CVE-2024-24549

Published: 13/03/2024 Updated: 06/04/2024

Vulnerability Summary

Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed. This issue affects Apache Tomcat: from 11.0.0-M1 up to and including 11.0.0-M16, from 10.1.0-M1 up to and including 10.1.18, from 9.0.0-M1 up to and including 9.0.85, from 8.5.0 up to and including 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99, which fix the issue.

Vendor Advisories

Debian Bug report logs - #1066878 tomcat10: CVE-2024-24549 Package: src:tomcat10; Maintainer for src:tomcat10 is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Thu, 14 Mar 2024 19:57:04 UTC Severity: important Tags: security, upstrea ...
Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open, leading to increased resource consumption. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. User ...

Mailing Lists

oss-sec mailing list archives: CVE-2024-24549: Apache Tomcat: HTTP/2 header handling DoS. From: Mark Th ...