CVE-2024-38286: Allocation of Resources Without Limits or Throttling in Apache Tomcat

Severity
NVD: 7.5 HIGH
CNA: 8.6
EPSS
0.4% (top 39.18%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Nov 7 (2024)
Latest update: Jun 9 (2025)

Description

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.35 through 8.5.100 and 7.0.92 through 7.0.109. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the iss

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (Exploitability: 3.9 | Impact: 3.6)

Reading the vector: network-reachable, low attack complexity, no privileges and no user interaction required, scope unchanged; no confidentiality or integrity impact, high availability impact. The 7.5 base score is therefore driven entirely by the denial-of-service component.

Affected Packages (2 packages)

Source     Package                                    Introduced   Last affected / fixed      More ranges
NVD        apache/tomcat                              9.0.13       9.0.90 (fixed)             +3
CVEListV5  apache_software_foundation/apache_tomcat   11.0.0-M1    11.0.0-M20 (last affected) +4

Also affects: Ontap Tools 10, 9
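The version ranges in the description and the package table above are what an operator actually needs to act on, and milestone releases (11.0.0-M20 is affected, 11.0.0-M21 is not, and both precede the 11.0.0 GA release) make a plain string comparison unreliable. The following checker, an added example rather than cvebase's or Apache's code, encodes the ranges exactly as the description lists them and orders milestones before the GA release of the same number. It assumes Tomcat's `major.minor.patch` and `major.minor.patch-Mn` version formats only; anything outside the listed ranges is reported as "not listed", because the description says other EOL versions may also be affected.

```python
"""Affected-version check for CVE-2024-38286, built from the version ranges
given in the advisory description. Added example; not cvebase's or Apache's
code. Only Tomcat's x.y.z and x.y.z-Mn version formats are handled."""
import re
from typing import Optional, Tuple

# (first affected, last affected, first fixed), copied from the description.
# The EOL 8.5.x and 7.0.x lines have no fixed release listed, hence None.
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.0-M20", "11.0.0-M21"),
    ("10.1.0-M1", "10.1.24", "10.1.25"),
    ("9.0.13", "9.0.89", "9.0.90"),
    ("8.5.35", "8.5.100", None),
    ("7.0.92", "7.0.109", None),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(v: str) -> Tuple[int, int, int, int, int]:
    """Turn '10.1.0-M5' into a sortable tuple.

    A milestone -Mn precedes the GA release with the same number, so a
    milestone sorts as (major, minor, patch, 0, n) and GA as
    (major, minor, patch, 1, 0).
    """
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def status(version: str) -> str:
    """'affected', 'fixed' (at or past the listed fix on the same branch),
    or 'not listed' (outside every listed range; the advisory says other
    EOL versions may also be affected, so treat this as unknown)."""
    key = parse_version(version)
    for lo, hi, fixed in AFFECTED_RANGES:
        if parse_version(lo) <= key <= parse_version(hi):
            return "affected"
        if fixed is not None:
            fixed_key = parse_version(fixed)
            same_branch = key[:2] == fixed_key[:2]      # same major.minor
            if same_branch and key >= fixed_key:
                return "fixed"
    return "not listed"


def recommended_fix(version: str) -> Optional[str]:
    """Fixed release for an affected version, or None when the branch is
    EOL with no fix listed or the version is not in an affected range."""
    key = parse_version(version)
    for lo, hi, fixed in AFFECTED_RANGES:
        if parse_version(lo) <= key <= parse_version(hi):
            return fixed
    return None


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for v in ("9.0.89", "9.0.90", "10.1.0-M5", "11.0.0-M21", "11.0.0", "8.5.50", "9.0.12"):
        print(f"{v:<12} {status(v):<11} fix: {recommended_fix(v)}")
```

Feed it the version string from `catalina.sh version` (or the `Server` header, if it is exposed) for each host; anything reported as "affected" with a fix of None is on an EOL branch and needs a branch upgrade rather than a patch release.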

Vulnerability Details (4)

GHSA     Apache Tomcat Allocation of Resources Without Limits or Throttling vulnerability (2024-11-07)
OSV      Apache Tomcat Allocation of Resources Without Limits or Throttling vulnerability (2024-11-07)
CVEList  Apache Tomcat: Denial of Service (2024-11-07)
OSV      CVE-2024-38286: Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat (2024-11-07)

Vendor Advisories (4)

Ubuntu     Tomcat vulnerabilities (2025-06-09)
Atlassian  CVE-2024-38286: 6.1.1 to 6.1.2 recommended, Data Center Only; 6.0.3 to 6.0.4, Data Center Only; 5.3.6, Data Center Only (2024-11-19)
Red Hat    tomcat: Denial of Service in Tomcat (2024-09-23)
Debian     CVE-2024-38286: tomcat10 - Allocation of Resources Without Limits or Throttling vulnerability in Apache Tom... (2024)
CVE-2024-38286 — Apache Tomcat vulnerability | cvebase