SCA: security update for org.apache.tomcat:tomcat-coyote (GHSA-jm7m-8jh6-29hp)

medium Tenable Cloud Security Plugin ID 416455

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Incomplete Cleanup vulnerability in Apache Tomcat. The internal fork of Commons FileUpload packaged with
Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, in progress
refactoring that exposed a potential denial of service on Windows if a web application opened a stream for
an uploaded file but failed to close the stream. The file would never be deleted from disk creating the
possibility of an eventual denial of service due to the disk being full. Other, EOL versions may also be
affected. Users are recommended to upgrade to version 9.0.81 onwards or 8.5.94 onwards, which fixes the
issue. (CVE-2023-42794)

See Also

https://github.com/advisories/GHSA-jm7m-8jh6-29hp

Plugin Details

Severity: Medium

ID: 416455

Version: Revision 1.11

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.51

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4

Vector: CVSS2#AV:N/AC:H/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2023-42794

CVSS v3

Risk Factor: Medium

Base Score: 5.9

Temporal Score: 5.2

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 10/10/2023

Vulnerability Publication Date: 10/10/2023

Reference Information

CVE: CVE-2023-42794

cwe: CWE-459