CVE-2024-24549
Severity
7.5HIGH
EPSS
64.4%
top 1.55%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
PublishedMar 13
Latest updateJun 9
Description
Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Other, older, EOL versions may also be affect…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6
Affected Packages6 packages
Also affects: Debian Linux 10.0, Fedora 39, 40
🔴Vulnerability Details
4GHSA▶
Apache Tomcat Denial of Service due to improper input validation vulnerability for HTTP/2 requests↗2024-03-13
OSV▶
Apache Tomcat Denial of Service due to improper input validation vulnerability for HTTP/2 requests↗2024-03-13
OSV▶
CVE-2024-24549: Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat↗2024-03-13
📋Vendor Advisories
8Oracle▶
Oracle Oracle Autonomous Health Framework Risk Matrix: Trace File Analyzer (Apache Tomcat) — CVE-2024-24549↗2025-04-15
Atlassian▶
CVE-2024-24549: DoS (Denial of Service) org.apache.tomcat.embed:tomcat-embed-core Dependency in Bitbucket Data Center and Server↗2024-11-19
Oracle▶
Oracle Oracle Communications Applications Risk Matrix: Core (Apache Tomcat) — CVE-2024-24549↗2024-10-15
Oracle▶
Oracle Oracle Commerce Risk Matrix: Workbench, Platform Services, Content Acquisition System (Apache Tomcat) — CVE-2024-24549↗2024-07-15