CVE-2023-42794: CWE-459 Incomplete Cleanup in Apache Software Foundation Apache Tomcat
Incomplete Cleanup vulnerability in Apache Tomcat. The internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, in-progress refactoring that exposed a potential denial of service on Windows if a web application opened a stream for an uploaded file but failed to close the stream. The file would never be deleted from disk, creating the possibility of an eventual denial of service due to the disk being full. Other, EOL versions may also be affected. Users are recommended to upgrade to version 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.
AI Analysis
Technical Summary
CVE-2023-42794 is a vulnerability classified under CWE-459 (Incomplete Cleanup) affecting Apache Tomcat versions 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93. The root cause lies in an internal fork of the Commons FileUpload library packaged with these Tomcat versions. This fork included an unreleased, in-progress refactoring that introduced a flaw on Windows platforms: when a web application opens a stream to an uploaded file but fails to close it, the file is not deleted from disk as expected (Windows refuses to delete a file that still has an open handle, unlike POSIX systems, so the container's cleanup of its temporary upload file silently fails). Over time this leads to an accumulation of orphaned files, which can exhaust disk space and cause a denial of service (DoS) condition once the server can no longer write to storage. The vulnerability does not require authentication but depends on the behavior of the deployed web applications handling file uploads. No known exploits have been reported in the wild, and the issue primarily affects availability rather than confidentiality or integrity. The Apache Software Foundation has addressed this issue in Tomcat versions 9.0.81 and 8.5.94 and later, recommending users upgrade to these versions or newer to mitigate the risk. End-of-life (EOL) versions may also be affected but are not explicitly detailed. This vulnerability is particularly relevant for Windows-based Tomcat deployments with web applications that handle file uploads and may not always close streams properly.
Potential Impact
The primary impact of CVE-2023-42794 is on the availability of Apache Tomcat servers running on Windows. The incomplete cleanup of uploaded files can lead to disk space exhaustion, resulting in denial of service conditions where the server cannot process new requests or store new data. For European organizations, this can disrupt critical web services, internal applications, or customer-facing portals relying on Tomcat. The impact is heightened in environments with high file upload volumes or where applications do not reliably close file streams. While confidentiality and integrity are not directly compromised, service outages can lead to operational disruptions, financial losses, and reputational damage. Organizations in sectors such as finance, healthcare, government, and e-commerce, which often rely on Tomcat for web application hosting, may face increased risk. Additionally, remediation may require planned downtime to upgrade Tomcat versions, which could affect service availability temporarily. Since no authentication is required to trigger the issue, any user or attacker able to upload files could inadvertently or maliciously cause a denial of service, increasing the threat surface.
Mitigation Recommendations
To mitigate CVE-2023-42794, organizations should prioritize upgrading Apache Tomcat to versions 9.0.81 or later, or 8.5.94 or later, where the issue is fixed. For environments where immediate upgrade is not feasible, implement monitoring of disk space usage on Windows servers hosting Tomcat to detect abnormal growth in file storage. Review and audit web applications to ensure proper handling and closure of file streams after upload processing. Employ application-level validation to limit file upload sizes and frequency to reduce risk. Consider deploying file system quotas or automated cleanup scripts to remove orphaned files periodically. Additionally, restrict file upload functionality to authenticated and authorized users where possible to reduce exposure. Regularly review Tomcat logs for errors related to file handling and investigate any anomalies promptly. Finally, maintain an inventory of Tomcat versions in use across the organization to ensure timely patch management and vulnerability remediation.
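The following servlet is an added example, not code from Tomcat or from this advisory; it illustrates the stream-handling defect described in the Technical Summary and the "ensure proper closure of file streams" audit point above. The servlet path, the form field name and the DEST directory are assumptions; the leaky method shows the pattern an audit should flag, and the hardened method shows the fix.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import javax.servlet.ServletException;
import javax.servlet.annotation.MultipartConfig;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.Part;

// Constructed example: the servlet path, form field name and DEST directory are assumptions.
@WebServlet("/upload")
@MultipartConfig(fileSizeThreshold = 0, maxFileSize = 10L * 1024 * 1024) // every part goes to disk
public class UploadServlet extends HttpServlet {
    private static final Path DEST = Paths.get("C:/data/uploads").toAbsolutePath().normalize();

    // Leaky pattern: the stream over Tomcat's on-disk temp file is never closed.
    // On Windows the open handle blocks deletion, so the temp file is orphaned forever.
    static void leakyCopy(Part part, Path target) throws IOException {
        InputStream in = part.getInputStream();
        Files.copy(in, target, StandardCopyOption.REPLACE_EXISTING);
        // in.close() is missing; an exception inside copy() would also skip it
    }
    // Hardened pattern: try-with-resources closes the stream on every path, and
    // part.delete() removes the temp file without relying on end-of-request cleanup.
    static void safeCopy(Part part, Path target) throws IOException {
        try (InputStream in = part.getInputStream()) {
            Files.copy(in, target, StandardCopyOption.REPLACE_EXISTING);
        } finally {
            part.delete();
        }
    }
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Part part = req.getPart("file");
        String submitted = part == null ? null : part.getSubmittedFileName();
        if (submitted == null || submitted.isEmpty()) { resp.sendError(400); return; }
        // Keep only the file name component so the client cannot steer the target path.
        Path target = DEST.resolve(Paths.get(submitted).getFileName().toString()).normalize();
        if (!target.startsWith(DEST)) { resp.sendError(400); return; }
        safeCopy(part, target);
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

When auditing existing applications, search for `Part.getInputStream()` and `FileItem.getInputStream()` call sites that are not inside a try-with-resources block or an explicit `finally { in.close(); }`.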
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: apache
- Date Reserved: 2023-09-14T12:05:53.583Z
- CVSS Version: null
- State: PUBLISHED
Added to database: 10/29/2025, 12:10:58 PM
Last enriched: 10/29/2025, 12:22:58 PM
Last updated: 11/6/2025, 9:54:07 AM