CVE-2024-38286

EPSS 1.36%
Published 07.11.2024 08:15:13
Last modified 08.08.2025 11:15:28
Source security@apache.org
Teams watchlist Login
Open Login

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89.


The following versions were EOL at the time the CVE was created but are 
known to be affected: 8.5.35 through 8.5.100 and 7.0.92 through 7.0.109.


Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue.



Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.

Affected products Warnungen 0 Metrics 3 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Tomcat Version >= 9.0.13 < 9.0.90

Apache ≫ Tomcat Version >= 10.1.1 < 10.1.25

Apache ≫ Tomcat Version10.1.0 Updatemilestone1

Apache ≫ Tomcat Version10.1.0 Updatemilestone10

Apache ≫ Tomcat Version10.1.0 Updatemilestone11

Apache ≫ Tomcat Version10.1.0 Updatemilestone12

Apache ≫ Tomcat Version10.1.0 Updatemilestone13

Apache ≫ Tomcat Version10.1.0 Updatemilestone14

Apache ≫ Tomcat Version10.1.0 Updatemilestone15

Apache ≫ Tomcat Version10.1.0 Updatemilestone16

Apache ≫ Tomcat Version10.1.0 Updatemilestone17

Apache ≫ Tomcat Version10.1.0 Updatemilestone18

Apache ≫ Tomcat Version10.1.0 Updatemilestone19

Apache ≫ Tomcat Version10.1.0 Updatemilestone2

Apache ≫ Tomcat Version10.1.0 Updatemilestone20

Apache ≫ Tomcat Version10.1.0 Updatemilestone3

Apache ≫ Tomcat Version10.1.0 Updatemilestone4

Apache ≫ Tomcat Version10.1.0 Updatemilestone5

Apache ≫ Tomcat Version10.1.0 Updatemilestone6

Apache ≫ Tomcat Version10.1.0 Updatemilestone7

Apache ≫ Tomcat Version10.1.0 Updatemilestone8

Apache ≫ Tomcat Version10.1.0 Updatemilestone9

Apache ≫ Tomcat Version11.0.0 Updatemilestone1

Apache ≫ Tomcat Version11.0.0 Updatemilestone10

Apache ≫ Tomcat Version11.0.0 Updatemilestone11

Apache ≫ Tomcat Version11.0.0 Updatemilestone12

Apache ≫ Tomcat Version11.0.0 Updatemilestone13

Apache ≫ Tomcat Version11.0.0 Updatemilestone14

Apache ≫ Tomcat Version11.0.0 Updatemilestone15

Apache ≫ Tomcat Version11.0.0 Updatemilestone16

Apache ≫ Tomcat Version11.0.0 Updatemilestone17

Apache ≫ Tomcat Version11.0.0 Updatemilestone18

Apache ≫ Tomcat Version11.0.0 Updatemilestone19

Apache ≫ Tomcat Version11.0.0 Updatemilestone2

Apache ≫ Tomcat Version11.0.0 Updatemilestone20

Apache ≫ Tomcat Version11.0.0 Updatemilestone3

Apache ≫ Tomcat Version11.0.0 Updatemilestone4

Apache ≫ Tomcat Version11.0.0 Updatemilestone5

Apache ≫ Tomcat Version11.0.0 Updatemilestone6

Apache ≫ Tomcat Version11.0.0 Updatemilestone7

Apache ≫ Tomcat Version11.0.0 Updatemilestone8

Apache ≫ Tomcat Version11.0.0 Updatemilestone9

Netapp ≫ Ontap Tools Version9 SwPlatformvmware_vsphere

Netapp ≫ Ontap Tools Version10 SwPlatformvmware_vsphere

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	1.36%	0.795

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
security@apache.org	8.6	3.9	4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

https://lists.apache.org/thread/wms60cvbsz3fpbz9psxtfx8r41jl6d4s

Mailing List

http://www.openwall.com/lists/oss-security/2024/09/23/2

Mailing List

https://security.netapp.com/advisory/ntap-20241101-0010/

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-38286

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-38286

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-38286

EUVD