CVE-2023-42794: 
Java vulnerability analysis and mitigation

CVE-2023-42794 is an Incomplete Cleanup vulnerability discovered in Apache Tomcat. The vulnerability affects Apache Tomcat versions 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93. The issue was disclosed on October 10, 2023, and involves the internal fork of Commons FileUpload packaged with Apache Tomcat (NVD, Apache Advisory).

The vulnerability stems from an unreleased, in-progress refactoring of the Commons FileUpload component that exposed a potential denial of service specifically on Windows systems. The issue occurs when a web application opens a stream for an uploaded file but fails to close the stream properly. The CVSS v3.1 base score is 5.9 (Medium), with a vector string of CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

When exploited, the vulnerability results in temporary files never being deleted from disk, potentially leading to disk space exhaustion and eventual denial of service. This impact is specifically limited to Windows-based systems running affected versions of Apache Tomcat (OSS Security).

Users are recommended to upgrade to Apache Tomcat version 9.0.81 or later for the 9.0.x series, or version 8.5.94 or later for the 8.5.x series. These versions contain the fix for the vulnerability (Apache Advisory).