{
  "threat_severity" : "Moderate",
  "public_date" : "2023-10-10T00:00:00Z",
  "bugzilla" : {
    "description" : "tomcat: improper cleaning of recycled objects could lead to information leak",
    "id" : "2243752",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2243752"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-459",
  "details" : [ "Incomplete Cleanup vulnerability in Apache Tomcat. When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could \ncause Tomcat to skip some parts of the recycling process leading to \ninformation leaking from the current request/response to the next.\nOlder, EOL versions may also be affected.\nUsers are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.", "A flaw was found in Apache Tomcat. Tomcat may skip, after an error, the recycling of the internal objects that the next request/response process might use, resulting in information leaking from one request to the next. This flaw allows a malicious user to have access to this information." ],
  "statement" : "Red Hat rates this as a Moderate impact because confidentiality is not fully compromised and the malicious user cannot reliably control the scenario needed to reproduce the error and capture the potentially sensitive response.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-01-10T00:00:00Z",
    "advisory" : "RHSA-2024:0125",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "tomcat-1:9.0.62-27.el8_9.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-01-25T00:00:00Z",
    "advisory" : "RHSA-2024:0474",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "tomcat-1:9.0.62-37.el9_3.1"
  }, {
    "product_name" : "Red Hat Fuse 7.12.1",
    "release_date" : "2023-11-15T00:00:00Z",
    "advisory" : "RHSA-2023:7247",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "package" : "tomcat"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5",
    "release_date" : "2023-10-31T00:00:00Z",
    "advisory" : "RHSA-2023:6207",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.7",
    "package" : "tomcat"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.7 on RHEL 7",
    "release_date" : "2023-10-31T00:00:00Z",
    "advisory" : "RHSA-2023:6206",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.7::el7",
    "package" : "jws5-tomcat-0:9.0.62-18.redhat_00016.1.el7jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.7 on RHEL 8",
    "release_date" : "2023-10-31T00:00:00Z",
    "advisory" : "RHSA-2023:6206",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.7::el8",
    "package" : "jws5-tomcat-0:9.0.62-18.redhat_00016.1.el8jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.7 on RHEL 9",
    "release_date" : "2023-10-31T00:00:00Z",
    "advisory" : "RHSA-2023:6206",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.7::el9",
    "package" : "jws5-tomcat-0:9.0.62-18.redhat_00016.1.el9jws"
  } ],
  "package_state" : [ {
    "product_name" : "A-MQ Clients 2",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:a_mq_clients:2"
  }, {
    "product_name" : "Red Hat AMQ Broker 7",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:amq_broker:7"
  }, {
    "product_name" : "Red Hat build of Apache Camel for Spring Boot 3",
    "fix_state" : "Will not fix",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:camel_spring_boot:3"
  }, {
    "product_name" : "Red Hat build of OptaPlanner 8",
    "fix_state" : "Will not fix",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:optaplanner:::el6"
  }, {
    "product_name" : "Red Hat Data Grid 8",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8"
  }, {
    "product_name" : "Red Hat Decision Manager 7",
    "fix_state" : "Fix deferred",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Will not fix",
    "package_name" : "tomcat",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "pki-deps:10.6/pki-servlet-engine",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "pki-servlet-container",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "pki-servlet-engine",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Integration Camel K 1",
    "fix_state" : "Will not fix",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:integration:1"
  }, {
    "product_name" : "Red Hat JBoss Data Grid 7",
    "fix_state" : "Will not fix",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Out of support scope",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat JBoss Web Server 6",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:6"
  }, {
    "product_name" : "Red Hat OpenShift Application Runtimes",
    "fix_state" : "Affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Will not fix",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  }, {
    "product_name" : "streams for Apache Kafka",
    "fix_state" : "Will not fix",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:amq_streams:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-42795\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-42795\nhttp://www.openwall.com/lists/oss-security/2023/10/10/9\nhttps://lists.apache.org/thread/065jfyo583490r9j2v73nhpyxdob56lw" ],
  "name" : "CVE-2023-42795",
  "mitigation" : {
    "value" : "No mitigation is currently available for this flaw.",
    "lang" : "en:us"
  },
  "csaw" : false
}