Skip to content

Commit 7e6129a

Browse files
committed
1 parent c69b7a5 commit 7e6129a

1 file changed

Lines changed: 107 additions & 23 deletions

File tree

advisories/github-reviewed/2024/03/GHSA-7w75-32cg-r6g2/GHSA-7w75-32cg-r6g2.json

Lines changed: 107 additions & 23 deletions
Original file line numberDiff line numberDiff line change
@@ -1,24 +1,108 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-7w75-32cg-r6g2",
4-
"modified": "2025-10-29T14:49:23Z",
4+
"modified": "2025-02-13T19:07:46Z",
55
"published": "2024-03-13T18:31:34Z",
66
"aliases": [
77
"CVE-2024-24549"
88
],
99
"summary": "Apache Tomcat Denial of Service due to improper input validation vulnerability for HTTP/2 requests",
1010
"details": "Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.\n\nUsers are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.",
1111
"severity": [
12-
{
13-
"type": "CVSS_V3",
14-
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
15-
},
1612
{
1713
"type": "CVSS_V4",
18-
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
1915
}
2016
],
2117
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Maven",
21+
"name": "org.apache.tomcat.embed:tomcat-embed-core"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "8.5.0"
29+
},
30+
{
31+
"fixed": "8.5.99"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 8.5.98"
38+
}
39+
},
40+
{
41+
"package": {
42+
"ecosystem": "Maven",
43+
"name": "org.apache.tomcat.embed:tomcat-embed-core"
44+
},
45+
"ranges": [
46+
{
47+
"type": "ECOSYSTEM",
48+
"events": [
49+
{
50+
"introduced": "9.0.0-M1"
51+
},
52+
{
53+
"fixed": "9.0.86"
54+
}
55+
]
56+
}
57+
],
58+
"database_specific": {
59+
"last_known_affected_version_range": "<= 9.0.85"
60+
}
61+
},
62+
{
63+
"package": {
64+
"ecosystem": "Maven",
65+
"name": "org.apache.tomcat.embed:tomcat-embed-core"
66+
},
67+
"ranges": [
68+
{
69+
"type": "ECOSYSTEM",
70+
"events": [
71+
{
72+
"introduced": "10.1.0-M1"
73+
},
74+
{
75+
"fixed": "10.1.19"
76+
}
77+
]
78+
}
79+
],
80+
"database_specific": {
81+
"last_known_affected_version_range": "<= 10.1.18"
82+
}
83+
},
84+
{
85+
"package": {
86+
"ecosystem": "Maven",
87+
"name": "org.apache.tomcat.embed:tomcat-embed-core"
88+
},
89+
"ranges": [
90+
{
91+
"type": "ECOSYSTEM",
92+
"events": [
93+
{
94+
"introduced": "11.0.0-M1"
95+
},
96+
{
97+
"fixed": "11.0.0-M17"
98+
}
99+
]
100+
}
101+
],
102+
"database_specific": {
103+
"last_known_affected_version_range": "<= 11.0.0-M16"
104+
}
105+
},
22106
{
23107
"package": {
24108
"ecosystem": "Maven",
@@ -110,89 +194,89 @@
110194
{
111195
"package": {
112196
"ecosystem": "Maven",
113-
"name": "org.apache.tomcat.embed:tomcat-embed-core"
197+
"name": "org.apache.tomcat:tomcat"
114198
},
115199
"ranges": [
116200
{
117201
"type": "ECOSYSTEM",
118202
"events": [
119203
{
120-
"introduced": "8.5.0"
204+
"introduced": "11.0.0-M1"
121205
},
122206
{
123-
"fixed": "8.5.99"
207+
"fixed": "11.0.0-M17"
124208
}
125209
]
126210
}
127211
],
128212
"database_specific": {
129-
"last_known_affected_version_range": "<= 8.5.98"
213+
"last_known_affected_version_range": "<= 11.0.0-M16"
130214
}
131215
},
132216
{
133217
"package": {
134218
"ecosystem": "Maven",
135-
"name": "org.apache.tomcat.embed:tomcat-embed-core"
219+
"name": "org.apache.tomcat:tomcat"
136220
},
137221
"ranges": [
138222
{
139223
"type": "ECOSYSTEM",
140224
"events": [
141225
{
142-
"introduced": "9.0.0-M1"
226+
"introduced": "10.1.0-M1"
143227
},
144228
{
145-
"fixed": "9.0.86"
229+
"fixed": "10.1.19"
146230
}
147231
]
148232
}
149233
],
150234
"database_specific": {
151-
"last_known_affected_version_range": "<= 9.0.85"
235+
"last_known_affected_version_range": "<= 10.1.18"
152236
}
153237
},
154238
{
155239
"package": {
156240
"ecosystem": "Maven",
157-
"name": "org.apache.tomcat.embed:tomcat-embed-core"
241+
"name": "org.apache.tomcat:tomcat"
158242
},
159243
"ranges": [
160244
{
161245
"type": "ECOSYSTEM",
162246
"events": [
163247
{
164-
"introduced": "10.1.0-M1"
248+
"introduced": "9.0.0-M1"
165249
},
166250
{
167-
"fixed": "10.1.19"
251+
"fixed": "9.0.86"
168252
}
169253
]
170254
}
171255
],
172256
"database_specific": {
173-
"last_known_affected_version_range": "<= 10.1.18"
257+
"last_known_affected_version_range": "<= 9.0.85"
174258
}
175259
},
176260
{
177261
"package": {
178262
"ecosystem": "Maven",
179-
"name": "org.apache.tomcat.embed:tomcat-embed-core"
263+
"name": "org.apache.tomcat:tomcat"
180264
},
181265
"ranges": [
182266
{
183267
"type": "ECOSYSTEM",
184268
"events": [
185269
{
186-
"introduced": "11.0.0-M1"
270+
"introduced": "8.5.0"
187271
},
188272
{
189-
"fixed": "11.0.0-M17"
273+
"fixed": "8.5.99"
190274
}
191275
]
192276
}
193277
],
194278
"database_specific": {
195-
"last_known_affected_version_range": "<= 11.0.0-M16"
279+
"last_known_affected_version_range": "<= 8.5.98"
196280
}
197281
}
198282
],
@@ -250,7 +334,7 @@
250334
"cwe_ids": [
251335
"CWE-20"
252336
],
253-
"severity": "MODERATE",
337+
"severity": "HIGH",
254338
"github_reviewed": true,
255339
"github_reviewed_at": "2024-03-15T16:27:53Z",
256340
"nvd_published_at": "2024-03-13T16:15:29Z"

0 commit comments

Comments
 (0)