CVE-2023-42795
Information Leakage vulnerability in tomcat-embed-core (Maven)
What is CVE-2023-42795 About?
This Apache Tomcat vulnerability is an Incomplete Cleanup flaw that can lead to information leakage between requests. When an error occurs during object recycling, parts of the process are skipped, causing data from a previous request/response to be exposed to a subsequent one. Exploitation is triggered by specific error conditions during internal object handling.
Affected Software
- org.apache.tomcat:tomcat-coyote
  - >10.1.0-M1, <10.1.14
  - >11.0.0-M1, <11.0.0-M12
- org.apache.tomcat:tomcat
  - >9.0.0-M1, <9.0.81
  - >8.5.0, <8.5.94
- org.apache.tomcat.embed:tomcat-embed-core
  - >10.1.0-M1, <10.1.14
  - >9.0.0-M1, <9.0.81
  - >11.0.0-M1, <11.0.0-M12
  - >8.5.0, <8.5.94
Technical Details
The vulnerability manifests in Apache Tomcat (versions 11.0.0-M1 through 11.0.0-M11, 10.1.0-M1 through 10.1.13, 9.0.0-M1 through 9.0.80, and 8.5.0 through 8.5.93) during the recycling of its internal objects, such as request and response objects. When an error occurs within the recycling process, some parts of the cleanup routine are inadvertently skipped. This incomplete cleanup means that remnants of data from a prior request or response might persist in the recycled object. Consequently, when this partially-cleaned object is reused for a subsequent, unrelated request, the leftover data from the previous request/response is exposed to the new one, leading to an information leak across different user sessions or requests.
What is the Impact of CVE-2023-42795?
Successful exploitation may allow attackers to leak sensitive information from other requests, potentially compromising user data, session tokens, or other confidential details.
What is the Exploitability of CVE-2023-42795?
Exploitation likely involves triggering specific error conditions during the handling of HTTP requests, which could be complex to achieve reliably. The exact method of triggering the incomplete cleanup would depend on internal Tomcat mechanisms. There are no explicit authentication or privilege requirements for the attacker beyond making standard HTTP requests, as the vulnerability affects the internal state management. This is a remote vulnerability, as it can be triggered by sending HTTP requests to the server. The special conditions involve inducing an error that prevents complete object recycling. Risk factors include heavily loaded Tomcat instances, unusual client behavior, or specific problematic application code that might induce these errors indirectly, increasing the chances of data remnants appearing in subsequent requests.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-42795?
About the Fix from Resolved Security
The patch adds exception handling and logging around resource cleanup steps (such as session end, encoder/decoder resets, and temporary file deletion) to prevent unhandled exceptions from being thrown during object recycling. This fixes CVE-2023-42795 by ensuring that a single cleanup failure cannot cause broader request processing errors or resource leaks, which attackers could otherwise exploit to disrupt the server or escalate impact.
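The recycling failure described above and the shape of the fix, as an added example that is not Tomcat's code: a hypothetical pooled response object with one cleanup step that throws, showing the sequential cleanup that leaves the previous response's body in place next to the step-isolated cleanup the fix description gives. The class and method names (RecycleDemo, PooledResponse, deleteTempFile) and the sample header and body values are assumptions constructed for the demo.

```java
import java.util.ArrayList;
import java.util.List;

public class RecycleDemo {
    // Hypothetical pooled response object: a simplified stand-in for Tomcat's
    // internal request/response objects, not Tomcat's own code.
    static class PooledResponse {
        final List<String> headers = new ArrayList<>();
        final StringBuilder body = new StringBuilder();

        // Simulated cleanup step that fails (constructed for the demo; the advisory
        // names steps such as temporary file deletion or encoder/decoder resets).
        void deleteTempFile() { throw new IllegalStateException("temp file delete failed"); }
        // Vulnerable pattern: steps run in sequence, so the exception from
        // deleteTempFile() skips body.setLength(0) and the object returns to the
        // pool still holding the previous response's body.
        void recycleUnsafe() {
            headers.clear();
            deleteTempFile();
            body.setLength(0);
        }
        // Hardened pattern, the approach the fix description above gives: each
        // step is isolated so a failure is logged and the remaining steps still run.
        void recycleSafe() {
            try { headers.clear(); } catch (RuntimeException e) { log(e); }
            try { deleteTempFile(); } catch (RuntimeException e) { log(e); }
            try { body.setLength(0); } catch (RuntimeException e) { log(e); }
        }
        private static void log(RuntimeException e) {
            System.err.println("cleanup step failed, continuing: " + e.getMessage());
        }
    }

    // What a second, unrelated request finds in the pooled object's body after
    // the first request's data went through recycle().
    static String bodySeenByNextRequest(boolean hardened) {
        PooledResponse pooled = new PooledResponse();
        pooled.headers.add("Set-Cookie: JSESSIONID=first-user"); // constructed sample
        pooled.body.append("first user's private data");         // constructed sample
        try {
            if (hardened) pooled.recycleSafe(); else pooled.recycleUnsafe();
        } catch (RuntimeException e) { /* pool caller logs and reuses the object anyway */ }
        return pooled.body.toString();
    }

    public static void main(String[] args) {
        System.out.println("unsafe: '" + bodySeenByNextRequest(false) + "'");
        System.out.println("safe:   '" + bodySeenByNextRequest(true) + "'");
    }
}
```

Save as RecycleDemo.java and run with `java RecycleDemo.java`; the unsafe path prints the first request's body, the hardened path prints an empty string.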
Available Upgrade Options
- org.apache.tomcat.embed:tomcat-embed-core
  - >8.5.0, <8.5.94 → Upgrade to 8.5.94
  - >9.0.0-M1, <9.0.81 → Upgrade to 9.0.81
  - >10.1.0-M1, <10.1.14 → Upgrade to 10.1.14
  - >11.0.0-M1, <11.0.0-M12 → Upgrade to 11.0.0-M12
- org.apache.tomcat:tomcat-coyote
  - >10.1.0-M1, <10.1.14 → Upgrade to 10.1.14
  - >11.0.0-M1, <11.0.0-M12 → Upgrade to 11.0.0-M12
- org.apache.tomcat:tomcat
  - >8.5.0, <8.5.94 → Upgrade to 8.5.94
  - >9.0.0-M1, <9.0.81 → Upgrade to 9.0.81
Additional Resources
- https://github.com/apache/tomcat
- https://osv.dev/vulnerability/GHSA-g8pj-r55q-5c2v
- https://github.com/apache/tomcat/commit/9375d67106f8df9eb9d7b360b2bef052fe67d3d4
- https://www.debian.org/security/2023/dsa-5521
- https://www.debian.org/security/2023/dsa-5522
- https://github.com/apache/tomcat/commit/d6db22e411307c97ddf78315c15d5889356eca38
- https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html
- https://security.netapp.com/advisory/ntap-20231103-0007
- http://www.openwall.com/lists/oss-security/2023/10/10/9
- https://lists.apache.org/thread/065jfyo583490r9j2v73nhpyxdob56lw
What are Similar Vulnerabilities to CVE-2023-42795?
Similar Vulnerabilities: CVE-2023-45648, CVE-2020-1938, CVE-2019-0232, CVE-2017-7679, CVE-2015-5345
