GHSA-7w75-32cg-r6g2: Apache Tomcat Denial of Service due to improper input validation vulnerability for HTTP/2 requests
Denial of service due to an improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request that exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed, so the server continued to process header data for a request that had already exceeded its limits. This issue affects Apache Tomcat from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, and from 8.5.0 through 8.5.98.
Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99, which fix the issue.
CVE-2024-24549
Moderate severity. GitHub Reviewed. Published Mar 13, 2024 to the GitHub Advisory Database; updated Mar 15, 2024.
Package: org.apache.tomcat.embed:tomcat-embed-core (Maven)
Affected versions: >= 8.5.0, <= 8.5.98; >= 9.0.0-M1, <= 9.0.85; >= 10.1.0-M1, <= 10.1.18; >= 11.0.0-M1, <= 11.0.0-M16
Patched versions: 8.5.99, 9.0.86, 10.1.19, 11.0.0-M17

Package: org.apache.tomcat:tomcat (Maven)
Affected versions: >= 8.5.0, <= 8.5.98; >= 9.0.0-M1, <= 9.0.85; >= 10.1.0-M1, <= 10.1.18; >= 11.0.0-M1, <= 11.0.0-M16
Patched versions: 8.5.99, 9.0.86, 10.1.19, 11.0.0-M17
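As an added example (not part of the advisory or of Tomcat), the following Python checks Maven dependency versions against the affected ranges above, so a build can be scanned for the two listed artifacts before the upgrade is rolled out. The `mvn dependency:list` output it parses is constructed sample data, and the ordering of `-Mn` milestones before the final release of the same x.y.z is an assumption about how Tomcat numbers its pre-releases.

```python
import re

# Ranges as published in GHSA-7w75-32cg-r6g2 (CVE-2024-24549) for both Maven artifacts.
AFFECTED_ARTIFACTS = {"org.apache.tomcat.embed:tomcat-embed-core", "org.apache.tomcat:tomcat"}
AFFECTED_RANGES = [("8.5.0", "8.5.98"), ("9.0.0-M1", "9.0.85"),
                   ("10.1.0-M1", "10.1.18"), ("11.0.0-M1", "11.0.0-M16")]
PATCHED_VERSIONS = ["8.5.99", "9.0.86", "10.1.19", "11.0.0-M17"]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")

def parse_version(text):
    """Turn '10.1.18' or '11.0.0-M16' into a sortable tuple. Assumption: a
    milestone -Mn is a pre-release, so it sorts before the final x.y.z
    (milestone -> (0, n), final release -> (1, 0))."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    tail = (1, 0) if milestone is None else (0, int(milestone))
    return (int(major), int(minor), int(patch)) + tail

def is_affected(version):
    """True if the version lies inside any advisory range (both ends inclusive)."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)

def find_affected(dependency_list_output):
    """Scan `mvn dependency:list` output (groupId:artifactId:type[:classifier]:version:scope)
    and return (coordinate, version) for each listed artifact in an affected range."""
    hits = []
    for line in dependency_list_output.splitlines():
        parts = line.replace("[INFO]", "").strip().split(":")
        if len(parts) < 5:  # not a dependency line
            continue
        coord = f"{parts[0]}:{parts[1]}"
        version = parts[-2]  # scope is always the last field
        if coord in AFFECTED_ARTIFACTS and is_affected(version):
            hits.append((coord, version))
    return hits

# Constructed sample of `mvn dependency:list` output, not from a real build.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.tomcat.embed:tomcat-embed-core:jar:10.1.18:compile
[INFO]    org.apache.tomcat.embed:tomcat-embed-el:jar:10.1.18:compile
[INFO]    org.apache.tomcat:tomcat:pom:11.0.0-M17:compile
[INFO]    org.slf4j:slf4j-api:jar:2.0.9:compile
"""
```

Running `find_affected(SAMPLE_DEPENDENCY_LIST)` flags only `tomcat-embed-core` at 10.1.18; the 11.0.0-M17 entry is already at a patched version, and `tomcat-embed-el` is not one of the artifacts the advisory lists.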
Related news
Debian Linux Security Advisory 5665-1 - Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.
Red Hat Security Advisory 2024-1325-03 - Red Hat JBoss Web Server 6.0.1 zip release is now available for Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, and Windows Server. Issues addressed include HTTP request smuggling, denial of service, and open redirection vulnerabilities.
Red Hat Security Advisory 2024-1324-03 - An update is now available for Red Hat JBoss Web Server 6.0.1 on Red Hat Enterprise Linux versions 8 and 9. Issues addressed include HTTP request smuggling, denial of service, and open redirection vulnerabilities.
Red Hat Security Advisory 2024-1319-03 - Red Hat JBoss Web Server 5.7.8 zip release is now available for Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, and Windows Server. Issues addressed include HTTP request smuggling and denial of service vulnerabilities.
Red Hat Security Advisory 2024-1318-03 - An update is now available for Red Hat JBoss Web Server 5.7.8 on Red Hat Enterprise Linux versions 7, 8, and 9. Issues addressed include HTTP request smuggling and denial of service vulnerabilities.