Get a Demo

CVE

CVE-2024-38286

Apache Tomcat Allocation of Resources Without Limits or Throttling vulnerability

Description

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. Older, unsupported versions may also be affected.

Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue.

Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.

Base CVSS

8.6

EPSS Score

0.96%

Introduced Version

6.0.13

Fix Available

11.0.0-M21,9.0.90,10.1.25

Fix without Upgrading

Available Patches

Package

CVEs Fixed

Lines of Code Changed

Package Name

org.apache.tomcat:tomcat-coyote

References

https://github.com/apache/tomcat/commit/3197862639732e16ec1164557bcd289ebc116c93

https://github.com/apache/tomcat/commit/3344c17cef094da4bb616f4186ed32039627b543

http://www.openwall.com/lists/oss-security/2024/09/23/2

https://github.com/apache/tomcat/commit/76c5cce6f0bcef14b0c21c38910371ca7d322d13

https://nvd.nist.gov/vuln/detail/CVE-2024-38286

https://security.netapp.com/advisory/ntap-20241101-0010

https://lists.apache.org/thread/wms60cvbsz3fpbz9psxtfx8r41jl6d4s

https://github.com/apache/tomcat

AppSec for the Software Development Revolution

Endor Labs builds a complete graph of your software estate, so teams can pinpoint and fix critical risks in complex, dependency-rich code—whether it was written by humans or AI.

Welcome to the resistance

Oops! Something went wrong, please try again.

Get a Demo

Let's Patch It!

References

AppSec for the Software Development Revolution