CVE-2024-38286

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89.


The following versions were EOL at the time the CVE was created but are 
known to be affected: 8.5.35 through 8.5.100 and 7.0.92 through 7.0.109.Other EOL versions may also be affected.


Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue.



Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.6 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
apacheCNA
8.6 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 66%
VendorProductVersion
apachetomcat
9.0.13 ≤
𝑥
< 9.0.90
apachetomcat
10.1.1 ≤
𝑥
< 10.1.25
apachetomcat
10.1.0:milestone1
apachetomcat
10.1.0:milestone10
apachetomcat
10.1.0:milestone11
apachetomcat
10.1.0:milestone12
apachetomcat
10.1.0:milestone13
apachetomcat
10.1.0:milestone14
apachetomcat
10.1.0:milestone15
apachetomcat
10.1.0:milestone16
apachetomcat
10.1.0:milestone17
apachetomcat
10.1.0:milestone18
apachetomcat
10.1.0:milestone19
apachetomcat
10.1.0:milestone2
apachetomcat
10.1.0:milestone20
apachetomcat
10.1.0:milestone3
apachetomcat
10.1.0:milestone4
apachetomcat
10.1.0:milestone5
apachetomcat
10.1.0:milestone6
apachetomcat
10.1.0:milestone7
apachetomcat
10.1.0:milestone8
apachetomcat
10.1.0:milestone9
apachetomcat
11.0.0:milestone1
apachetomcat
11.0.0:milestone10
apachetomcat
11.0.0:milestone11
apachetomcat
11.0.0:milestone12
apachetomcat
11.0.0:milestone13
apachetomcat
11.0.0:milestone14
apachetomcat
11.0.0:milestone15
apachetomcat
11.0.0:milestone16
apachetomcat
11.0.0:milestone17
apachetomcat
11.0.0:milestone18
apachetomcat
11.0.0:milestone19
apachetomcat
11.0.0:milestone2
apachetomcat
11.0.0:milestone20
apachetomcat
11.0.0:milestone3
apachetomcat
11.0.0:milestone4
apachetomcat
11.0.0:milestone5
apachetomcat
11.0.0:milestone6
apachetomcat
11.0.0:milestone7
apachetomcat
11.0.0:milestone8
apachetomcat
11.0.0:milestone9
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
tomcat10
bookworm
10.1.34-0+deb12u2
fixed
bookworm (security)
10.1.34-0+deb12u2
fixed
trixie
10.1.40-1
fixed
forky
10.1.46-1
fixed
sid
10.1.46-1
fixed
tomcat9
bullseye
vulnerable
bullseye (security)
9.0.107-0+deb11u1
fixed
bookworm
9.0.70-2
fixed
trixie
9.0.95-1
fixed
forky
9.0.111-1
fixed
sid
9.0.111-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
tomcat6
questing
dne
plucky
dne
oracular
dne
noble
dne
jammy
dne
focal
dne
xenial
not-affected
trusty
not-affected
tomcat7
questing
dne
plucky
dne
oracular
dne
noble
dne
jammy
dne
focal
dne
bionic
not-affected
xenial
not-affected
trusty
not-affected
tomcat8
questing
dne
plucky
dne
oracular
dne
noble
dne
jammy
dne
focal
dne
bionic
needed
xenial
not-affected
tomcat10
questing
not-affected
plucky
not-affected
oracular
not-affected
noble
Fixed 10.1.16-1ubuntu0.1~esm2
released
jammy
dne
focal
dne
tomcat9
questing
Fixed 9.0.70-2ubuntu3
released
plucky
Fixed 9.0.70-2ubuntu1.25.04.2
released
oracular
Fixed 9.0.70-2ubuntu1.24.10.2
released
noble
Fixed 9.0.70-2ubuntu0.1+esm2
released
jammy
Fixed 9.0.58-1ubuntu0.2+esm3
released
focal
Fixed 9.0.31-1ubuntu0.9+esm2
released
bionic
Fixed 9.0.16-3ubuntu0.18.04.2+esm7
released
Common Weakness Enumeration
References
https://lists.apache.org/thread/wms60cvbsz3fpbz9psxtfx8r41jl6d4s
http://www.openwall.com/lists/oss-security/2024/09/23/2
https://lists.debian.org/debian-lts-announce/2025/01/msg00009.html
https://security.netapp.com/advisory/ntap-20241101-0010/