cve-2024-52317
Vulnerability from cvelistv5
Published
2024-11-18 11:36
Modified
2025-01-24 20:03
Severity ?
Summary
Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the issue.
Impacted products
Vendor Product Version
Apache Software Foundation Apache Tomcat Version: 11.0.0-M23    11.0.0-M26
Version: 10.1.27    10.1.30
Version: 9.0.92    9.0.95
Create a notification for this product.
Show details on NVD website


{
   containers: {
      adp: [
         {
            affected: [
               {
                  cpes: [
                     "cpe:2.3:a:apache:tomcat:-:*:*:*:*:*:*:*",
                  ],
                  defaultStatus: "unknown",
                  product: "tomcat",
                  vendor: "apache",
                  versions: [
                     {
                        lessThanOrEqual: "9.0.95",
                        status: "affected",
                        version: "9.0.92",
                        versionType: "semver",
                     },
                     {
                        lessThanOrEqual: "10.1.30",
                        status: "affected",
                        version: "10.1.27",
                        versionType: "semver",
                     },
                     {
                        lessThanOrEqual: "11.0.0-M26",
                        status: "affected",
                        version: "11.0.0-M23",
                        versionType: "semver",
                     },
                  ],
               },
            ],
            metrics: [
               {
                  cvssV3_1: {
                     attackComplexity: "LOW",
                     attackVector: "NETWORK",
                     availabilityImpact: "NONE",
                     baseScore: 6.5,
                     baseSeverity: "MEDIUM",
                     confidentialityImpact: "LOW",
                     integrityImpact: "LOW",
                     privilegesRequired: "NONE",
                     scope: "UNCHANGED",
                     userInteraction: "NONE",
                     vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                     version: "3.1",
                  },
               },
               {
                  other: {
                     content: {
                        id: "CVE-2024-52317",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "yes",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-11-18T14:44:38.538929Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            problemTypes: [
               {
                  descriptions: [
                     {
                        cweId: "CWE-326",
                        description: "CWE-326 Inadequate Encryption Strength",
                        lang: "en",
                        type: "CWE",
                     },
                  ],
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-11-18T14:49:35.054Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
         {
            providerMetadata: {
               dateUpdated: "2025-01-24T20:03:10.485Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  url: "http://www.openwall.com/lists/oss-security/2024/11/18/3",
               },
               {
                  url: "https://security.netapp.com/advisory/ntap-20250124-0004/",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "Apache Tomcat",
               vendor: "Apache Software Foundation",
               versions: [
                  {
                     lessThanOrEqual: "11.0.0-M26",
                     status: "affected",
                     version: "11.0.0-M23",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "10.1.30",
                     status: "affected",
                     version: "10.1.27",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "9.0.95",
                     status: "affected",
                     version: "9.0.92",
                     versionType: "semver",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "<p>Incorrect object re-cycling and re-use vulnerability in Apache Tomcat.&nbsp;Incorrect recycling of the request and response used by HTTP/2 requests \ncould lead to request and/or response mix-up between users.</p><p>This issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95.</p><p>Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the issue.</p>",
                  },
               ],
               value: "Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests \ncould lead to request and/or response mix-up between users.\n\nThis issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95.\n\nUsers are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the issue.",
            },
         ],
         metrics: [
            {
               other: {
                  content: {
                     text: "important",
                  },
                  type: "Textual description of severity",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "Incorrect object re-cycling and re-use",
                     lang: "en",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-11-18T11:36:51.963Z",
            orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            shortName: "apache",
         },
         references: [
            {
               tags: [
                  "vendor-advisory",
               ],
               url: "https://lists.apache.org/thread/ty376mrxy1mmxtw3ogo53nc9l3co3dfs",
            },
         ],
         source: {
            discovery: "INTERNAL",
         },
         title: "Apache Tomcat: Request/response mix-up with HTTP/2",
         x_generator: {
            engine: "Vulnogram 0.2.0",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09",
      assignerShortName: "apache",
      cveId: "CVE-2024-52317",
      datePublished: "2024-11-18T11:36:51.963Z",
      dateReserved: "2024-11-07T07:45:03.449Z",
      dateUpdated: "2025-01-24T20:03:10.485Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      fkie_nvd: {
         descriptions: "[{\"lang\": \"en\", \"value\": \"Incorrect object re-cycling and re-use vulnerability in Apache Tomcat.\\u00a0Incorrect recycling of the request and response used by HTTP/2 requests \\ncould lead to request and/or response mix-up between users.\\n\\nThis issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95.\\n\\nUsers are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the issue.\"}, {\"lang\": \"es\", \"value\": \"Vulnerabilidad de reutilizaci\\u00f3n y reciclaje incorrecto de objetos en Apache Tomcat. El reciclaje incorrecto de la solicitud y la respuesta utilizadas por las solicitudes HTTP/2 podr\\u00eda provocar una confusi\\u00f3n de solicitudes y/o respuestas entre usuarios. Este problema afecta a Apache Tomcat: desde 11.0.0-M23 hasta 11.0.0-M26, desde 10.1.27 hasta 10.1.30, desde 9.0.92 hasta 9.0.95. Se recomienda a los usuarios que actualicen a la versi\\u00f3n 11.0.0, 10.1.31 o 9.0.96, que soluciona el problema.\"}]",
         id: "CVE-2024-52317",
         lastModified: "2024-11-21T09:46:16.630",
         metrics: "{\"cvssMetricV31\": [{\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 2.5}]}",
         published: "2024-11-18T12:15:18.727",
         references: "[{\"url\": \"https://lists.apache.org/thread/ty376mrxy1mmxtw3ogo53nc9l3co3dfs\", \"source\": \"security@apache.org\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2024/11/18/3\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
         sourceIdentifier: "security@apache.org",
         vulnStatus: "Awaiting Analysis",
         weaknesses: "[{\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-326\"}]}]",
      },
      nvd: "{\"cve\":{\"id\":\"CVE-2024-52317\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2024-11-18T12:15:18.727\",\"lastModified\":\"2025-01-24T20:15:32.963\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests \\ncould lead to request and/or response mix-up between users.\\n\\nThis issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95.\\n\\nUsers are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the issue.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad de reutilización y reciclaje incorrecto de objetos en Apache Tomcat. El reciclaje incorrecto de la solicitud y la respuesta utilizadas por las solicitudes HTTP/2 podría provocar una confusión de solicitudes y/o respuestas entre usuarios. Este problema afecta a Apache Tomcat: desde 11.0.0-M23 hasta 11.0.0-M26, desde 10.1.27 hasta 10.1.30, desde 9.0.92 hasta 9.0.95. Se recomienda a los usuarios que actualicen a la versión 11.0.0, 10.1.31 o 9.0.96, que soluciona el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-326\"}]}],\"references\":[{\"url\":\"https://lists.apache.org/thread/ty376mrxy1mmxtw3ogo53nc9l3co3dfs\",\"source\":\"security@apache.org\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2024/11/18/3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20250124-0004/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
      vulnrichment: {
         containers: "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2024/11/18/3\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-11-18T18:03:24.879Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-52317\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-11-18T14:44:38.538929Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:apache:tomcat:-:*:*:*:*:*:*:*\"], \"vendor\": \"apache\", \"product\": \"tomcat\", \"versions\": [{\"status\": \"affected\", \"version\": \"9.0.92\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"9.0.95\"}, {\"status\": \"affected\", \"version\": \"10.1.27\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"10.1.30\"}, {\"status\": \"affected\", \"version\": \"11.0.0-M23\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"11.0.0-M26\"}], \"defaultStatus\": \"unknown\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-326\", \"description\": \"CWE-326 Inadequate Encryption Strength\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-11-18T14:49:18.718Z\"}}], \"cna\": {\"title\": \"Apache Tomcat: Request/response mix-up with HTTP/2\", \"source\": {\"discovery\": \"INTERNAL\"}, \"metrics\": [{\"other\": {\"type\": \"Textual description of severity\", \"content\": {\"text\": \"important\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache Tomcat\", \"versions\": [{\"status\": \"affected\", \"version\": \"11.0.0-M23\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"11.0.0-M26\"}, {\"status\": \"affected\", \"version\": \"10.1.27\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"10.1.30\"}, {\"status\": \"affected\", \"version\": \"9.0.92\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"9.0.95\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://lists.apache.org/thread/ty376mrxy1mmxtw3ogo53nc9l3co3dfs\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Incorrect object re-cycling and re-use vulnerability in Apache Tomcat.\\u00a0Incorrect recycling of the request and response used by HTTP/2 requests \\ncould lead to request and/or response mix-up between users.\\n\\nThis issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95.\\n\\nUsers are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the issue.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"<p>Incorrect object re-cycling and re-use vulnerability in Apache Tomcat.&nbsp;Incorrect recycling of the request and response used by HTTP/2 requests \\ncould lead to request and/or response mix-up between users.</p><p>This issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95.</p><p>Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the issue.</p>\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"description\": \"Incorrect object re-cycling and re-use\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2024-11-18T11:36:51.963Z\"}}}",
         cveMetadata: "{\"cveId\": \"CVE-2024-52317\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-18T18:03:24.879Z\", \"dateReserved\": \"2024-11-07T07:45:03.449Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2024-11-18T11:36:51.963Z\", \"assignerShortName\": \"apache\"}",
         dataType: "CVE_RECORD",
         dataVersion: "5.1",
      },
   },
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.