Homepage
About Snyk

Allocation of Resources Without Limits or Throttling Affecting tomcat10 package, versions <10.1.25-1

Severity

 Recommended
low

Based on default assessment until relevant scores are available

    Threat Intelligence

    EPSS
    0.04% (11th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-DEBIAN13-TOMCAT10-8073021
  • published 24 Sep 2024
  • disclosed 7 Nov 2024
Report a new vulnerability Found a mistake?

Introduced: 24 Sep 2024

CVE-2024-38286 Open this link in a new tab
CWE-770 Open this link in a new tab

How to fix?

Upgrade Debian:13 tomcat10 to version 10.1.25-1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream tomcat10 package and not the tomcat10 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. Older, unsupported versions may also be affected.

Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue.

Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.

CVSS Scores

version 3.1
Expand this section

Red Hat

7.5 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    None
  • Integrity (I)
    None
  • Availability (A)
    High