Apache Tomcat Denial of Service Vulnerability Affects Multiple Versions
CVE-2024-24549

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Tomcat
Vendor: CVE Published:; 13 March 2024

Badges

👾 Exploit Exists🟡 Public PoC

Summary

This vulnerability in Apache Tomcat is triggered by improper input validation for HTTP/2 requests. Specifically, when an HTTP/2 request exceeds configured header limits, the system fails to reset the associated stream immediately, leading to a possible Denial of Service. Users are advised to update to versions 11.0.0-M17, 10.1.19, 9.0.86, or 8.5.99 to mitigate this issue effectively.

Affected Version(s)

Apache Tomcat 11.0.0-M1 <= 11.0.0-M16

Apache Tomcat 10.1.0-M1 <= 10.1.18

Apache Tomcat 9.0.0-M1 <= 9.0.85

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-24549
Created by JFOZ1010

References

https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xd...

vendor-advisory

https://security.netapp.com/advisory/ntap-20240402-0002/

https://lists.debian.org/debian-lts-announce/2024/04/msg0...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Dec 9, 2024
👾
Exploit known to exist
Dec 9, 2024
Vulnerability published
Mar 13, 2024
Vulnerability Reserved
Jan 25, 2024

Credit

Bartek Nowotarski