Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. Older, unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.
History

Fri, 22 Nov 2024 12:00:00 +0000


Thu, 07 Nov 2024 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache tomcat
CPEs cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
Vendors & Products Apache
Apache tomcat
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 07 Nov 2024 07:45:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in Tomcat. Under certain configurations on any platform, this flaw allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process. Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. Older, unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.
Title tomcat: Denial of Service in Tomcat Apache Tomcat: Denial of Service
Weaknesses CWE-770
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'}


Wed, 30 Oct 2024 02:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:rhel_aus:8.2
cpe:/a:redhat:rhel_aus:8.6
cpe:/a:redhat:rhel_e4s:8.6
cpe:/a:redhat:rhel_tus:8.6

Tue, 29 Oct 2024 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Tus
CPEs cpe:/a:redhat:rhel_aus:8.4
cpe:/a:redhat:rhel_e4s:8.4
cpe:/a:redhat:rhel_eus:9.0
cpe:/a:redhat:rhel_tus:8.4
Vendors & Products Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Tus

Fri, 11 Oct 2024 14:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:rhel_eus:8.8

Thu, 10 Oct 2024 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat enterprise Linux
Redhat rhel Eus
CPEs cpe:/a:redhat:enterprise_linux:8
cpe:/a:redhat:enterprise_linux:9
cpe:/a:redhat:rhel_eus:9.2
Vendors & Products Redhat enterprise Linux
Redhat rhel Eus

Wed, 02 Oct 2024 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat jboss Enterprise Web Server
CPEs cpe:/a:redhat:jboss_enterprise_web_server:5.8
cpe:/a:redhat:jboss_enterprise_web_server:5.8::el7
cpe:/a:redhat:jboss_enterprise_web_server:5.8::el8
cpe:/a:redhat:jboss_enterprise_web_server:5.8::el9
cpe:/a:redhat:jboss_enterprise_web_server:6.0
cpe:/a:redhat:jboss_enterprise_web_server:6.0::el8
cpe:/a:redhat:jboss_enterprise_web_server:6.0::el9
Vendors & Products Redhat
Redhat jboss Enterprise Web Server

Wed, 25 Sep 2024 22:45:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE. A vulnerability was found in Tomcat. Under certain configurations on any platform, this flaw allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.

Wed, 25 Sep 2024 17:15:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE.
Title tomcat: Denial of Service in Tomcat
Weaknesses CWE-400
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Important


cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published: 2024-11-07T07:37:32.224Z

Updated: 2024-11-07T16:36:00.935Z

Reserved: 2024-06-12T16:27:23.740Z

Link: CVE-2024-38286

cve-icon Vulnrichment

Updated: 2024-11-07T08:03:33.093Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-11-07T08:15:13.007

Modified: 2024-11-21T09:25:17.487

Link: CVE-2024-38286

cve-icon Redhat

Severity : Important

Publid Date: 2024-09-23T00:00:00Z

Links: CVE-2024-38286 - Bugzilla