CVE-2024-38286
Apache Tomcat: Denial of Service
Public Exploits: 0
Exploited in Wild: none recorded
Descriptions
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. Older, unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.
A vulnerability was found in Tomcat. Under certain configurations on any platform, this flaw allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.
The Ubuntu notice text below describes two other Tomcat issues, not the TLS handshake resource-exhaustion flaw that is CVE-2024-38286:

It was discovered that Tomcat did not include the secure attribute for session cookies when using the RemoteIpFilter with requests from a reverse proxy. An attacker could possibly use this issue to leak sensitive information. This issue was fixed for tomcat8 on Ubuntu 18.04 LTS and for tomcat9 on Ubuntu 24.04 LTS, Ubuntu 24.10, and Ubuntu 25.04.

It was discovered that Tomcat incorrectly recycled certain objects, which could lead to information leaking from one request to the next. An attacker could potentially use this issue to leak sensitive information. This issue was fixed for tomcat8 on Ubuntu 18.04 LTS and for tomcat9 on Ubuntu 24.04 LTS, Ubuntu 24.10, and Ubuntu 25.04.
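The only actionable fact the advisory gives is the version ranges, and triaging them by hand is error-prone because Tomcat milestone builds (11.0.0-M20) sort before the GA release of the same number and the 9.0 branch is only affected from 9.0.13 onward. The following is an added example written for this page, not code from the Tomcat project or from the advisory. It turns the ranges quoted above into a version comparator and applies it to a version string or to the output of Tomcat's own `bin/version.sh` (assumed here to contain a `Server version: Apache Tomcat/x.y.z` line; the sample output is constructed, not captured from a host). Versions older than every listed range are reported as `unknown` rather than clean, because the advisory says older, unsupported releases may also be affected; and since the flaw only triggers under certain configurations that the advisory does not name, the version check is a reason to upgrade, not proof of exposure or safety.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Ranges copied from the advisory text above: (first affected, last affected,
# first fixed) for each supported Tomcat branch.
AFFECTED_RANGES = (
    ("11.0.0-M1", "11.0.0-M20", "11.0.0-M21"),
    ("10.1.0-M1", "10.1.24", "10.1.25"),
    ("9.0.13", "9.0.89", "9.0.90"),
)

# Matches "9.0.89", "9.0.89.0" (Server number form) and "11.0.0-M20".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.\d+)?(?:-M(\d+))?")
GA_SENTINEL = 10**6  # larger than any milestone number, so X.Y.Z-Mn < X.Y.Z


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Return a comparable (major, minor, patch, milestone) tuple.

    Milestone builds precede the GA release of the same number, so GA gets a
    large sentinel in the last slot: 11.0.0-M20 < 11.0.0-M21 < 11.0.0.
    A trailing build component ("9.0.89.0") is accepted and ignored.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Tomcat version found in {text!r}")
    major, minor, patch, milestone = m.groups()
    ms = int(milestone) if milestone is not None else GA_SENTINEL
    return (int(major), int(minor), int(patch), ms)


@dataclass(frozen=True)
class Verdict:
    status: str               # "affected", "fixed" or "unknown"
    fixed_in: Optional[str]   # first fixed release on the same branch, if any
    reason: str


def assess(version_text: str) -> Verdict:
    """Classify a Tomcat version against the CVE-2024-38286 ranges."""
    v = parse_version(version_text)
    for low, high, fixed in AFFECTED_RANGES:
        lo, hi, fx = (parse_version(x) for x in (low, high, fixed))
        if lo <= v <= hi:
            return Verdict("affected", fixed, f"within {low}..{high}")
        # Same major.minor branch and at or past the fixed release.
        if v[:2] == fx[:2] and v >= fx:
            return Verdict("fixed", fixed, f"at or above the fixed release {fixed}")
    newest_fixed = max(parse_version(r[2]) for r in AFFECTED_RANGES)
    if v > newest_fixed:
        return Verdict("fixed", None, "newer than every branch listed in the advisory")
    # The advisory says older, unsupported versions "may also be affected":
    # never report those as clean.
    return Verdict("unknown", None,
                   "older than the listed ranges; unsupported, may also be affected")


def assess_version_sh(output: str) -> Verdict:
    """Assess the multi-line output of $CATALINA_HOME/bin/version.sh."""
    for line in output.splitlines():
        if line.startswith("Server version:"):
            return assess(line)
    raise ValueError("no 'Server version:' line in version.sh output")


# Constructed sample of version.sh output; not captured from a real host.
SAMPLE_VERSION_SH = """\
Server version: Apache Tomcat/9.0.89
Server built:   Jun 1 2024 00:00:00 UTC
Server number:  9.0.89.0
OS Name:        Linux
"""

if __name__ == "__main__":
    for v in ("9.0.12", "9.0.13", "9.0.89", "9.0.90", "10.1.0-M5",
              "10.1.25", "11.0.0-M20", "11.0.0-M21", "11.0.0"):
        r = assess(v)
        print(f"{v:12} {r.status:9} {r.reason}")
    print(assess_version_sh(SAMPLE_VERSION_SH))
```

Run it directly to print a verdict per version, or feed `assess_version_sh` the output of `version.sh` from a fleet inventory; the `unknown` verdict is deliberate, so that EOL branches such as 8.5 show up for manual review instead of disappearing from the report.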
CVSS Scores
SSVC
- Decision: Attend
Timeline
- 2024-06-12 CVE Reserved
- 2024-10-30 CVE Published
- 2024-11-07 CVE Updated
- 2025-06-03 EPSS Updated
- Exploited in Wild: none recorded
- KEV Due Date: none
- First Exploit: none recorded
CWE
- CWE-400: Uncontrolled Resource Consumption
- CWE-770: Allocation of Resources Without Limits or Throttling
CAPEC
References (3)
URL | Date | Source
---|---|---
https://lists.apache.org/thread/wms60cvbsz3fpbz9psxtfx8r41jl6d4s | 2024-11-07 | Apache mailing list
https://access.redhat.com/security/cve/CVE-2024-38286 | 2024-10-29 | Red Hat
https://bugzilla.redhat.com/show_bug.cgi?id=2314686 | 2024-10-29 | Red Hat Bugzilla
Affected Vendors, Products, and Versions
Vendor | Product | Version | Status
---|---|---|---
Apache Software Foundation | Apache Tomcat | >= 11.0.0-M1 <= 11.0.0-M20 | Affected
Apache Software Foundation | Apache Tomcat | >= 10.1.0-M1 <= 10.1.24 | Affected
Apache Software Foundation | Apache Tomcat | >= 9.0.13 <= 9.0.89 | Affected