GHSA-wm9w-rjj3-j356
Suggest an improvement- Source
- https://github.com/advisories/GHSA-wm9w-rjj3-j356
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-wm9w-rjj3-j356/GHSA-wm9w-rjj3-j356.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-wm9w-rjj3-j356
- Aliases
- Related
- Published
- 2024-07-03T21:39:44Z
- Modified
- 2024-07-05T20:57:34.262116Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Apache Tomcat - Denial of Service
- Details
-
Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89.
Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.
- Database specific
{ "nvd_published_at": "2024-07-03T20:15:04Z", "cwe_ids": [ "CWE-400", "CWE-755" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-07-05T20:39:41Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2024-34750
- https://github.com/apache/tomcat/commit/2344a4c0d03e307ba6b8ab6dc8b894cc8bac63f2
- https://github.com/apache/tomcat/commit/2afae300c9ac9c0e516e2e9de580847d925365c3
- https://github.com/apache/tomcat/commit/9fec9a82887853402833a80b584e3762c7423f5f
- https://github.com/apache/tomcat
- https://lists.apache.org/thread/4kqf0bc9gxymjc2x7v3p7dvplnl77y8l
- https://tomcat.apache.org/security-10.html
- https://tomcat.apache.org/security-11.html
- https://tomcat.apache.org/security-9.html
Affected packages
Maven / org.apache.tomcat.embed:tomcat-embed-core
Package
- Name
- org.apache.tomcat.embed:tomcat-embed-core
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.tomcat.embed/tomcat-embed-core
Maven / org.apache.tomcat.embed:tomcat-embed-core
Package
- Name
- org.apache.tomcat.embed:tomcat-embed-core
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.tomcat.embed/tomcat-embed-core
Affected versions
10.*
10.1.0-M1
10.1.0-M2
10.1.0-M4
10.1.0-M5
10.1.0-M6
10.1.0-M7
10.1.0-M8
10.1.0-M10
10.1.0-M11
10.1.0-M12
10.1.0-M14
10.1.0-M15
10.1.0-M16
10.1.0-M17
10.1.0
10.1.1
10.1.2
10.1.4
10.1.5
10.1.6
10.1.7
10.1.8
10.1.9
10.1.10
10.1.11
10.1.12
10.1.13
10.1.14
10.1.15
10.1.16
10.1.17
10.1.18
10.1.19
10.1.20
10.1.23
10.1.24
Maven / org.apache.tomcat.embed:tomcat-embed-core
Package
- Name
- org.apache.tomcat.embed:tomcat-embed-core
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.tomcat.embed/tomcat-embed-core
Affected versions
9.*
9.0.0.M1
9.0.0.M3
9.0.0.M4
9.0.0.M6
9.0.0.M8
9.0.0.M9
9.0.0.M10
9.0.0.M11
9.0.0.M13
9.0.0.M15
9.0.0.M17
9.0.0.M18
9.0.0.M19
9.0.0.M20
9.0.0.M21
9.0.0.M22
9.0.0.M25
9.0.0.M26
9.0.0.M27
9.0.1
9.0.2
9.0.4
9.0.5
9.0.6
9.0.7
9.0.8
9.0.10
9.0.11
9.0.12
9.0.13
9.0.14
9.0.16
9.0.17
9.0.19
9.0.20
9.0.21
9.0.22
9.0.24
9.0.26
9.0.27
9.0.29
9.0.30
9.0.31
9.0.33
9.0.34
9.0.35
9.0.36
9.0.37
9.0.38
9.0.39
9.0.40
9.0.41
9.0.43
9.0.44
9.0.45
9.0.46
9.0.48
9.0.50
9.0.52
9.0.53
9.0.54
9.0.55
9.0.56
9.0.58
9.0.59
9.0.60
9.0.62
9.0.63
9.0.64
9.0.65
9.0.67
9.0.68
9.0.69
9.0.70
9.0.71
9.0.72
9.0.73
9.0.74
9.0.75
9.0.76
9.0.78
9.0.79
9.0.80
9.0.81
9.0.82
9.0.83
9.0.84
9.0.85
9.0.86
9.0.87
9.0.88
9.0.89
Maven / org.apache.tomcat:tomcat-coyote
Package
- Name
- org.apache.tomcat:tomcat-coyote
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.tomcat/tomcat-coyote
Maven / org.apache.tomcat:tomcat-coyote
Package
- Name
- org.apache.tomcat:tomcat-coyote
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.tomcat/tomcat-coyote
Affected versions
10.*
10.1.0-M1
10.1.0-M2
10.1.0-M4
10.1.0-M5
10.1.0-M6
10.1.0-M7
10.1.0-M8
10.1.0-M10
10.1.0-M11
10.1.0-M12
10.1.0-M14
10.1.0-M15
10.1.0-M16
10.1.0-M17
10.1.0
10.1.1
10.1.2
10.1.4
10.1.5
10.1.6
10.1.7
10.1.8
10.1.9
10.1.10
10.1.11
10.1.12
10.1.13
10.1.14
10.1.15
10.1.16
10.1.17
10.1.18
10.1.19
10.1.20
10.1.23
10.1.24
Maven / org.apache.tomcat:tomcat-coyote
Package
- Name
- org.apache.tomcat:tomcat-coyote
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.tomcat/tomcat-coyote
Affected versions
9.*
9.0.0.M1
9.0.0.M3
9.0.0.M4
9.0.0.M6
9.0.0.M8
9.0.0.M9
9.0.0.M10
9.0.0.M11
9.0.0.M13
9.0.0.M15
9.0.0.M17
9.0.0.M18
9.0.0.M19
9.0.0.M20
9.0.0.M21
9.0.0.M22
9.0.0.M25
9.0.0.M26
9.0.0.M27
9.0.1
9.0.2
9.0.4
9.0.5
9.0.6
9.0.7
9.0.8
9.0.10
9.0.11
9.0.12
9.0.13
9.0.14
9.0.16
9.0.17
9.0.19
9.0.20
9.0.21
9.0.22
9.0.24
9.0.26
9.0.27
9.0.29
9.0.30
9.0.31
9.0.33
9.0.34
9.0.35
9.0.36
9.0.37
9.0.38
9.0.39
9.0.40
9.0.41
9.0.43
9.0.44
9.0.45
9.0.46
9.0.48
9.0.50
9.0.52
9.0.53
9.0.54
9.0.55
9.0.56
9.0.58
9.0.59
9.0.60
9.0.62
9.0.63
9.0.64
9.0.65
9.0.67
9.0.68
9.0.69
9.0.70
9.0.71
9.0.72
9.0.73
9.0.74
9.0.75
9.0.76
9.0.78
9.0.79
9.0.80
9.0.81
9.0.82
9.0.83
9.0.84
9.0.85
9.0.86
9.0.87
9.0.88
9.0.89