CVE-2023-42794

Name	CVE-2023-42794
Description	Incomplete Cleanup vulnerability in Apache Tomcat. The internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, in progress refactoring that exposed a potential denial of service on Windows if a web application opened a stream for an uploaded file but failed to close the stream. The file would never be deleted from disk creating the possibility of an eventual denial of service due to the disk being full. Users are recommended to upgrade to version 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
tomcat10 (PTS)	bookworm	10.1.6-1+deb12u1	fixed
	bookworm (security)	10.1.6-1+deb12u2	fixed
	sid, trixie	10.1.23-1	fixed
tomcat7 (PTS)	jessie, jessie (lts)	7.0.56-3+really7.0.109-1+deb8u6	fixed
	stretch	7.0.75-1	fixed
tomcat8 (PTS)	jessie, jessie (lts)	8.0.14-1+deb8u28	fixed
	stretch (security)	8.5.54-0+deb9u8	fixed
	stretch (lts), stretch	8.5.54-0+deb9u15	fixed
tomcat9 (PTS)	buster	9.0.31-1~deb10u6	fixed
	buster (security)	9.0.31-1~deb10u12	fixed
	bullseye	9.0.43-2~deb11u9	fixed
	bullseye (security)	9.0.43-2~deb11u10	fixed
	sid, trixie, bookworm	9.0.70-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version
tomcat10	source	(unstable)	(not affected)
tomcat7	source	(unstable)	(not affected)
tomcat8	source	(unstable)	(not affected)
tomcat9	source	(unstable)	(not affected)

Notes

- tomcat10 <not-affected> (Windows-specific)
- tomcat9 <not-affected> (Windows-specific)
- tomcat8 <not-affected> (Windows-specific)
https://www.openwall.com/lists/oss-security/2023/10/10/8
- tomcat7 <not-affected> (Windows-specific)