Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <a669283f-bc2a-4f0c-9b9d-1e2c0598772a@apache.org>
Date: Mon, 18 Nov 2024 11:37:25 +0000
From: Mark Thomas <markt@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2024-52317: Apache Tomcat: Request/response mix-up with HTTP/2

Severity: important

Affected versions:

- Apache Tomcat 11.0.0-M23 through 11.0.0-M26
- Apache Tomcat 10.1.27 through 10.1.30
- Apache Tomcat 9.0.92 through 9.0.95

Description:

Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. 
Incorrect recycling of the request and response used by HTTP/2 requests
could lead to request and/or response mix-up between users.

This issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, 
from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95.

Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, 
which fixes the issue.

References:

https://lists.apache.org/thread/ty376mrxy1mmxtw3ogo53nc9l3co3dfs
https://tomcat.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-52317

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.