Apache Tomcat Denial of Service due to improper input validation vulnerability for HTTP/2 requests

Moderate severity GitHub Reviewed Published Mar 13, 2024 to the GitHub Advisory Database • Updated May 2, 2024

Package

maven org.apache.tomcat.embed:tomcat-embed-core (Maven)

Affected versions

>= 8.5.0, <= 8.5.98
>= 9.0.0-M1, <= 9.0.85
>= 10.1.0-M1, <= 10.1.18
>= 11.0.0-M1, <= 11.0.0-M16

Patched versions

8.5.99
9.0.86
10.1.19
11.0.0-M17

maven org.apache.tomcat:tomcat-coyote (Maven)

Affected versions

>= 8.5.0, <= 8.5.98
>= 9.0.0-M1, <= 9.0.85
>= 10.1.0-M1, <= 10.1.18
>= 11.0.0-M1, <= 11.0.0-M16

Patched versions

8.5.99
9.0.86
10.1.19
11.0.0-M17

Description

A denial-of-service vulnerability caused by improper input validation of HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed. The server therefore kept processing the remaining headers before rejecting the stream, so the configured limits did not bound the work a single oversized request could impose on the server.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.
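To make the distinction in the paragraph above concrete, here is a simplified model written for this page; it is not Tomcat source and does not reproduce Tomcat's HTTP/2 parser. One loop records that a header limit was exceeded but keeps processing every header in the block and resets the stream only at the end (the behaviour the advisory describes); the other stops accepting headers at the first violation. The two limit names mirror the `maxHeaderCount` and `maxHeaderSize` attributes of Tomcat's HTTP/2 UpgradeProtocol element, but the numeric limits and the header block below are constructed values chosen to keep the arithmetic small.

```python
"""Model of late versus early stream reset when HTTP/2 header limits are exceeded.

Added example for this advisory page, not Tomcat code. Limits and the sample
header block are constructed values.
"""
from dataclasses import dataclass
from typing import List, Tuple

Header = Tuple[str, str]


@dataclass(frozen=True)
class HeaderLimits:
    max_header_count: int   # number of headers allowed per request
    max_header_size: int    # total bytes of header names plus values allowed


@dataclass(frozen=True)
class StreamOutcome:
    reset: bool             # was the stream reset for exceeding a limit?
    headers_processed: int  # how many headers the server fully processed
    bytes_processed: int    # how many header bytes it accepted into the request


def _exceeds(count: int, size: int, limits: HeaderLimits) -> bool:
    return count > limits.max_header_count or size > limits.max_header_size


def process_with_late_reset(headers: List[Header], limits: HeaderLimits) -> StreamOutcome:
    """Pre-fix pattern: the violation is recorded, but every remaining header is
    still processed and the stream is only reset once the block is exhausted."""
    count = size = 0
    violated = False
    for name, value in headers:
        count += 1
        size += len(name) + len(value)
        if _exceeds(count, size, limits):
            violated = True  # noted, yet the loop keeps doing work
    return StreamOutcome(reset=violated, headers_processed=count, bytes_processed=size)


def process_with_early_reset(headers: List[Header], limits: HeaderLimits) -> StreamOutcome:
    """Fixed pattern: stop accepting headers for this stream at the first
    violation, so the configured limit bounds the per-request work."""
    count = size = 0
    for name, value in headers:
        count += 1
        size += len(name) + len(value)
        if _exceeds(count, size, limits):
            return StreamOutcome(reset=True, headers_processed=count, bytes_processed=size)
    return StreamOutcome(reset=False, headers_processed=count, bytes_processed=size)


def oversized_header_block(n_headers: int, value_len: int) -> List[Header]:
    """Constructed sample request: many padding headers with long values.
    Names are zero-padded so every name is exactly 10 bytes long."""
    return [(f"x-pad-{i:04d}", "a" * value_len) for i in range(n_headers)]


def work_ratio(n_headers: int, value_len: int, limits: HeaderLimits) -> float:
    """How many times more header bytes the late-reset loop accepts than the
    early-reset loop for the same oversized request."""
    block = oversized_header_block(n_headers, value_len)
    late = process_with_late_reset(block, limits)
    early = process_with_early_reset(block, limits)
    assert late.reset and early.reset, "block must exceed the limits"
    return late.bytes_processed / early.bytes_processed


if __name__ == "__main__":
    limits = HeaderLimits(max_header_count=10, max_header_size=1024)
    print(f"late reset accepts {work_ratio(1000, 100, limits):.0f}x more header bytes")
```

One caveat when reading the early-reset branch against a real server: HPACK state is per connection, so a server that abandons a stream still has to finish decoding the header block to keep its dynamic table in step with the client (or close the whole connection). "Early reset" in practice means ceasing to store, validate and dispatch headers for the stream once it is marked for reset, not stopping the decoder mid-block.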

Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99, which fix the issue.
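The practical question for anyone reading this advisory is whether a given deployment falls inside the ranges listed above. The following check is an added example for this page (not Tomcat's or GitHub's code): it encodes the advisory's four branch ranges, orders milestone builds such as `11.0.0-M16` (or the older `9.0.0.M1` spelling) before the corresponding final release, and scans `mvn dependency:tree` output for the two Maven artifacts the advisory names. The dependency-tree excerpt is a constructed sample, and the assumed coordinate format is `groupId:artifactId:packaging[:classifier]:version[:scope]`.

```python
"""Affected-range check for CVE-2024-24549.

Added example for this advisory page, not Tomcat's or GitHub's code. Version
ranges are copied from the advisory; SAMPLE_TREE_LINES is constructed.
"""
import re
from typing import List, Optional, Tuple

# (first affected, last affected, first fixed) per branch, from the advisory.
AFFECTED_RANGES = [
    ("8.5.0", "8.5.98", "8.5.99"),
    ("9.0.0-M1", "9.0.85", "9.0.86"),
    ("10.1.0-M1", "10.1.18", "10.1.19"),
    ("11.0.0-M1", "11.0.0-M16", "11.0.0-M17"),
]

# Only the two Maven artifacts the advisory lists.
MONITORED_ARTIFACTS = {
    "org.apache.tomcat.embed:tomcat-embed-core",
    "org.apache.tomcat:tomcat-coyote",
}

# Milestones appear as 11.0.0-M16, and as 9.0.0.M1 for early 9.0 releases.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]M(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Sort key for a Tomcat version. A milestone sorts before the final
    release with the same number, so finals get (1, 0) and milestones (0, n)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def fix_for(version: str) -> Optional[str]:
    """Return the release to upgrade to if `version` falls in an affected range.
    None means the version is outside every listed range: either already
    patched, or on a branch the advisory does not cover at all (which is not
    the same as being safe)."""
    key = parse_version(version)
    for first, last, fixed in AFFECTED_RANGES:
        if parse_version(first) <= key <= parse_version(last):
            return fixed
    return None


def scan_dependency_tree(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Walk `mvn dependency:tree` output and report (artifact, version, fix)
    for each monitored Tomcat artifact whose version is in an affected range."""
    findings = []
    for line in lines:
        tokens = line.split()
        if not tokens:
            continue
        parts = tokens[-1].split(":")  # the coordinate is the last token
        if len(parts) < 4:
            continue
        artifact = f"{parts[0]}:{parts[1]}"
        if artifact not in MONITORED_ARTIFACTS:
            continue
        # root line is g:a:type:version; dependencies end with :version:scope
        version = parts[3] if len(parts) == 4 else parts[-2]
        fixed = fix_for(version)
        if fixed is not None:
            findings.append((artifact, version, fixed))
    return findings


# Constructed sample output; prefixes mimic Maven's tree drawing.
SAMPLE_TREE_LINES = r"""
[INFO] com.example:shop:jar:1.0.0
[INFO] +- com.example:embedded-server:jar:2.4.0:compile
[INFO] |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:10.1.18:compile
[INFO] |  \- org.apache.tomcat.embed:tomcat-embed-el:jar:10.1.18:compile
[INFO] \- org.apache.tomcat:tomcat-coyote:jar:9.0.86:test
""".strip().splitlines()


if __name__ == "__main__":
    for artifact, version, fixed in scan_dependency_tree(SAMPLE_TREE_LINES):
        print(f"{artifact} {version} is affected; upgrade to {fixed}")
```

In the sample, `tomcat-embed-core 10.1.18` is reported with `10.1.19` as the fix, while `tomcat-coyote 9.0.86` is already patched and `tomcat-embed-el` is not an artifact the advisory lists, so neither appears in the findings.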

References

Published by the National Vulnerability Database Mar 13, 2024
Published to the GitHub Advisory Database Mar 13, 2024
Reviewed Mar 15, 2024
Last updated May 2, 2024

Severity

Moderate

CVE ID

CVE-2024-24549

GHSA ID

GHSA-7w75-32cg-r6g2
