CVE-2024-24549

EPSS 64.39%
Veröffentlicht 13.03.2024 16:15:29
Zuletzt bearbeitet 29.10.2025 12:15:34
Quelle security@apache.org
CVE-Watchlists
Login
Unerledigt
Login

Apache Tomcat: HTTP/2 header handling DoS

Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Other, older, EOL versions may also be affected.

Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 9

NVD 22 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Tomcat Version >= 8.5.0 < 8.5.99

Apache ≫ Tomcat Version >= 9.0.0 < 9.0.86

Apache ≫ Tomcat Version >= 10.1.0 < 10.1.19

Apache ≫ Tomcat Version11.0.0 Updatemilestone1

Apache ≫ Tomcat Version11.0.0 Updatemilestone10

Apache ≫ Tomcat Version11.0.0 Updatemilestone11

Apache ≫ Tomcat Version11.0.0 Updatemilestone12

Apache ≫ Tomcat Version11.0.0 Updatemilestone13

Apache ≫ Tomcat Version11.0.0 Updatemilestone14

Apache ≫ Tomcat Version11.0.0 Updatemilestone15

Apache ≫ Tomcat Version11.0.0 Updatemilestone16

Apache ≫ Tomcat Version11.0.0 Updatemilestone2

Apache ≫ Tomcat Version11.0.0 Updatemilestone3

Apache ≫ Tomcat Version11.0.0 Updatemilestone4

Apache ≫ Tomcat Version11.0.0 Updatemilestone5

Apache ≫ Tomcat Version11.0.0 Updatemilestone6

Apache ≫ Tomcat Version11.0.0 Updatemilestone7

Apache ≫ Tomcat Version11.0.0 Updatemilestone8

Apache ≫ Tomcat Version11.0.0 Updatemilestone9

Debian ≫ Debian Linux Version10.0

Fedoraproject ≫ Fedora Version39

Fedoraproject ≫ Fedora Version40

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	64.39%	0.984

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html

Third Party Advisory

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B/

Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55/

Third Party Advisory

https://security.netapp.com/advisory/ntap-20240402-0002/

Third Party Advisory

http://www.openwall.com/lists/oss-security/2024/03/13/3

Mailing List

https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg