Title: CVE-2024-34750 org.apache.tomcat:tomcat-coyote 9.0.87
Defect Dojo link: https://defectdojo.dagali.talendinc.com/finding/452586
Severity: High
Due Date: Oct. 4, 2024
CWE: CWE-400
CVE: CVE-2024-34750
CVSSv3 Score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Product/Engagement/Test: Studio / trivy-sca_studio / Trivy Scan
Vulnerable Component: org.apache.tomcat:tomcat-coyote 9.0.87
Source File: plugins/org.talend.designer.maven.repo.tcksdk_8.0.2.20240706_1616/repository/maven_repository/org/apache/tomcat/tomcat-coyote/9.0.87/tomcat-coyote-9.0.87.jar
Description:
tomcat: Improper Handling of Exceptional Conditions
{}Target:{} Java
{}Type:{} jar
{}Fixed version:{} 11.0.0-M21, 10.1.25, 9.0.90
Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89.
Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.
Mitigation:
11.0.0-M21, 10.1.25, 9.0.90
References:
https://access.redhat.com/security/cve/CVE-2024-34750
https://github.com/apache/tomcat
https://github.com/apache/tomcat/commit/2344a4c0d03e307ba6b8ab6dc8b894cc8bac63f2
https://github.com/apache/tomcat/commit/2afae300c9ac9c0e516e2e9de580847d925365c3
https://github.com/apache/tomcat/commit/9fec9a82887853402833a80b584e3762c7423f5f
https://lists.apache.org/thread/4kqf0bc9gxymjc2x7v3p7dvplnl77y8l
https://nvd.nist.gov/vuln/detail/CVE-2024-34750
https://tomcat.apache.org/security-10.html
https://tomcat.apache.org/security-11.html
https://tomcat.apache.org/security-9.html
https://www.cve.org/CVERecord?id=CVE-2024-34750
Reporter: (infosec-scans) (security-scan@talend.com)
TCK tomcat usage
https://tomcat.apache.org/
Tomcat is Jakarta Server Pages™ is an open source implementation of the Jakarta technology.
It helps software developers create dynamically generated web pages based on HTML, XML, or other document types.
TCK is using it for its server.