CVE-2023-42794

Publication date 10 October 2023

Last updated 4 August 2025


Ubuntu priority

CVSS 3 Severity Score

5.9 · Medium

Description

Incomplete Cleanup vulnerability in Apache Tomcat. The internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, in-progress refactoring that exposed a potential denial of service on Windows if a web application opened a stream for an uploaded file but failed to close the stream. The file would never be deleted from disk, creating the possibility of an eventual denial of service due to the disk being full. Users are recommended to upgrade to version 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.
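
The application-side condition in the description (a stream opened on an uploaded file and never closed) is avoided by closing the stream on every exit path. The servlet below is an added example, not code from Apache Tomcat or from this advisory; the class name, URL pattern and size limits are assumptions, and it uses the `javax.servlet` API that Tomcat 8.5 and 9.0 provide. It complements the upgrade recommended above and does not replace it.

```java
import java.io.IOException;
import java.io.InputStream;
import javax.servlet.ServletException;
import javax.servlet.annotation.MultipartConfig;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.Part;

// Hypothetical servlet: URL pattern and limits are assumptions for this example.
@WebServlet("/upload")
@MultipartConfig(maxFileSize = 10L * 1024 * 1024, maxRequestSize = 20L * 1024 * 1024)
public class UploadCountServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        long total = 0;
        for (Part part : req.getParts()) {
            try {
                total += consume(part);
            } finally {
                // Release the container's temporary storage for this part,
                // even if reading it failed.
                part.delete();
            }
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("bytes read: " + total);
    }

    // Leaky pattern the description refers to:
    //     InputStream in = part.getInputStream();
    //     in.read(buf);   // an exception or early return leaves 'in' open
    private static long consume(Part part) throws IOException {
        byte[] buf = new byte[8192];
        long count = 0;
        // try-with-resources closes the stream on normal and exceptional exit.
        try (InputStream in = part.getInputStream()) {
            int n;
            while ((n = in.read(buf)) != -1) {
                count += n;
            }
        }
        return count;
    }
}
```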

Status

Package Ubuntu Release Status
tomcat10 25.04 plucky Not affected
tomcat10 24.10 oracular Not affected
tomcat10 24.04 LTS noble Not affected
tomcat10 23.10 mantic Ignored end of life, was not-affected (Windows-specific)
tomcat10 23.04 lunar Ignored end of life, was not-affected (Windows-specific)
tomcat10 22.04 LTS jammy Not in release
tomcat10 20.04 LTS focal Not in release
tomcat10 18.04 LTS bionic Ignored end of standard support
tomcat10 16.04 LTS xenial Ignored end of standard support
tomcat10 14.04 LTS trusty Ignored end of standard support
tomcat8 25.04 plucky Not in release
tomcat8 24.10 oracular Not in release
tomcat8 24.04 LTS noble Not in release
tomcat8 23.10 mantic Not in release
tomcat8 23.04 lunar Not in release
tomcat8 22.04 LTS jammy Not in release
tomcat8 20.04 LTS focal Not in release
tomcat8 18.04 LTS bionic Not affected
tomcat8 16.04 LTS xenial Not affected
tomcat8 14.04 LTS trusty Ignored end of standard support
tomcat9 25.04 plucky Not affected
tomcat9 24.10 oracular Not affected
tomcat9 24.04 LTS noble Not affected
tomcat9 23.10 mantic Ignored end of life, was not-affected (Windows-specific)
tomcat9 23.04 lunar Ignored end of life, was not-affected (Windows-specific)
tomcat9 22.04 LTS jammy Not affected
tomcat9 20.04 LTS focal Not affected
tomcat9 18.04 LTS bionic Not affected
tomcat9 16.04 LTS xenial Ignored end of standard support
tomcat9 14.04 LTS trusty Ignored end of standard support

Severity score breakdown

Parameter Value
Base score 5.9 · Medium
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity impact None
Availability impact High
Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H