|
1 | 1 | { |
2 | 2 | "schema_version": "1.4.0", |
3 | 3 | "id": "GHSA-7w75-32cg-r6g2", |
4 | | - "modified": "2025-10-29T14:49:23Z", |
| 4 | + "modified": "2025-02-13T19:07:46Z", |
5 | 5 | "published": "2024-03-13T18:31:34Z", |
6 | 6 | "aliases": [ |
7 | 7 | "CVE-2024-24549" |
8 | 8 | ], |
9 | 9 | "summary": "Apache Tomcat Denial of Service due to improper input validation vulnerability for HTTP/2 requests", |
10 | 10 | "details": "Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.\n\nUsers are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.", |
11 | 11 | "severity": [ |
12 | | - { |
13 | | - "type": "CVSS_V3", |
14 | | - "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" |
15 | | - }, |
16 | 12 | { |
17 | 13 | "type": "CVSS_V4", |
18 | | - "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U" |
| 14 | + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" |
19 | 15 | } |
20 | 16 | ], |
21 | 17 | "affected": [ |
| 18 | + { |
| 19 | + "package": { |
| 20 | + "ecosystem": "Maven", |
| 21 | + "name": "org.apache.tomcat.embed:tomcat-embed-core" |
| 22 | + }, |
| 23 | + "ranges": [ |
| 24 | + { |
| 25 | + "type": "ECOSYSTEM", |
| 26 | + "events": [ |
| 27 | + { |
| 28 | + "introduced": "8.5.0" |
| 29 | + }, |
| 30 | + { |
| 31 | + "fixed": "8.5.99" |
| 32 | + } |
| 33 | + ] |
| 34 | + } |
| 35 | + ], |
| 36 | + "database_specific": { |
| 37 | + "last_known_affected_version_range": "<= 8.5.98" |
| 38 | + } |
| 39 | + }, |
| 40 | + { |
| 41 | + "package": { |
| 42 | + "ecosystem": "Maven", |
| 43 | + "name": "org.apache.tomcat.embed:tomcat-embed-core" |
| 44 | + }, |
| 45 | + "ranges": [ |
| 46 | + { |
| 47 | + "type": "ECOSYSTEM", |
| 48 | + "events": [ |
| 49 | + { |
| 50 | + "introduced": "9.0.0-M1" |
| 51 | + }, |
| 52 | + { |
| 53 | + "fixed": "9.0.86" |
| 54 | + } |
| 55 | + ] |
| 56 | + } |
| 57 | + ], |
| 58 | + "database_specific": { |
| 59 | + "last_known_affected_version_range": "<= 9.0.85" |
| 60 | + } |
| 61 | + }, |
| 62 | + { |
| 63 | + "package": { |
| 64 | + "ecosystem": "Maven", |
| 65 | + "name": "org.apache.tomcat.embed:tomcat-embed-core" |
| 66 | + }, |
| 67 | + "ranges": [ |
| 68 | + { |
| 69 | + "type": "ECOSYSTEM", |
| 70 | + "events": [ |
| 71 | + { |
| 72 | + "introduced": "10.1.0-M1" |
| 73 | + }, |
| 74 | + { |
| 75 | + "fixed": "10.1.19" |
| 76 | + } |
| 77 | + ] |
| 78 | + } |
| 79 | + ], |
| 80 | + "database_specific": { |
| 81 | + "last_known_affected_version_range": "<= 10.1.18" |
| 82 | + } |
| 83 | + }, |
| 84 | + { |
| 85 | + "package": { |
| 86 | + "ecosystem": "Maven", |
| 87 | + "name": "org.apache.tomcat.embed:tomcat-embed-core" |
| 88 | + }, |
| 89 | + "ranges": [ |
| 90 | + { |
| 91 | + "type": "ECOSYSTEM", |
| 92 | + "events": [ |
| 93 | + { |
| 94 | + "introduced": "11.0.0-M1" |
| 95 | + }, |
| 96 | + { |
| 97 | + "fixed": "11.0.0-M17" |
| 98 | + } |
| 99 | + ] |
| 100 | + } |
| 101 | + ], |
| 102 | + "database_specific": { |
| 103 | + "last_known_affected_version_range": "<= 11.0.0-M16" |
| 104 | + } |
| 105 | + }, |
22 | 106 | { |
23 | 107 | "package": { |
24 | 108 | "ecosystem": "Maven", |
|
110 | 194 | { |
111 | 195 | "package": { |
112 | 196 | "ecosystem": "Maven", |
113 | | - "name": "org.apache.tomcat.embed:tomcat-embed-core" |
| 197 | + "name": "org.apache.tomcat:tomcat" |
114 | 198 | }, |
115 | 199 | "ranges": [ |
116 | 200 | { |
117 | 201 | "type": "ECOSYSTEM", |
118 | 202 | "events": [ |
119 | 203 | { |
120 | | - "introduced": "8.5.0" |
| 204 | + "introduced": "11.0.0-M1" |
121 | 205 | }, |
122 | 206 | { |
123 | | - "fixed": "8.5.99" |
| 207 | + "fixed": "11.0.0-M17" |
124 | 208 | } |
125 | 209 | ] |
126 | 210 | } |
127 | 211 | ], |
128 | 212 | "database_specific": { |
129 | | - "last_known_affected_version_range": "<= 8.5.98" |
| 213 | + "last_known_affected_version_range": "<= 11.0.0-M16" |
130 | 214 | } |
131 | 215 | }, |
132 | 216 | { |
133 | 217 | "package": { |
134 | 218 | "ecosystem": "Maven", |
135 | | - "name": "org.apache.tomcat.embed:tomcat-embed-core" |
| 219 | + "name": "org.apache.tomcat:tomcat" |
136 | 220 | }, |
137 | 221 | "ranges": [ |
138 | 222 | { |
139 | 223 | "type": "ECOSYSTEM", |
140 | 224 | "events": [ |
141 | 225 | { |
142 | | - "introduced": "9.0.0-M1" |
| 226 | + "introduced": "10.1.0-M1" |
143 | 227 | }, |
144 | 228 | { |
145 | | - "fixed": "9.0.86" |
| 229 | + "fixed": "10.1.19" |
146 | 230 | } |
147 | 231 | ] |
148 | 232 | } |
149 | 233 | ], |
150 | 234 | "database_specific": { |
151 | | - "last_known_affected_version_range": "<= 9.0.85" |
| 235 | + "last_known_affected_version_range": "<= 10.1.18" |
152 | 236 | } |
153 | 237 | }, |
154 | 238 | { |
155 | 239 | "package": { |
156 | 240 | "ecosystem": "Maven", |
157 | | - "name": "org.apache.tomcat.embed:tomcat-embed-core" |
| 241 | + "name": "org.apache.tomcat:tomcat" |
158 | 242 | }, |
159 | 243 | "ranges": [ |
160 | 244 | { |
161 | 245 | "type": "ECOSYSTEM", |
162 | 246 | "events": [ |
163 | 247 | { |
164 | | - "introduced": "10.1.0-M1" |
| 248 | + "introduced": "9.0.0-M1" |
165 | 249 | }, |
166 | 250 | { |
167 | | - "fixed": "10.1.19" |
| 251 | + "fixed": "9.0.86" |
168 | 252 | } |
169 | 253 | ] |
170 | 254 | } |
171 | 255 | ], |
172 | 256 | "database_specific": { |
173 | | - "last_known_affected_version_range": "<= 10.1.18" |
| 257 | + "last_known_affected_version_range": "<= 9.0.85" |
174 | 258 | } |
175 | 259 | }, |
176 | 260 | { |
177 | 261 | "package": { |
178 | 262 | "ecosystem": "Maven", |
179 | | - "name": "org.apache.tomcat.embed:tomcat-embed-core" |
| 263 | + "name": "org.apache.tomcat:tomcat" |
180 | 264 | }, |
181 | 265 | "ranges": [ |
182 | 266 | { |
183 | 267 | "type": "ECOSYSTEM", |
184 | 268 | "events": [ |
185 | 269 | { |
186 | | - "introduced": "11.0.0-M1" |
| 270 | + "introduced": "8.5.0" |
187 | 271 | }, |
188 | 272 | { |
189 | | - "fixed": "11.0.0-M17" |
| 273 | + "fixed": "8.5.99" |
190 | 274 | } |
191 | 275 | ] |
192 | 276 | } |
193 | 277 | ], |
194 | 278 | "database_specific": { |
195 | | - "last_known_affected_version_range": "<= 11.0.0-M16" |
| 279 | + "last_known_affected_version_range": "<= 8.5.98" |
196 | 280 | } |
197 | 281 | } |
198 | 282 | ], |
|
250 | 334 | "cwe_ids": [ |
251 | 335 | "CWE-20" |
252 | 336 | ], |
253 | | - "severity": "MODERATE", |
| 337 | + "severity": "HIGH", |
254 | 338 | "github_reviewed": true, |
255 | 339 | "github_reviewed_at": "2024-03-15T16:27:53Z", |
256 | 340 | "nvd_published_at": "2024-03-13T16:15:29Z" |
|
0 commit comments