CVE-2024-52317

Apache Tomcat: Request/response mix-up with HTTP/2

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests
could lead to request and/or response mix-up between users.

This issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95.

Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the issue.

Vulnerabilidad de reutilización y reciclaje incorrecto de objetos en Apache Tomcat. El reciclaje incorrecto de la solicitud y la respuesta utilizadas por las solicitudes HTTP/2 podría provocar una confusión de solicitudes y/o respuestas entre usuarios. Este problema afecta a Apache Tomcat: desde 11.0.0-M23 hasta 11.0.0-M26, desde 10.1.27 hasta 10.1.30, desde 9.0.92 hasta 9.0.95. Se recomienda a los usuarios que actualicen a la versión 11.0.0, 10.1.31 o 9.0.96, que soluciona el problema.

*Credits: N/A

CVSS Scores

CISAv3.1 6.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-11-07 CVE Reserved
2024-11-18 CVE Published
2024-11-18 CVE Updated
2024-11-19 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-326: Inadequate Encryption Strength

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://lists.apache.org/thread/ty376mrxy1mmxtw3ogo53nc9l3co3dfs	2024-11-18

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Software Foundation Search vendor "Apache Software Foundation"		Apache Tomcat Search vendor "Apache Software Foundation" for product "Apache Tomcat"				>= 11.0.0-M23 <= 11.0.0-M26 Search vendor "Apache Software Foundation" for product "Apache Tomcat" and version " >= 11.0.0-M23 <= 11.0.0-M26"		en		Affected
Apache Software Foundation Search vendor "Apache Software Foundation"		Apache Tomcat Search vendor "Apache Software Foundation" for product "Apache Tomcat"				>= 10.1.27 <= 10.1.30 Search vendor "Apache Software Foundation" for product "Apache Tomcat" and version " >= 10.1.27 <= 10.1.30"		en		Affected
Apache Software Foundation Search vendor "Apache Software Foundation"		Apache Tomcat Search vendor "Apache Software Foundation" for product "Apache Tomcat"				>= 9.0.92 <= 9.0.95 Search vendor "Apache Software Foundation" for product "Apache Tomcat" and version " >= 9.0.92 <= 9.0.95"		en		Affected