CVE CVE-2021-42340 | Apache Tomcat Memory Leaks (Denial Of Service)

Common Vulnerabilities and Exposures


Joined: Mar 15, 2021
Messages: 998
Resources: 402
Points: 93
Reaction score: 937
CVE-2021-42340 | Apache Tomcat Memory Leaks (Denial Of Service)

Vulnerability Details : CVE-2021-42340

The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.
Publish Date : 2021-10-14 Last Update Date : 2021-10-21

- CVSS Scores & Vulnerability Types​

CVSS Score5.0
Confidentiality ImpactNone (There is no impact to the confidentiality of the system.)
Integrity ImpactNone (There is no impact to the integrity of the system)
Availability ImpactPartial (There is reduced performance or interruptions in resource availability.)
Access ComplexityLow (Specialized access conditions or extenuating circumstances do not exist. Very little knowledge or skill is required to exploit. )
AuthenticationNot required (Authentication is not required to exploit the vulnerability.)
Gained AccessNone
Vulnerability Type(s)Denial Of Service

- Products Affected By CVE-2021-42340​

#Product TypeVendorProductVersionUpdateEditionLanguage
1ApplicationApacheTomcat****Version Details Vulnerabilities
2ApplicationApacheTomcat10.0.0Milestone10**Version Details Vulnerabilities
3ApplicationApacheTomcat10.1.0Milestone4**Version Details Vulnerabilities
4ApplicationApacheTomcat10.1.0Milestone5**Version Details Vulnerabilities
5ApplicationApacheTomcat10.1.0Milestone1**Version Details Vulnerabilities
6ApplicationApacheTomcat10.1.0Milestone2**Version Details Vulnerabilities
7ApplicationApacheTomcat10.1.0Milestone3**Version Details Vulnerabilities

- Number Of Affected Versions By Product​

VendorProductVulnerable Versions

- References For CVE-2021-42340​<>
MLIST [myfaces-commits] 20211021 [myfaces-tobago] branch tobago-5.x updated: build: workaround for CVE-2021-42340<>

- Metasploit Modules Related To CVE-2021-42340​

  • Tags
    apache apache cve apache tomcat cve-2021-42340 denial of service dos memory leaks tomcat
  • Top