{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-24549", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2024-01-25T12:05:42.034Z", "datePublished": "2024-03-13T15:46:53.085Z", "dateUpdated": "2024-08-01T23:19:52.712Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Tomcat", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "11.0.0-M16", "status": "affected", "version": "11.0.0-M1", "versionType": "semver"}, {"lessThanOrEqual": "10.1.18", "status": "affected", "version": "10.1.0-M1", "versionType": "semver"}, {"lessThanOrEqual": "9.0.85", "status": "affected", "version": "9.0.0-M1", "versionType": "semver"}, {"lessThanOrEqual": "8.5.98", "status": "affected", "version": "8.5.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Bartek Nowotarski"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.<p>This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.</p><p>Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.</p>"}], "value": "Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.\n\nUsers are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.\n\n"}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-03-13T15:46:53.085Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg"}, {"url": "https://security.netapp.com/advisory/ntap-20240402-0002/"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html"}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/13/3"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B/"}], "source": {"discovery": "EXTERNAL"}, "title": "Apache Tomcat: HTTP/2 header handling DoS", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-24549", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-15T15:00:56.854044Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:43:38.348Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:19:52.712Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg"}, {"url": "https://security.netapp.com/advisory/ntap-20240402-0002/", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/13/3", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B/", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-24549", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-15T15:00:56.854044Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:17.867Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "Apache Tomcat: HTTP/2 header handling DoS", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Bartek Nowotarski"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "important"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Tomcat", "versions": [{"status": "affected", "version": "11.0.0-M1", "versionType": "semver", "lessThanOrEqual": "11.0.0-M16"}, {"status": "affected", "version": "10.1.0-M1", "versionType": "semver", "lessThanOrEqual": "10.1.18"}, {"status": "affected", "version": "9.0.0-M1", "versionType": "semver", "lessThanOrEqual": "9.0.85"}, {"status": "affected", "version": "8.5.0", "versionType": "semver", "lessThanOrEqual": "8.5.98"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg", "tags": ["vendor-advisory"]}, {"url": "https://security.netapp.com/advisory/ntap-20240402-0002/"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html"}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/13/3"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B/"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.\n\nUsers are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.\n\n", "supportingMedia": [{"type": "text/html", "value": "Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.<p>This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.</p><p>Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-03-13T15:46:53.085Z"}}}, "cveMetadata": {"cveId": "CVE-2024-24549", "state": "PUBLISHED", "dateUpdated": "2024-03-13T15:46:53.085Z", "dateReserved": "2024-01-25T12:05:42.034Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2024-03-13T15:46:53.085Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.\n\nUsers are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.\n\n"}, {"lang": "es", "value": "Denegaci\u00f3n de servicio debido a una vulnerabilidad de validaci\u00f3n de entrada incorrecta para solicitudes HTTP/2 en Apache Tomcat. Al procesar una solicitud HTTP/2, si la solicitud exced\u00eda cualquiera de los l\u00edmites configurados para los encabezados, la secuencia HTTP/2 asociada no se restablec\u00eda hasta que se hubieran procesado todos los encabezados. Este problema afecta a Apache Tomcat: desde 11.0.0- M1 hasta 11.0.0-M16, desde 10.1.0-M1 hasta 10.1.18, desde 9.0.0-M1 hasta 9.0.85, desde 8.5.0 hasta 8.5.98. Se recomienda a los usuarios actualizar a la versi\u00f3n 11.0.0-M17, 10.1.19, 9.0.86 u 8.5.99, que solucionan el problema."}], "id": "CVE-2024-24549", "lastModified": "2024-06-23T09:15:11.213", "metrics": {}, "published": "2024-03-13T16:15:29.373", "references": [{"source": "security@apache.org", "url": "http://www.openwall.com/lists/oss-security/2024/03/13/3"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg"}, {"source": "security@apache.org", "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html"}, {"source": "security@apache.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B/"}, {"source": "security@apache.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55/"}, {"source": "security@apache.org", "url": "https://security.netapp.com/advisory/ntap-20240402-0002/"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security@apache.org", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:1319", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.7", "package": "tomcat", "product_name": "JWS 5.7.8", "release_date": "2024-03-18T00:00:00Z"}, {"advisory": "RHSA-2024:1325", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6.0", "package": "tomcat", "product_name": "JWS 6.0.1", "release_date": "2024-03-18T00:00:00Z"}, {"advisory": "RHSA-2024:3666", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "tomcat-1:9.0.87-1.el8_10.1", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-06-06T00:00:00Z"}, {"advisory": "RHSA-2024:3814", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "tomcat-1:9.0.87-1.el8_8.2", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-06-11T00:00:00Z"}, {"advisory": "RHSA-2024:3307", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "tomcat-1:9.0.87-1.el9_4.1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-05-23T00:00:00Z"}, {"advisory": "RHSA-2024:3308", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "tomcat-1:9.0.87-1.el9_2.1", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-05-23T00:00:00Z"}, {"advisory": "RHSA-2024:1318", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.7::el7", "package": "jws5-tomcat-0:9.0.62-41.redhat_00020.1.el7jws", "product_name": "Red Hat JBoss Web Server 5.7 on RHEL 7", "release_date": "2024-03-18T00:00:00Z"}, {"advisory": "RHSA-2024:1318", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.7::el7", "package": "jws5-tomcat-native-0:1.2.31-17.redhat_17.el7jws", "product_name": "Red Hat JBoss Web Server 5.7 on RHEL 7", "release_date": "2024-03-18T00:00:00Z"}, {"advisory": "RHSA-2024:1318", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.7::el8", "package": "jws5-tomcat-0:9.0.62-41.redhat_00020.1.el8jws", "product_name": "Red Hat JBoss Web Server 5.7 on RHEL 8", "release_date": "2024-03-18T00:00:00Z"}, {"advisory": "RHSA-2024:1318", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.7::el8", "package": "jws5-tomcat-native-0:1.2.31-17.redhat_17.el8jws", "product_name": "Red Hat JBoss Web Server 5.7 on RHEL 8", "release_date": "2024-03-18T00:00:00Z"}, {"advisory": "RHSA-2024:1318", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.7::el9", "package": "jws5-tomcat-0:9.0.62-41.redhat_00020.1.el9jws", "product_name": "Red Hat JBoss Web Server 5.7 on RHEL 9", "release_date": "2024-03-18T00:00:00Z"}, {"advisory": "RHSA-2024:1318", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.7::el9", "package": "jws5-tomcat-native-0:1.2.31-17.redhat_17.el9jws", "product_name": "Red Hat JBoss Web Server 5.7 on RHEL 9", "release_date": "2024-03-18T00:00:00Z"}, {"advisory": "RHSA-2024:1324", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6.0::el8", "package": "jws6-tomcat-0:10.1.8-6.redhat_00013.1.el8jws", "product_name": "Red Hat JBoss Web Server 6.0 on RHEL 8", "release_date": "2024-03-18T00:00:00Z"}, {"advisory": "RHSA-2024:1324", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6.0::el9", "package": "jws6-tomcat-0:10.1.8-6.redhat_00013.1.el9jws", "product_name": "Red Hat JBoss Web Server 6.0 on RHEL 9", "release_date": "2024-03-18T00:00:00Z"}], "bugzilla": {"description": "Tomcat: HTTP/2 header handling DoS", "id": "2269607", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2269607"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-20", "details": ["Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.\nUsers are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.", "A vulnerability was found in the Tomcat package due to its handling of HTTP/2 requests. Specifically, when an HTTP/2 request surpasses the predetermined limits for headers configured within the server, the associated HTTP/2 stream isn't reset immediately. Instead, the reset action occurs only after all the headers within the request have been processed. This lapse in resetting the stream exposes the system to potential risks, as it allows malicious actors to exploit the delay in stream reset to carry out various attacks, such as header manipulation or resource exhaustion."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-24549", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "tomcat6", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "pki-deps:10.6/pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-03-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-24549\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-24549\nhttps://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg"], "statement": "This vulnerability presents an Important severity issue due to its potential to facilitate various forms of attack, particularly in the context of HTTP/2 protocol. By delaying the reset of HTTP/2 streams until after processing all headers, malicious actors can exploit this window to execute header manipulation attacks, leading to potential data exfiltration, injection of malicious content, or server resource exhaustion. Furthermore, the delayed reset prolongs the exposure time of vulnerable systems, increasing the likelihood of successful exploitation.\nIn addition, Red Hat Certificate System 10.0 and Red Hat Enterprise Linux 8's Identity Management, are using a vulnerable version of Tomcat that is bundled into the pki-servlet-engine component. However, HTTP/2 is not enabled in such a configuration, and it is not possible to trigger the flaw in a supported setup. See https://access.redhat.com/security/cve/CVE-2020-13934 for context.", "threat_severity": "Important", "upstream_fix": "Apache Tomcat 11.0.0-M17, Apache Tomcat 10.1.19, Apache Tomcat 9.0.86, Apache Tomcat 8.5.99"}