CVE-2024-24549
Public on 2024-03-13
Modified on 2024-03-18
Description
Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.
Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
Severity
Important
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | tomcat | Not Affected | ||
| Amazon Linux 2 - Tomcat8.5 Extra | tomcat | 2024-04-10 | ALAS2TOMCAT8.5-2024-019 | Fixed |
| Amazon Linux 2 - Tomcat9 Extra | tomcat | 2024-04-10 | ALAS2TOMCAT9-2024-013 | Fixed |
| Amazon Linux 1 | tomcat7 | Not Affected | ||
| Amazon Linux 1 | tomcat8 | 2024-06-19 | ALAS-2024-1941 | Fixed |
| Amazon Linux 1 | tomcat80 | Not Affected | ||
| Amazon Linux 2023 | tomcat9 | 2024-03-27 | ALAS2023-2024-577 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| NVD | CVSSv3 | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |