GHSA-7w75-32cg-r6g2: Apache Tomcat Denial of Service due to improper input validation vulnerability for HTTP/2 requests

Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.

Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.

Source: GitHub Advisory Database (GitHub Reviewed)
CVE: CVE-2024-24549

Apache Tomcat Denial of Service due to improper input validation vulnerability for HTTP/2 requests

Severity: Moderate (GitHub Reviewed). Published to the GitHub Advisory Database Mar 13, 2024; updated Mar 15, 2024.

Packages (Maven): org.apache.tomcat.embed:tomcat-embed-core and org.apache.tomcat:tomcat

The same affected and patched versions apply to both packages:

  Affected versions                 Patched version
  >= 8.5.0,     <= 8.5.98           8.5.99
  >= 9.0.0-M1,  <= 9.0.85           9.0.86
  >= 10.1.0-M1, <= 10.1.18          10.1.19
  >= 11.0.0-M1, <= 11.0.0-M16       11.0.0-M17

Published to the GitHub Advisory Database: Mar 13, 2024

Last updated: Mar 15, 2024

Related news

Debian Security Advisory 5665-1

Debian Linux Security Advisory 5665-1 - Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.

Red Hat Security Advisory 2024-1325-03

Red Hat Security Advisory 2024-1325-03 - Red Hat JBoss Web Server 6.0.1 zip release is now available for Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, and Windows Server. Issues addressed include HTTP request smuggling, denial of service, and open redirection vulnerabilities.

Red Hat Security Advisory 2024-1324-03

Red Hat Security Advisory 2024-1324-03 - An update is now available for Red Hat JBoss Web Server 6.0.1 on Red Hat Enterprise Linux versions 8 and 9. Issues addressed include HTTP request smuggling, denial of service, and open redirection vulnerabilities.

Red Hat Security Advisory 2024-1319-03

Red Hat Security Advisory 2024-1319-03 - Red Hat JBoss Web Server 5.7.8 zip release is now available for Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, and Windows Server. Issues addressed include HTTP request smuggling and denial of service vulnerabilities.

Red Hat Security Advisory 2024-1318-03

Red Hat Security Advisory 2024-1318-03 - An update is now available for Red Hat JBoss Web Server 5.7.8 on Red Hat Enterprise Linux versions 7, 8, and 9. Issues addressed include HTTP request smuggling and denial of service vulnerabilities.