Lucene search

K
tomcatApache TomcatTOMCAT:82BA0DC40ABA6C528A36EA786196208A
HistoryFeb 19, 2024 - 12:00 a.m.

Fixed in Apache Tomcat 11.0.0-M17

2024-02-1900:00:00
Apache Tomcat
tomcat.apache.org
12
websocket client
resource consumption
http/2 request
header limits
tomcat security team
public disclosure
software vulnerability

7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.5%

Important: Denial of Service CVE-2024-23672

It was possible for a WebSocket client to keep a WebSocket connection open leading to increased resource consumption.

This was fixed with commit b0e3b1bd.

This issue was identified by the Tomcat Security Team on 17 January 2024. The issue was made public on 13 March 2024.

Affects: 11.0.0-M1 to 11.0.0-M16

Important: Denial of Service CVE-2024-24549

When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.

This was fixed with commit 810f49d5.

This issue was reported to the Tomcat Security Team on 24 January 2024. The issue was made public on 13 March 2024.

Affects: 11.0.0-M1 to 11.0.0-M16