{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2023-42794","assignerOrgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","state":"PUBLISHED","assignerShortName":"apache","dateReserved":"2023-09-14T12:05:53.583Z","datePublished":"2023-10-10T17:17:01.378Z","dateUpdated":"2025-10-29T12:04:10.367Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Apache Tomcat","vendor":"Apache Software Foundation","versions":[{"lessThanOrEqual":"9.0.80","status":"affected","version":"9.0.70","versionType":"semver"},{"lessThanOrEqual":"8.5.93","status":"affected","version":"8.5.85","versionType":"semver"},{"lessThanOrEqual":"10.0.27","status":"unknown","version":"10.0.0-M1","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Mohammad Khedmatgozar (cellbox)"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Incomplete Cleanup vulnerability in Apache Tomcat.<br><br>The internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, \nin progress refactoring that exposed a potential denial of service on \nWindows if a web application opened a stream for an uploaded file but \nfailed to close the stream. The file would never be deleted from disk \ncreating the possibility of an eventual denial of service due to the \ndisk being full.\n<br><p><span style=\"background-color: var(--wht);\">Other, EOL versions may also be affected.<br></span></p><p><span style=\"background-color: var(--wht);\">Users are recommended to upgrade to version 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.</span><br></p>"}],"value":"Incomplete Cleanup vulnerability in Apache Tomcat.\n\nThe internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, \nin progress refactoring that exposed a potential denial of service on \nWindows if a web application opened a stream for an uploaded file but \nfailed to close the stream. The file would never be deleted from disk \ncreating the possibility of an eventual denial of service due to the \ndisk being full.\n\nOther, EOL versions may also be affected.\n\n\nUsers are recommended to upgrade to version 9.0.81 onwards or 8.5.94 onwards, which fixes the issue."}],"metrics":[{"other":{"content":{"text":"low"},"type":"Textual description of severity"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-459","description":"CWE-459 Incomplete Cleanup","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","shortName":"apache","dateUpdated":"2025-10-29T12:04:10.367Z"},"references":[{"tags":["vendor-advisory"],"url":"https://lists.apache.org/thread/vvbr2ms7lockj1hlhz5q3wmxb2mwcw82"}],"source":{"discovery":"EXTERNAL"},"title":"Apache Tomcat: FileUpload: DoS due to accumulation of temporary files on Windows","x_generator":{"engine":"Vulnogram 0.1.0-dev"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T19:30:24.246Z"},"title":"CVE Program Container","references":[{"tags":["vendor-advisory","x_transferred"],"url":"https://lists.apache.org/thread/vvbr2ms7lockj1hlhz5q3wmxb2mwcw82"},{"url":"http://www.openwall.com/lists/oss-security/2023/10/10/8","tags":["x_transferred"]}]}]}}