Insufficient Session Expiration Affecting org.apache.tomcat.embed:tomcat-embed-core package, versions [,9.0.90) [10.1.0-M1,10.1.25) [11.0.0-M1,11.0.0-M21)
Threat Intelligence
EPSS
0.04% (11th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGAPACHETOMCATEMBED-7430175
- published 7 Jul 2024
- disclosed 3 Jul 2024
- credit devme4f
Introduced: 3 Jul 2024
CVE-2024-34750 Open this link in a new tabHow to fix?
Upgrade org.apache.tomcat.embed:tomcat-embed-core
to version 9.0.90, 10.1.25, 11.0.0-M21 or higher.
Overview
org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.
Affected versions of this package are vulnerable to Insufficient Session Expiration due to an infinite timeout being assigned to an open connection improperly, in http2/Stream.java
. An attacker can force this situation by sending an HTTP/2 stream with excessive headers, causing an out-of-memory error or exhausting maxConnections
.