CVE-2024-52317

ANC

MediumConfirmedExploit available

Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 req…

CVSS

6.5

Medium

EPSS

0.21

p95

Published

2024-01-01

Updated

2024-01-01

Description

Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the issue.

Tags · CWE

Pre-auth

CWE-326

CAPEC-20

CAPEC-112

CAPEC-192

Affected products

Tomcat 9.0.92–9.0.96Tomcat 10.1.27–10.1.31Tomcat

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Timeline

2024-01-01

Published

2024-01-01

Updated

CVSS 3.1 breakdown

Attack Vector

AV: N

Network (N)

Attack Complexity

AC: L

Low (L)

Privileges Required

PR: N

None (N)

User Interaction

UI: N

None (N)

Scope

S: U

Unchanged (U)

Confidentiality Impact

C: L

Low (L)

Integrity Impact

I: L

Low (L)

Availability Impact

A: N

None (N)

Exploit indicators

EPSS

0.211 · p95

Known exploited (KEV)

MITRE ATT&CK

Inferred via CAPEC

T1110Brute Force

└ via CAPEC-112 · CWE-326

Known exploits — Сканер-ВС

CVE-2024-52317

github-poc · https://github.com/TAM-K592/CVE-2024-52317

Enterprise

Affected software

Product	Vendor	Status
		Tracked
		Tracked
tomcat10		Tracked
tomcat10		Tracked
tomcat10		Tracked
tomcat10		Tracked
tomcat10		Tracked
tomcat10		Tracked
tomcat9		Tracked
tomcat9		Tracked
tomcat9		Tracked
tomcat9		Tracked
tomcat9		Tracked
tomcat9		Tracked
tomcat9		Tracked
tomcat	*	Tracked

Source databases

ANC

DEB

CVE

UBU

Related vulnerabilities

BDU:2024-10295