GHSA-7w75-32cg-r6g2

Source

https://github.com/advisories/GHSA-7w75-32cg-r6g2

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-7w75-32cg-r6g2/GHSA-7w75-32cg-r6g2.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-7w75-32cg-r6g2

Aliases

BIT-tomcat-2024-24549
CVE-2024-24549

Related

Published

2024-03-13T18:31:34Z

Modified

2024-06-25T02:30:05.155818Z

Summary

Apache Tomcat Denial of Service due to improper input validation vulnerability for HTTP/2 requests

Details

Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.

Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.

References

Affected packages

Maven / org.apache.tomcat:tomcat-coyote

Package

Name: org.apache.tomcat:tomcat-coyote; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat/tomcat-coyote

Affected ranges

Type: ECOSYSTEM
Events: Introduced

11.0.0-M1

Fixed

11.0.0-M17

Affected versions

11.*

11.0.0-M1

11.0.0-M3

11.0.0-M4

11.0.0-M5

11.0.0-M6

11.0.0-M7

11.0.0-M9

11.0.0-M10

11.0.0-M11

11.0.0-M12

11.0.0-M13

11.0.0-M14

11.0.0-M15

11.0.0-M16

Database specific

{
    "last_known_affected_version_range": "<= 11.0.0-M16"
}

Maven / org.apache.tomcat:tomcat-coyote

Package

Name: org.apache.tomcat:tomcat-coyote; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat/tomcat-coyote

Affected ranges

Type: ECOSYSTEM
Events: Introduced

10.1.0-M1

Fixed

10.1.19

Affected versions

10.*

10.1.0-M1

10.1.0-M2

10.1.0-M4

10.1.0-M5

10.1.0-M6

10.1.0-M7

10.1.0-M8

10.1.0-M10

10.1.0-M11

10.1.0-M12

10.1.0-M14

10.1.0-M15

10.1.0-M16

10.1.0-M17

10.1.0

10.1.1

10.1.2

10.1.4

10.1.5

10.1.6

10.1.7

10.1.8

10.1.9

10.1.10

10.1.11

10.1.12

10.1.13

10.1.14

10.1.15

10.1.16

10.1.17

10.1.18

Database specific

{
    "last_known_affected_version_range": "<= 10.1.18"
}

Maven / org.apache.tomcat:tomcat-coyote

Package

Name: org.apache.tomcat:tomcat-coyote; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat/tomcat-coyote

Affected ranges

Type: ECOSYSTEM
Events: Introduced

9.0.0-M1

Fixed

9.0.86

Affected versions

9.*

9.0.0.M1

9.0.0.M3

9.0.0.M4

9.0.0.M6

9.0.0.M8

9.0.0.M9

9.0.0.M10

9.0.0.M11

9.0.0.M13

9.0.0.M15

9.0.0.M17

9.0.0.M18

9.0.0.M19

9.0.0.M20

9.0.0.M21

9.0.0.M22

9.0.0.M25

9.0.0.M26

9.0.0.M27

9.0.1

9.0.2

9.0.4

9.0.5

9.0.6

9.0.7

9.0.8

9.0.10

9.0.11

9.0.12

9.0.13

9.0.14

9.0.16

9.0.17

9.0.19

9.0.20

9.0.21

9.0.22

9.0.24

9.0.26

9.0.27

9.0.29

9.0.30

9.0.31

9.0.33

9.0.34

9.0.35

9.0.36

9.0.37

9.0.38

9.0.39

9.0.40

9.0.41

9.0.43

9.0.44

9.0.45

9.0.46

9.0.48

9.0.50

9.0.52

9.0.53

9.0.54

9.0.55

9.0.56

9.0.58

9.0.59

9.0.60

9.0.62

9.0.63

9.0.64

9.0.65

9.0.67

9.0.68

9.0.69

9.0.70

9.0.71

9.0.72

9.0.73

9.0.74

9.0.75

9.0.76

9.0.78

9.0.79

9.0.80

9.0.81

9.0.82

9.0.83

9.0.84

9.0.85

Database specific

{
    "last_known_affected_version_range": "<= 9.0.85"
}

Maven / org.apache.tomcat:tomcat-coyote

Package

Name: org.apache.tomcat:tomcat-coyote; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat/tomcat-coyote

Affected ranges

Type: ECOSYSTEM
Events: Introduced

8.5.0

Fixed

8.5.99

Affected versions

8.*

8.5.0

8.5.2

8.5.3

8.5.4

8.5.5

8.5.6

8.5.8

8.5.9

8.5.11

8.5.12

8.5.13

8.5.14

8.5.15

8.5.16

8.5.19

8.5.20

8.5.21

8.5.23

8.5.24

8.5.27

8.5.28

8.5.29

8.5.30

8.5.31

8.5.32

8.5.33

8.5.34

8.5.35

8.5.37

8.5.38

8.5.39

8.5.40

8.5.41

8.5.42

8.5.43

8.5.45

8.5.46

8.5.47

8.5.49

8.5.50

8.5.51

8.5.53

8.5.54

8.5.55

8.5.56

8.5.57

8.5.58

8.5.59

8.5.60

8.5.61

8.5.63

8.5.64

8.5.65

8.5.66

8.5.68

8.5.69

8.5.70

8.5.71

8.5.72

8.5.73

8.5.75

8.5.76

8.5.77

8.5.78

8.5.79

8.5.81

8.5.82

8.5.83

8.5.84

8.5.85

8.5.86

8.5.87

8.5.88

8.5.89

8.5.90

8.5.91

8.5.92

8.5.93

8.5.94

8.5.95

8.5.96

8.5.97

8.5.98

Database specific

{
    "last_known_affected_version_range": "<= 8.5.98"
}

Maven / org.apache.tomcat.embed:tomcat-embed-core

Package

Name: org.apache.tomcat.embed:tomcat-embed-core; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

8.5.0

Fixed

8.5.99

Affected versions

8.*

8.5.0

8.5.2

8.5.3

8.5.4

8.5.5

8.5.6

8.5.8

8.5.9

8.5.11

8.5.12

8.5.13

8.5.14

8.5.15

8.5.16

8.5.19

8.5.20

8.5.21

8.5.23

8.5.24

8.5.27

8.5.28

8.5.29

8.5.30

8.5.31

8.5.32

8.5.33

8.5.34

8.5.35

8.5.37

8.5.38

8.5.39

8.5.40

8.5.41

8.5.42

8.5.43

8.5.45

8.5.46

8.5.47

8.5.49

8.5.50

8.5.51

8.5.53

8.5.54

8.5.55

8.5.56

8.5.57

8.5.58

8.5.59

8.5.60

8.5.61

8.5.63

8.5.64

8.5.65

8.5.66

8.5.68

8.5.69

8.5.70

8.5.71

8.5.72

8.5.73

8.5.75

8.5.76

8.5.77

8.5.78

8.5.79

8.5.81

8.5.82

8.5.83

8.5.84

8.5.85

8.5.86

8.5.87

8.5.88

8.5.89

8.5.90

8.5.91

8.5.92

8.5.93

8.5.94

8.5.95

8.5.96

8.5.97

8.5.98

Database specific

{
    "last_known_affected_version_range": "<= 8.5.98"
}

Maven / org.apache.tomcat.embed:tomcat-embed-core

Package

Name: org.apache.tomcat.embed:tomcat-embed-core; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

9.0.0-M1

Fixed

9.0.86

Affected versions

9.*

9.0.0.M1

9.0.0.M3

9.0.0.M4

9.0.0.M6

9.0.0.M8

9.0.0.M9

9.0.0.M10

9.0.0.M11

9.0.0.M13

9.0.0.M15

9.0.0.M17

9.0.0.M18

9.0.0.M19

9.0.0.M20

9.0.0.M21

9.0.0.M22

9.0.0.M25

9.0.0.M26

9.0.0.M27

9.0.1

9.0.2

9.0.4

9.0.5

9.0.6

9.0.7

9.0.8

9.0.10

9.0.11

9.0.12

9.0.13

9.0.14

9.0.16

9.0.17

9.0.19

9.0.20

9.0.21

9.0.22

9.0.24

9.0.26

9.0.27

9.0.29

9.0.30

9.0.31

9.0.33

9.0.34

9.0.35

9.0.36

9.0.37

9.0.38

9.0.39

9.0.40

9.0.41

9.0.43

9.0.44

9.0.45

9.0.46

9.0.48

9.0.50

9.0.52

9.0.53

9.0.54

9.0.55

9.0.56

9.0.58

9.0.59

9.0.60

9.0.62

9.0.63

9.0.64

9.0.65

9.0.67

9.0.68

9.0.69

9.0.70

9.0.71

9.0.72

9.0.73

9.0.74

9.0.75

9.0.76

9.0.78

9.0.79

9.0.80

9.0.81

9.0.82

9.0.83

9.0.84

9.0.85

Database specific

{
    "last_known_affected_version_range": "<= 9.0.85"
}

Maven / org.apache.tomcat.embed:tomcat-embed-core

Package

Name: org.apache.tomcat.embed:tomcat-embed-core; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

10.1.0-M1

Fixed

10.1.19

Affected versions

10.*

10.1.0-M1

10.1.0-M2

10.1.0-M4

10.1.0-M5

10.1.0-M6

10.1.0-M7

10.1.0-M8

10.1.0-M10

10.1.0-M11

10.1.0-M12

10.1.0-M14

10.1.0-M15

10.1.0-M16

10.1.0-M17

10.1.0

10.1.1

10.1.2

10.1.4

10.1.5

10.1.6

10.1.7

10.1.8

10.1.9

10.1.10

10.1.11

10.1.12

10.1.13

10.1.14

10.1.15

10.1.16

10.1.17

10.1.18

Database specific

{
    "last_known_affected_version_range": "<= 10.1.18"
}

Maven / org.apache.tomcat.embed:tomcat-embed-core

Package

Name: org.apache.tomcat.embed:tomcat-embed-core; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

11.0.0-M1

Fixed

11.0.0-M17

Affected versions

11.*

11.0.0-M1

11.0.0-M3

11.0.0-M4

11.0.0-M5

11.0.0-M6

11.0.0-M7

11.0.0-M9

11.0.0-M10

11.0.0-M11

11.0.0-M12

11.0.0-M13

11.0.0-M14

11.0.0-M15

11.0.0-M16

Database specific

{
    "last_known_affected_version_range": "<= 11.0.0-M16"
}