BIT-tomcat-2024-24549
See a problem?- Import Source
- https://github.com/bitnami/vulndb/tree/main/data/tomcat/BIT-tomcat-2024-24549.json
- JSON Data
- https://api.osv.dev/v1/vulns/BIT-tomcat-2024-24549
- Aliases
- Published
- 2025-07-17T08:09:49.355Z
- Modified
- 2026-03-20T12:15:07.004398Z
- Summary
- Apache Tomcat: HTTP/2 header handling DoS
- Details
-
Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0 through 11.0.0, from 10.1.0 through 10.1.18, from 9.0.0 through 9.0.85, from 8.5.0 through 8.5.98. Other, older, EOL versions may also be affected.
Users are recommended to upgrade to version 11.0.0, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
- Database specific
{ "cpes": [ "cpe:2.3:a:apache:tomcat:*:*:*:*:*:maven:*:*" ], "severity": "High" }- References
-
- http://www.openwall.com/lists/oss-security/2024/03/13/3
- https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg
- https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55/
- https://nvd.nist.gov/vuln/detail/CVE-2024-24549
- https://security.netapp.com/advisory/ntap-20240402-0002/
Affected packages
Bitnami / tomcat
Package
- Name
- tomcat
- Purl
- pkg:bitnami/tomcat
Severity
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator