VYPR
High severityNVD Advisory· Published Oct 14, 2021· Updated Aug 4, 2024

DoS via memory leak with WebSocket connections

CVE-2021-42340

Description

The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.apache.tomcat:tomcatMaven
>= 10.1.0-M1, < 10.1.0-M610.1.0-M6
org.apache.tomcat:tomcatMaven
>= 10.0.0-M1, < 10.0.1210.0.12
org.apache.tomcat:tomcatMaven
>= 9.0.40, < 9.0.549.0.54
org.apache.tomcat:tomcatMaven
>= 8.5.60, < 8.5.728.5.72

Affected products

3
  • osv-coords2 versions
    >= 8.5.60, < 8.5.72+ 1 more
    • (no CPE)range: >= 8.5.60, < 8.5.72
    • (no CPE)range: >= 10.1.0-M1, < 10.1.0-M6
  • Apache Software Foundation/Apache Tomcatv5
    Range: Apache Tomcat 10 10.0.0-M10 to 10.0.11

Patches

Vulnerability mechanics

References

20

News mentions

0

No linked articles in our index yet.