Allocation of Resources Without Limits or Throttling Vulnerability Affects Multiple Apache Tomcat Versions

CVE-2024-38286

8.6HIGH

Key Information

Vendor: Apache
Status: Apache Tomcat
Vendor: CVE Published:; 7 November 2024

Summary

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. Older, unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.

Affected Version(s)

Apache Tomcat <= 11.0.0-M20

Apache Tomcat <= 10.1.24

Apache Tomcat <= 9.0.89

CVSS V3.1

Score:

8.6

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published.
Nov 7, 2024
Vulnerability Reserved.
Jun 12, 2024
Issue reported to Apache Tomcat Security Team
Jun 4, 2024

Collectors

NVD DatabaseMitre Database

Credit

Ozaki, North Grid Corporation