CVE-2024-52317

MEDIUM

Apache Tomcat <11.0.0-M26, <10.1.30, <9.0.95 - Memory Corruption

Title source: llm

Description

Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the issue.

Exploits (1)

nomisec WORKING POC 3 stars
by TAM-K592 · poc
https://github.com/TAM-K592/CVE-2024-52317

Scores

CVSS v3 6.5
EPSS 0.2107
EPSS Percentile 95.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Details

CWE
CWE-326
Status published
Products (4)
apache/tomcat 11.0.0 milestone23 (4 CPE variants)
apache/tomcat 9.0.92 - 9.0.96
org.apache.tomcat/tomcat-coyote 9.0.92 - 9.0.96 (Maven)
org.apache.tomcat.embed/tomcat-embed-core 9.0.92 - 9.0.96 (Maven)
Published Nov 18, 2024
Tracked Since Feb 18, 2026