Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-24549

Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.

Published

2024-03-13T16:15:29.373

Last Modified

2025-05-19T13:02:08.910

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

Weaknesses

Type: Secondary
CWE-20
Type: Primary
NVD-CWE-noinfo

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apache	tomcat	< 8.5.99	Yes
Application	apache	tomcat	< 9.0.86	Yes
Application	apache	tomcat	< 10.1.19	Yes
Application	apache	tomcat	11.0.0	Yes
Application	apache	tomcat	11.0.0	Yes
Application	apache	tomcat	11.0.0	Yes
Application	apache	tomcat	11.0.0	Yes
Application	apache	tomcat	11.0.0	Yes
Application	apache	tomcat	11.0.0	Yes
Application	apache	tomcat	11.0.0	Yes
Application	apache	tomcat	11.0.0	Yes
Application	apache	tomcat	11.0.0	Yes
Application	apache	tomcat	11.0.0	Yes
Application	apache	tomcat	11.0.0	Yes
Application	apache	tomcat	11.0.0	Yes
Application	apache	tomcat	11.0.0	Yes
Application	apache	tomcat	11.0.0	Yes
Application	apache	tomcat	11.0.0	Yes
Application	apache	tomcat	11.0.0	Yes
Operating System	debian	debian_linux	10.0	Yes
Operating System	fedoraproject	fedora	39	Yes
Operating System	fedoraproject	fedora	40	Yes

References

http://www.openwall.com/lists/oss-security/2024/03/13/3 Mailing List ([email protected])
https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg Vendor Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html Mailing List, Third Party Advisory ([email protected])
https://lists.fedoraproject.org/archives/list/[email protected]/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B/ Third Party Advisory ([email protected])
https://lists.fedoraproject.org/archives/list/[email protected]/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55/ Third Party Advisory ([email protected])
https://security.netapp.com/advisory/ntap-20240402-0002/ Third Party Advisory ([email protected])
http://www.openwall.com/lists/oss-security/2024/03/13/3 Mailing List (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/[email protected]/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/[email protected]/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20240402-0002/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)