Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests
could lead to request and/or response mix-up between users.

This issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95.

Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the issue.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Thu, 15 May 2025 18:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone23:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone24:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone25:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone26:*:*:*:*:*:*

Fri, 24 Jan 2025 20:45:00 +0000

Type Values Removed Values Added
References

Sat, 23 Nov 2024 03:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Important


Fri, 22 Nov 2024 12:00:00 +0000

Type Values Removed Values Added
References

Mon, 18 Nov 2024 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache tomcat
Weaknesses CWE-326
CPEs cpe:2.3:a:apache:tomcat:-:*:*:*:*:*:*:*
Vendors & Products Apache
Apache tomcat
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 18 Nov 2024 11:45:00 +0000

Type Values Removed Values Added
Description Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the issue.
Title Apache Tomcat: Request/response mix-up with HTTP/2
References

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2025-01-24T20:03:10.485Z

Reserved: 2024-11-07T07:45:03.449Z

Link: CVE-2024-52317

cve-icon Vulnrichment

Updated: 2024-11-18T18:03:24.879Z

cve-icon NVD

Status : Analyzed

Published: 2024-11-18T12:15:18.727

Modified: 2025-05-15T17:51:16.553

Link: CVE-2024-52317

cve-icon Redhat

Severity : Important

Publid Date: 2024-11-18T11:36:51Z

Links: CVE-2024-52317 - Bugzilla

cve-icon OpenCVE Enrichment

No data.