Skip to main content

Incomplete Cleanup


Severity High
Score 7.5/10


Denial of Service via an incomplete cleanup vulnerability in Apache Tomcat. WebSocket clients could keep WebSocket connections open leading to increased resource consumption. This issue affects Apache Tomcat: tomcat-embed-core, tomcat-embed-websocket and tomcat-websocket versions 8.5.0 through 8.5.98, 9.0.0-M1 through 9.0.85, 10.1.0-M1 through 10.1.18 and 11.0.0-M1 through 11.0.0-M16, and tomcat7-websocket versions 7.0.47 through 7.0.109.

  • LOW
  • NONE
  • NONE
  • NONE
  • HIGH
  • NONE

CWE-459 - Incomplete Cleanup

The software does not properly "clean up" and remove temporary or supporting resources after they have been used.

Advisory Timeline

  • Published