IM
IronMonkey Threat Research

CVE-2024-52317 MEDIUM

Published: 2024-11-18 | Last Modified: 2025-05-15 | Status: Analyzed

Description

Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the issue.

Additional Descriptions (1)

Vulnerabilidad de reutilización y reciclaje incorrecto de objetos en Apache Tomcat. El reciclaje incorrecto de la solicitud y la respuesta utilizadas por las solicitudes HTTP/2 podría provocar una confusión de solicitudes y/o respuestas entre usuarios. Este problema afecta a Apache Tomcat: desde 11.0.0-M23 hasta 11.0.0-M26, desde 10.1.27 hasta 10.1.30, desde 9.0.92 hasta 9.0.95. Se recomienda a los usuarios que actualicen a la versión 11.0.0, 10.1.31 o 9.0.96, que soluciona el problema.

CVSS Metrics

Base Score: 6.5 (MEDIUM)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack VectorNETWORK
Attack ComplexityLOW
Privileges RequiredNONE
User InteractionNONE
ScopeUNCHANGED
Confidentiality ImpactLOW
Integrity ImpactLOW
Availability ImpactNONE

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Type: Secondary

Exploitability Score: 3.9

Impact Score: 2.5

Weaknesses

Source Type Description
134c704f-9b21-4f2e-91b3-4a467353bcc0 Secondary
en CWE-326

Affected Products

Vendor Product Version Update Type
apache tomcat * <built-in method update of dict object at 0x75d8082a11c0> Application
apache tomcat * <built-in method update of dict object at 0x75d827ca3740> Application
apache tomcat 11.0.0 <built-in method update of dict object at 0x75d8082a3a80> Application
apache tomcat 11.0.0 <built-in method update of dict object at 0x75d827ca1780> Application
apache tomcat 11.0.0 <built-in method update of dict object at 0x75d827ca1700> Application
apache tomcat 11.0.0 <built-in method update of dict object at 0x75d827ca2b40> Application

Affected Configurations

Operator: OR

Vulnerable CPE
Yes cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
Yes cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
Yes cpe:2.3:a:apache:tomcat:11.0.0:milestone23:*:*:*:*:*:*
Yes cpe:2.3:a:apache:tomcat:11.0.0:milestone24:*:*:*:*:*:*
Yes cpe:2.3:a:apache:tomcat:11.0.0:milestone25:*:*:*:*:*:*
Yes cpe:2.3:a:apache:tomcat:11.0.0:milestone26:*:*:*:*:*:*

References

Notification
Message here