PT-2024-2570 · Apache · Apache Tomcat

Bartek Nowotarski · Published 2024-02-19 · Updated 2026-05-29 · CVE-2024-24549

CVSS v2.0: 7.8 (High) · Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions: Apache Tomcat 11.0.0-M1 through 11.0.0-M16, 10.1.0-M1 through 10.1.18, 9.0.0-M1 through 9.0.85, and 8.5.0 through 8.5.98.
Description: The vulnerability in Apache Tomcat is due to improper input validation for HTTP/2 requests, leading to potential DoS conditions. If a request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed. This issue affects Apache Tomcat versions from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, and from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99, which fix the issue.
Recommendations: To resolve the issue, upgrade to the fixed Apache Tomcat releases 11.0.0-M17, 10.1.19, 9.0.86, or 8.5.99. Upgrading to these versions fixes the vulnerability and prevents the DoS condition. Until the upgrade can be applied, restrict access to the affected service to reduce the risk of exploitation; this is a temporary measure and should not be used as a permanent solution. Follow the Apache Tomcat release notes for the fixed versions and obtain them from the project's download page.
CVSS v3.1: 7.5 (High) · Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (availability impact only; no confidentiality or integrity impact).
Recommendations for each affected branch:
  • Apache Tomcat 11.0.0-M1 through 11.0.0-M16: upgrade to 11.0.0-M17.
  • Apache Tomcat 10.1.0-M1 through 10.1.18: upgrade to 10.1.19.
  • Apache Tomcat 9.0.0-M1 through 9.0.85: upgrade to 9.0.86.
  • Apache Tomcat 8.5.0 through 8.5.98: upgrade to 8.5.99.
In summary, the vulnerability affects Apache Tomcat 11.0.0-M1 through 11.0.0-M16, 10.1.0-M1 through 10.1.18, 9.0.0-M1 through 9.0.85, and 8.5.0 through 8.5.98; users of each branch should upgrade to the fixed version listed above.
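Added example, not code from the advisory or from the Apache Tomcat project: a small Python check that tells whether a Tomcat version string falls inside the affected ranges above and which release fixes it, handling milestone builds correctly (11.0.0-M16 is affected, 11.0.0-M17 and the later GA release are not). The `version.sh` banner used as input is constructed sample text, not captured output.

```python
"""Check an Apache Tomcat version against the CVE-2024-24549 affected ranges."""
import re
from typing import Optional, Tuple

# (first affected, last affected, fixing release) per branch, from the advisory.
AFFECTED = [
    ("11.0.0-M1", "11.0.0-M16", "11.0.0-M17"),
    ("10.1.0-M1", "10.1.18", "10.1.19"),
    ("9.0.0-M1", "9.0.85", "9.0.86"),
    ("8.5.0", "8.5.98", "8.5.99"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")
_BANNER_RE = re.compile(r"Apache Tomcat/(\d+\.\d+\.\d+(?:-M\d+)?)")
_GA_SLOT = 10**6  # a GA release sorts after every milestone of the same number


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '10.1.18' or '11.0.0-M16' into a comparable tuple.

    Milestones sort before the GA release with the same numbers, so
    '11.0.0-M1' < '11.0.0-M17' < '11.0.0'.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    slot = int(milestone) if milestone is not None else _GA_SLOT
    return (int(major), int(minor), int(patch), slot)


def fixed_version_for(version: str) -> Optional[str]:
    """Return the fixing release if `version` is affected, otherwise None."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED:
        if parse_version(low) <= v <= parse_version(high):
            return fixed
    return None


def fixed_version_from_banner(banner: str) -> Optional[str]:
    """Extract 'Apache Tomcat/<version>' from version.sh-style output and check it."""
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError("no Apache Tomcat version found in banner")
    return fixed_version_for(m.group(1))


# Constructed sample in the format printed by bin/version.sh (not real output).
SAMPLE_BANNER = "Server version: Apache Tomcat/9.0.85\nServer number:  9.0.85.0"

if __name__ == "__main__":
    fix = fixed_version_from_banner(SAMPLE_BANNER)
    print(f"affected, upgrade to {fix}" if fix else "not affected")
```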

Exploit · Fix · DoS · RCE

Related Identifiers

ALSA-2024:3307
ALSA-2024:3666
ALSA-2024_1134
ALSA-2024_1444
ALSA-2024_3307
ALSA-2024_3666
ALSA-2025_11333
ALSA-2025_11335
ALSA-2025_16880
ALSA-2025_3645
ALSA-2025_3683
ALT-PU-2025-1726
ALT-PU-2025-2379
ALT-PU-2025-9146
BDU:2024-02608
BIT-TOMCAT-2024-24549
CESA-2024_3666
CVE-2024-24549
DLA-3779-1
DSA-5665-1
DSA-5667-1
ELSA-2024-3307
ELSA-2024-3666
GHSA-7W75-32CG-R6G2
INFSA-2024_3307
INFSA-2024_3666
MGASA-2024-0090
OESA-2024-2402
OESA-2024-2403
OESA-2024-2404
OESA-2024-2405
OESA-2024-2460
OPENSUSE-SU-2024:13832-1
OPENSUSE-SU-2024:13833-1
OPENSUSE-SU-2024_1204-1
OPENSUSE-SU-2024_1345-1
RHSA-2024:1318
RHSA-2024:1324
RHSA-2024:3307
RHSA-2024:3308
RHSA-2024:3666
RHSA-2024:3814
RHSA-2024_3307
RHSA-2024_3666
RLSA-2024:3307
RLSA-2024:3666
RLSA-2024_3307
RLSA-2024_3666
SUSE-SU-2024:1204-1
SUSE-SU-2024:1205-1
SUSE-SU-2024:1345-1
SUSE-SU-2024_1204-1
SUSE-SU-2024_1205-1
SUSE-SU-2024_1345-1
SUSE-SU-2026:1058-1
USN-7562-1

Affected Products

Alt Linux
Almalinux
Apache Tomcat
Astra Linux
Bamboo
Bitbucket
Centos
Confluence
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu