Medium severity5.3NVD Advisory· Published Oct 10, 2023· Updated Jun 17, 2026
CVE-2023-42795
CVE-2023-42795
Description
Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next. Older, EOL versions may also be affected.
Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.tomcat:tomcatMaven | >= 11.0.0-M1, < 11.0.0-M12 | 11.0.0-M12 |
org.apache.tomcat:tomcatMaven | >= 10.1.0-M1, < 10.1.14 | 10.1.14 |
org.apache.tomcat:tomcatMaven | >= 9.0.0-M1, < 9.0.81 | 9.0.81 |
org.apache.tomcat:tomcatMaven | >= 8.5.0, < 8.5.94 | 8.5.94 |
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 10.1.0-M1, < 10.1.14 | 10.1.14 |
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 9.0.0-M1, < 9.0.81 | 9.0.81 |
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 8.5.0, < 8.5.94 | 8.5.94 |
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 11.0.0-M1, < 11.0.0-M12 | 11.0.0-M12 |
org.apache.tomcat:tomcat-catalinaMaven | >= 11.0.0-M1, < 11.0.0-M12 | 11.0.0-M12 |
org.apache.tomcat:tomcat-catalinaMaven | >= 10.1.0-M1, < 10.1.14 | 10.1.14 |
org.apache.tomcat:tomcat-catalinaMaven | >= 9.0.0-M1, < 9.0.81 | 9.0.81 |
org.apache.tomcat:tomcat-catalinaMaven | >= 8.5.0, < 8.5.94 | 8.5.94 |
org.apache.tomcat:tomcat-utilMaven | >= 11.0.0-M1, < 11.0.0-M12 | 11.0.0-M12 |
org.apache.tomcat:tomcat-utilMaven | >= 10.1.0-M1, < 10.1.14 | 10.1.14 |
org.apache.tomcat:tomcat-utilMaven | >= 9.0.0-M1, < 9.0.81 | 9.0.81 |
org.apache.tomcat:tomcat-utilMaven | >= 8.5.0, < 8.5.94 | 8.5.94 |
Affected products
37- osv-coords36 versionspkg:bitnami/tomcatpkg:maven/org.apache.tomcat.embed/tomcat-embed-corepkg:maven/org.apache.tomcat/tomcatpkg:maven/org.apache.tomcat/tomcat-catalinapkg:maven/org.apache.tomcat/tomcat-coyotepkg:maven/org.apache.tomcat/tomcat-utilpkg:rpm/almalinux/tomcatpkg:rpm/almalinux/tomcat-admin-webappspkg:rpm/almalinux/tomcat-docs-webapppkg:rpm/almalinux/tomcat-el-3.0-apipkg:rpm/almalinux/tomcat-jsp-2.3-apipkg:rpm/almalinux/tomcat-libpkg:rpm/almalinux/tomcat-servlet-4.0-apipkg:rpm/almalinux/tomcat-webappspkg:rpm/opensuse/tomcat&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/tomcat&distro=openSUSE%20Tumbleweedpkg:rpm/suse/tomcat&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Manager%20Server%204.3
>= 8.5.0, < 8.5.94+ 35 more
- (no CPE)range: >= 8.5.0, < 8.5.94
- (no CPE)range: >= 10.1.0-M1, < 10.1.14
- (no CPE)range: >= 11.0.0-M1, < 11.0.0-M12
- (no CPE)range: >= 11.0.0-M1, < 11.0.0-M12
- (no CPE)range: >= 11.0.0-M1, < 11.0.0-M12
- (no CPE)range: >= 11.0.0-M1, < 11.0.0-M12
- (no CPE)range: < 1:9.0.62-27.el8_9.2
- (no CPE)range: < 1:9.0.62-27.el8_9.2
- (no CPE)range: < 1:9.0.62-27.el8_9.2
- (no CPE)range: < 1:9.0.62-27.el8_9.2
- (no CPE)range: < 1:9.0.62-27.el8_9.2
- (no CPE)range: < 1:9.0.62-27.el8_9.2
- (no CPE)range: < 1:9.0.62-27.el8_9.2
- (no CPE)range: < 1:9.0.62-27.el8_9.2
- (no CPE)range: < 9.0.85-150200.57.1
- (no CPE)range: < 9.0.82-2.1
- (no CPE)range: < 9.0.85-150200.57.1
- (no CPE)range: < 9.0.36-150100.4.98.1
- (no CPE)range: < 9.0.85-150200.57.1
- (no CPE)range: < 9.0.85-150200.57.1
- (no CPE)range: < 9.0.85-150200.57.1
- (no CPE)range: < 9.0.85-150200.57.1
- (no CPE)range: < 9.0.85-150200.57.1
- (no CPE)range: < 9.0.36-3.111.1
- (no CPE)range: < 9.0.115-3.160.1
- (no CPE)range: < 9.0.36-150100.4.98.1
- (no CPE)range: < 9.0.85-150200.57.1
- (no CPE)range: < 9.0.85-150200.57.1
- (no CPE)range: < 9.0.85-150200.57.1
- (no CPE)range: < 9.0.36-3.111.1
- (no CPE)range: < 9.0.36-150100.4.98.1
- (no CPE)range: < 9.0.85-150200.57.1
- (no CPE)range: < 9.0.85-150200.57.1
- (no CPE)range: < 9.0.85-150200.57.1
- (no CPE)range: < 9.0.115-3.160.1
- (no CPE)range: < 9.0.85-150200.57.1
- Apache Software Foundation/Apache Tomcatv5Range: 11.0.0-M1
Patches
Vulnerability mechanics
References
13- www.openwall.com/lists/oss-security/2023/10/10/9nvdMailing ListThird Party AdvisoryWEB
- github.com/advisories/GHSA-g8pj-r55q-5c2vghsaADVISORY
- lists.apache.org/thread/065jfyo583490r9j2v73nhpyxdob56lwnvdMailing ListVendor AdvisoryWEB
- lists.debian.org/debian-lts-announce/2023/10/msg00020.htmlnvdMailing ListThird Party AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2023-42795ghsaADVISORY
- www.debian.org/security/2023/dsa-5521nvdThird Party AdvisoryWEB
- www.debian.org/security/2023/dsa-5522nvdThird Party AdvisoryWEB
- github.com/apache/tomcat/commit/30f8063d7a9b4c43ae4722f5e382a76af1d7a6bfghsaWEB
- github.com/apache/tomcat/commit/44d05d75d696ca10ce251e4e370511e38f20ae75ghsaWEB
- github.com/apache/tomcat/commit/9375d67106f8df9eb9d7b360b2bef052fe67d3d4ghsaWEB
- github.com/apache/tomcat/commit/d6db22e411307c97ddf78315c15d5889356eca38ghsaWEB
- security.netapp.com/advisory/ntap-20231103-0007ghsaWEB
- security.netapp.com/advisory/ntap-20231103-0007/nvd
News mentions
0No linked articles in our index yet.