CVE-2024-52317

MEDIUM

Apache Tomcat <11.0.0-M26,<10.1.30,<9.0.95 - Memory Corruption

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-52317. PoCs published by TAM-K592.

AI-analyzed exploit summary: This PoC demonstrates CVE-2024-52317, an HTTP/2 data leakage vulnerability in Apache Tomcat. It sends multiple HTTP/2 requests to detect if responses contain data from other users due to improper resource recycling.

Description

Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the issue.

Exploits (1)

nomisec · WORKING POC · 3 stars
by TAM-K592 · poc
https://github.com/TAM-K592/CVE-2024-52317

Classification
Working PoC 90%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Apache Tomcat (versions prior to 11.0.0, 10.1.31, 9.0.96)
No auth needed
Prerequisites: Target server with vulnerable Apache Tomcat version · HTTP/2 enabled on the target server
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2024/11/18/3
Mailing List, Vendor Advisory
https://lists.apache.org/thread/ty376mrxy1mmxtw3ogo53nc9l3co3dfs

Scores

CVSS v3 6.5
EPSS 0.2107
EPSS Percentile 95.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-326
Status published
Products (4)
apache/tomcat 11.0.0 milestone23 (4 CPE variants)
apache/tomcat 9.0.92 - 9.0.96
org.apache.tomcat/tomcat-coyote 9.0.92 - 9.0.96 (Maven)
org.apache.tomcat.embed/tomcat-embed-core 9.0.92 - 9.0.96 (Maven)
Published Nov 18, 2024
Tracked Since Feb 18, 2026