CVE-2024-38286HIGHCVSS 8.6

Apache Tomcat Allocation of Resources Without Limits or Throttling vulnerability

Published Nov 7, 2024·Updated Jul 1, 2026

Description

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.35 through 8.5.100 and 7.0.92 through 7.0.109. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.

Affected Packages (2)

org.apache.tomcat:tomcat-coyoteMAVEN
From 11.0.0-M1
Fixed in 11.0.0-M21
org.apache.tomcat.embed:tomcat-embed-coreMAVEN
From 11.0.0-M1
Fixed in 11.0.0-M21

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

References

View on NVD Search GitHub Search Google

Get alerted for CVEs like this

Register your stack and get notified within minutes when a matching CVE drops.

Start monitoring free