CVEs-PoC/2021/CVE-2021-42340.md

### [CVE-2021-42340](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42340)
![](https://img.shields.io/static/v1?label=Product&message=Apache%20Tomcat&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=Apache%20Tomcat%2010%2010.0.0-M10%20to%2010.0.11%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=Apache%20Tomcat%2010%2010.1.0-M1%20to%2010.1.0-M5%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=Apache%20Tomcat%208%208.5.60%20to%208.5.71%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=Apache%20Tomcat%209%209.0.40%20to%209.0.53%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-772%20Missing%20Release%20of%20Resource%20after%20Effective%20Lifetime&color=brightgreen)

### Description

The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.

### POC

#### Reference
- https://kc.mcafee.com/corporate/index?page=content&id=SB10379
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html

#### Github
- https://github.com/20142995/nuclei-templates
- https://github.com/ARPSyndicate/cvemon
- https://github.com/PalindromeLabs/awesome-websocket-security
- https://github.com/cyb3r-w0lf/nuclei-template-collection
- https://github.com/malwaremily/infosec-news-briefs