65EEC117", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*", "matchCriteriaId": "46D69DCC-AE4D-4EA5-861C-D60951444C6C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could \ncause Tomcat to skip some parts of the recycling process leading to \ninformation leaking from the current request/response to the next.\n\nUsers are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue."}, {"lang": "es", "value": "Vulnerabilidad de limpieza incompleta en Apache Tomcat. Al reciclar varios objetos internos en Apache Tomcat desde 11.0.0-M1 hasta 11.0.0-M11, desde 10.1.0-M1 hasta 10.1.13, desde 9.0.0-M1 hasta 9.0.80 y Desde 8.5.0 hasta 8.5.93, un error podr\u00eda hacer que Tomcat se salte algunas partes del proceso de reciclaje, lo que provocar\u00eda que se filtrara informaci\u00f3n de la solicitud/respuesta actual a la siguiente. Se recomienda a los usuarios actualizar a la versi\u00f3n 11.0.0-M12 en adelante, 10.1.14 en adelante, 9.0.81 en adelante o 8.5.94 en adelante, lo que soluciona el problema."}], "id": "CVE-2023-42795", "lastModified": "2025-02-13T17:17:09.610", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-10-10T18:15:18.933", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/10/10/9"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/065jfyo583490r9j2v73nhpyxdob56lw"}, {"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html"}, {"source": "security@apache.org", "url": "https://security.netapp.com/advisory/ntap-20231103-0007/"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2023/dsa-5521"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2023/dsa-5522"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/10/10/9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/065jfyo583490r9j2v73nhpyxdob56lw"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20231103-0007/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2023/dsa-5521"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2023/dsa-5522"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-459"}], "source": "security@apache.org", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:0125", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "tomcat-1:9.0.62-27.el8_9.2", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-01-10T00:00:00Z"}, {"advisory": "RHSA-2024:0474", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "tomcat-1:9.0.62-37.el9_3.1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-01-25T00:00:00Z"}, {"advisory": "RHSA-2023:7247", "cpe": "cpe:/a:redhat:jboss_fuse:7", "package": "tomcat", "product_name": "Red Hat Fuse 7.12.1", "release_date": "2023-11-15T00:00:00Z"}, {"advisory": "RHSA-2023:6207", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.7", "package": "tomcat", "product_name": "Red Hat JBoss Web Server 5", "release_date": "2023-10-31T00:00:00Z"}, {"advisory": "RHSA-2023:6206", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.7::el7", "package": "jws5-tomcat-0:9.0.62-18.redhat_00016.1.el7jws", "product_name": "Red Hat JBoss Web Server 5.7 on RHEL 7", "release_date": "2023-10-31T00:00:00Z"}, {"advisory": "RHSA-2023:6206", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.7::el8", "package": "jws5-tomcat-0:9.0.62-18.redhat_00016.1.el8jws", "product_name": "Red Hat JBoss Web Server 5.7 on RHEL 8", "release_date": "2023-10-31T00:00:00Z"}, {"advisory": "RHSA-2023:6206", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.7::el9", "package": "jws5-tomcat-0:9.0.62-18.redhat_00016.1.el9jws", "product_name": "Red Hat JBoss Web Server 5.7 on RHEL 9", "release_date": "2023-10-31T00:00:00Z"}], "bugzilla": {"description": "tomcat: improper cleaning of recycled objects could lead to information leak", "id": "2243752", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243752"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "verified"}, "cwe": "CWE-459", "details": ["Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could \ncause Tomcat to skip some parts of the recycling process leading to \ninformation leaking from the current request/response to the next.\nUsers are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.", "A flaw was found in Apache Tomcat. Tomcat may skip, after an error, the recycling of the internal objects that the next request/response process might use, resulting in information leaking from one request to the next. This flaw allows a malicious user to have access to this information."], "mitigation": {"lang": "en:us", "value": "No mitigation is currently available for this flaw."}, "name": "CVE-2023-42795", "package_state": [{"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Will not fix", "package_name": "tomcat", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Will not fix", "package_name": "tomcat", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Affected", "package_name": "tomcat", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "pki-deps:10.6/pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "pki-servlet-container", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "tomcat", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Will not fix", "package_name": "tomcat", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "tomcat", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat JBoss Web Server 6"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Affected", "package_name": "tomcat", "product_name": "Red Hat OpenShift Application Runtimes"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Will not fix", "package_name": "tomcat", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Will not fix", "package_name": "tomcat", "product_name": "streams for Apache Kafka"}], "public_date": "2023-10-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-42795\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-42795\nhttp://www.openwall.com/lists/oss-security/2023/10/10/9\nhttps://lists.apache.org/thread/065jfyo583490r9j2v73nhpyxdob56lw"], "statement": "Red Hat rates this as a Moderate impact as the confidentiality is not fully compromised and the malicious user does not have confirmation over the scenario to replicate the error and capture the possible jeopardizing response.", "threat_severity": "Moderate", "upstream_fix": "tomcat 11.0.0-M12, tomcat 10.1.14, tomcat 9.0.81, tomcat 8.5.94"}