Skip to content

[GHSA-v682-8vv8-vpwr] Denial of Service via incomplete cleanup vulnerability in Apache Tomcat#7665

Closed
aruneko wants to merge 1 commit into
aruneko/advisory-improvement-7665from
aruneko-GHSA-v682-8vv8-vpwr
Closed

[GHSA-v682-8vv8-vpwr] Denial of Service via incomplete cleanup vulnerability in Apache Tomcat#7665
aruneko wants to merge 1 commit into
aruneko/advisory-improvement-7665from
aruneko-GHSA-v682-8vv8-vpwr

Conversation

@aruneko

@aruneko aruneko commented May 12, 2026

Copy link
Copy Markdown
Contributor

Updates

  • Affected products

Comments
improve affected packages

Copilot AI review requested due to automatic review settings May 12, 2026 07:21
@github-actions github-actions Bot changed the base branch from main to aruneko/advisory-improvement-7665 May 12, 2026 07:22

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the advisory for GHSA-v682-8vv8-vpwr / CVE-2024-23672 to improve affected package coverage for Apache Tomcat by expanding the Maven coordinates listed under affected.

Changes:

  • Updated the advisory modified timestamp.
  • Added org.apache.tomcat:tomcat to the affected list with version ranges matching the advisory’s described impacted/fixed versions (11.0.0-M1..M16, 10.1.0-M1..10.1.18, 9.0.0-M1..9.0.85, 8.5.0..8.5.98).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@github-actions

Copy link
Copy Markdown

👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.

@github-actions github-actions Bot added the Stale label Jun 12, 2026
@aruneko

aruneko commented Jun 12, 2026

Copy link
Copy Markdown
Contributor Author

How is the status of a review for this pull request?

@github-actions github-actions Bot removed the Stale label Jun 13, 2026
@taladrane

Copy link
Copy Markdown
Collaborator

Thanks for the contribution, @aruneko - really appreciate the effort to make the affected-package list more complete!

After looking at the upstream fix and the artifacts that the ASF actually publishes on Maven Central, I don't think we should add org.apache.tomcat:tomcat to this advisory. Two reasons:

1. Every changed file in the fixes lives under the WebSocket source tree.

File Module
java/org/apache/tomcat/websocket/Constants.java WebSocket
java/org/apache/tomcat/websocket/WsSession.java WebSocket
java/org/apache/tomcat/websocket/WsWebSocketContainer.java WebSocket
java/org/apache/tomcat/websocket/server/WsServerContainer.java WebSocket (server side)
test/org/apache/tomcat/websocket/TestWsSessionSuspendResume.java WebSocket test
webapps/docs/web-socket-howto.xml WebSocket docs
webapps/docs/changelog.xml Docs

The vulnerable code path (WsSession.doClose / onClose / sendCloseMessage not unregistering or closing the connection when the server side has used the proprietary suspend()/resume() API) is entirely contained in the org.apache.tomcat.websocket package. In Tomcat's Maven distribution, that package ships as exactly two artifacts:

  • org.apache.tomcat:tomcat-websocket — the standalone WebSocket implementation jar.
  • org.apache.tomcat.embed:tomcat-embed-websocket — the same implementation repackaged for embedded Tomcat (Spring Boot, etc.).

Both jars contain org/apache/tomcat/websocket/WsSession.class and the related classes that were patched, which is why the advisory already lists both. A consumer who only depends on tomcat-embed-core or on tomcat-catalina (without the websocket jar) doesn't ship the vulnerable classes.

2. org.apache.tomcat:tomcat is a pom-only aggregator

Per the OSV Maven ecosystem conventions, the affected package.name should be the smallest artifact that actually contains the vulnerable code. Adding the aggregator POM would create false positives for users who don't pull in the websocket jar via the aggregator's dependency graph, and it's redundant for users who do (since their dependency resolver will already pin tomcat-websocket to the listed range).

For these reasons I don't think this change should land, but please don't let that discourage you — happy to look at follow-ups if you spot other advisories where an artifact is genuinely missing. Thanks again!

@github-actions github-actions Bot deleted the aruneko-GHSA-v682-8vv8-vpwr branch June 29, 2026 19:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants