[GHSA-v682-8vv8-vpwr] Denial of Service via incomplete cleanup vulnerability in Apache Tomcat#7665
Conversation
There was a problem hiding this comment.
Pull request overview
Updates the advisory for GHSA-v682-8vv8-vpwr / CVE-2024-23672 to improve affected package coverage for Apache Tomcat by expanding the Maven coordinates listed under affected.
Changes:
- Updated the advisory
modifiedtimestamp. - Added
org.apache.tomcat:tomcatto theaffectedlist with version ranges matching the advisory’s described impacted/fixed versions (11.0.0-M1..M16, 10.1.0-M1..10.1.18, 9.0.0-M1..9.0.85, 8.5.0..8.5.98).
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the |
|
How is the status of a review for this pull request? |
|
Thanks for the contribution, @aruneko - really appreciate the effort to make the affected-package list more complete! After looking at the upstream fix and the artifacts that the ASF actually publishes on Maven Central, I don't think we should add 1. Every changed file in the fixes lives under the WebSocket source tree.
The vulnerable code path (
Both jars contain 2. Per the OSV Maven ecosystem conventions, the affected For these reasons I don't think this change should land, but please don't let that discourage you — happy to look at follow-ups if you spot other advisories where an artifact is genuinely missing. Thanks again! |
Updates
Comments
improve affected packages