6.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-23672

GHSA ID

GHSA-v682-8vv8-vpwr

EPSS Score

0.61408%

CWE

CWE-459

Published

3/13/2024

Updated

2/13/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-23672

CVE-2024-23672: Denial of Service via incomplete cleanup vulnerability in Apache Tomcat

Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.

Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.

(GitHub Advisory)

6.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-23672

GHSA ID

GHSA-v682-8vv8-vpwr

EPSS Score

0.61408%

CWE

CWE-459

Published

3/13/2024

Updated

2/13/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.tomcat:tomcat-websocket	maven	>= 11.0.0-M1, <= 11.0.0-M16	11.0.0-M17
org.apache.tomcat:tomcat-websocket	maven	>= 10.1.0-M1, <= 10.1.18	10.1.19
org.apache.tomcat:tomcat-websocket	maven	>= 9.0.0-M1, <= 9.0.85	9.0.86
org.apache.tomcat:tomcat-websocket	maven	>= 8.5.0, <= 8.5.98	8.5.99
org.apache.tomcat.embed:tomcat-embed-websocket	maven	>= 11.0.0-M1, <= 11.0.0-M16	11.0.0-M17
org.apache.tomcat.embed:tomcat-embed-websocket	maven	>= 10.1.0-M1, <= 10.1.18	10.1.19
org.apache.tomcat.embed:tomcat-embed-websocket	maven	>= 9.0.0-M1, <= 9.0.85	9.0.86
org.apache.tomcat.embed:tomcat-embed-websocket	maven	>= 8.5.0, <= 8.5.98	8.5.99

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from incomplete cleanup during WebSocket closure. The commit introduces:

A new closeConnection() method in WsSession.java to handle unregistration.
Session close timeout tracking (sessionCloseTimeoutExpiry).
checkCloseTimeout() in the background process. The original doClose/onClose methods directly called wsRemoteEndpoint.close() without session cleanup, and the background process lacked timeout enforcement. These gaps allowed clients to keep connections open via suspended/resumed sessions without proper termination.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**ni*l o* S*rvi** vi* in*ompl*t* *l**nup vuln*r**ility in *p**** Tom**t. It w*s possi*l* *or W**So*k*t *li*nts to k**p W**So*k*t *onn**tions op*n l***in* to in*r**s** r*sour** *onsumption.T*is issu* *****ts *p**** Tom**t: *rom **.*.*-M* t*rou** **.*.

Reasoning

T** vuln*r**ility st*ms *rom in*ompl*t* *l**nup *urin* W**So*k*t *losur*. T** *ommit intro*u**s: *. * n*w *los**onn**tion() m*t*o* in WsS*ssion.j*v* to **n*l* unr**istr*tion. *. S*ssion *los* tim*out tr**kin* (s*ssion*los*Tim*out*xpiry). *. ****k*los

6.3

Basic Information

Concerned about an active attack path?

CVE-2024-23672: Denial of Service via incomplete cleanup vulnerability in Apache Tomcat

6.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI