Incorrect Object Recycling Vulnerability Affects Apache Tomcat Versions
CVE-2024-52317

6.5MEDIUM

Key Information:

Vendor: Apache
Status: Apache Tomcat
Vendor: CVE Published:; 18 November 2024

Badges

👾 Exploit Exists🟡 Public PoC

Summary

Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users.

This issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95.

Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the issue.

Affected Version(s)

Apache Tomcat 11.0.0-M23 <= 11.0.0-M26

Apache Tomcat 10.1.27 <= 10.1.30

Apache Tomcat 9.0.92 <= 9.0.95

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-52317
Created by TAM-K592

References

https://lists.apache.org/thread/ty376mrxy1mmxtw3ogo53nc9l...

vendor-advisory

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Nov 21, 2024
👾
Exploit known to exist
Nov 21, 2024
Vulnerability published
Nov 18, 2024