oss-sec mailing list archives

CVE-2024-52317: Apache Tomcat: Request/response mix-up with HTTP/2

From: Mark Thomas <markt () apache org>
Date: Mon, 18 Nov 2024 11:37:25 +0000

Severity: important

Affected versions:

- Apache Tomcat 11.0.0-M23 through 11.0.0-M26
- Apache Tomcat 10.1.27 through 10.1.30
- Apache Tomcat 9.0.92 through 9.0.95

Description:

Incorrect object re-cycling and re-use vulnerability in Apache Tomcat.Incorrect recycling of the request and response used by HTTP/2 requests

could lead to request and/or response mix-up between users.

This issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26,from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95.

Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96,which fixes the issue.


References:

https://lists.apache.org/thread/ty376mrxy1mmxtw3ogo53nc9l3co3dfs
https://tomcat.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-52317

Current thread:

CVE-2024-52317: Apache Tomcat: Request/response mix-up with HTTP/2 Mark Thomas (Nov 18)