CVE-2024-24549

State: PUBLISHED · Published: 2024-03-13 · Updated: 2025-10-29 · Assigner: apache

Description

Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.

CWE

CWE-20 — CWE-20 Improper Input Validation

Affected

Apache Software Foundation / Apache Tomcat — v=11.0.0-M1 ≤11.0.0-M16 [affected]; v=10.1.0-M1 ≤10.1.18 [affected]; v=9.0.0-M1 ≤9.0.85 [affected]; v=8.5.0 ≤8.5.98 [affected]; v=10.0.0-M1 ≤10.0.27 [unknown]

CVSS

(none)

References

https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg vendor-advisory

Source

cvelistV5-main/cves/2024/24xxx/CVE-2024-24549.json