// For flags

CVE-2024-24549

Apache Tomcat: HTTP/2 header handling DoS

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.

Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.

Denegación de servicio debido a una vulnerabilidad de validación de entrada incorrecta para solicitudes HTTP/2 en Apache Tomcat. Al procesar una solicitud HTTP/2, si la solicitud excedía cualquiera de los límites configurados para los encabezados, la secuencia HTTP/2 asociada no se restablecía hasta que se hubieran procesado todos los encabezados. Este problema afecta a Apache Tomcat: desde 11.0.0- M1 hasta 11.0.0-M16, desde 10.1.0-M1 hasta 10.1.18, desde 9.0.0-M1 hasta 9.0.85, desde 8.5.0 hasta 8.5.98. Se recomienda a los usuarios actualizar a la versión 11.0.0-M17, 10.1.19, 9.0.86 u 8.5.99, que solucionan el problema.

A vulnerability was found in the Tomcat package due to its handling of HTTP/2 requests. Specifically, when an HTTP/2 request surpasses the predetermined limits for headers configured within the server, the associated HTTP/2 stream isn't reset immediately. Instead, the reset action occurs only after all the headers within the request have been processed. This lapse in resetting the stream exposes the system to potential risks, as it allows malicious actors to exploit the delay in stream reset to carry out various attacks, such as header manipulation or resource exhaustion.

*Credits: Bartek Nowotarski
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-01-25 CVE Reserved
  • 2024-03-13 CVE Published
  • 2024-08-02 First Exploit
  • 2024-09-02 EPSS Updated
  • 2024-11-04 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-20: Improper Input Validation
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Apache Software Foundation
Search vendor "Apache Software Foundation"
 Apache Tomcat
Search vendor "Apache Software Foundation" for product "Apache Tomcat"
 >= 11.0.0-M1 <= 11.0.0-M16
Search vendor "Apache Software Foundation" for product "Apache Tomcat" and version " >= 11.0.0-M1 <= 11.0.0-M16"
en
Affected
Apache Software Foundation
Search vendor "Apache Software Foundation"
 Apache Tomcat
Search vendor "Apache Software Foundation" for product "Apache Tomcat"
 >= 10.1.0-M1 <= 10.1.18
Search vendor "Apache Software Foundation" for product "Apache Tomcat" and version " >= 10.1.0-M1 <= 10.1.18"
en
Affected
Apache Software Foundation
Search vendor "Apache Software Foundation"
 Apache Tomcat
Search vendor "Apache Software Foundation" for product "Apache Tomcat"
 >= 9.0.0-M1 <= 9.0.85
Search vendor "Apache Software Foundation" for product "Apache Tomcat" and version " >= 9.0.0-M1 <= 9.0.85"
en
Affected
Apache Software Foundation
Search vendor "Apache Software Foundation"
 Apache Tomcat
Search vendor "Apache Software Foundation" for product "Apache Tomcat"
 >= 8.5.0 <= 8.5.98
Search vendor "Apache Software Foundation" for product "Apache Tomcat" and version " >= 8.5.0 <= 8.5.98"
en
Affected