
CVE-2024-34750

Severity: High · Impact: DDoS

Published: 03 July 2024
Modified: 03 November 2025
KEV Added: not listed
Patch: available (see remediation below)
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.2154 (95.8th percentile)
Risk Priority: 28 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-34750 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Apache Tomcat. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 4.2% of CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-34750 is an uncontrolled resource consumption vulnerability in Apache Tomcat stemming from improper handling of exceptional conditions during HTTP/2 stream processing. Affected versions fail to correctly manage cases involving excessive HTTP headers, resulting in miscounting of active streams and application of an infinite timeout that leaves connections open when they should be terminated. The issue impacts Tomcat releases 11.0.0-M1 through 11.0.0-M20, 10.1.0-M1 through 10.1.24, and 9.0.0-M1 through 9.0.89, as well as earlier end-of-life branches including 8.5.0 through 8.5.100.

Remote attackers without authentication can exploit the flaw by sending crafted HTTP/2 requests containing large numbers of headers. Successful exploitation produces a denial-of-service condition by exhausting server resources through persistent open connections, consistent with the CVSS 7.5 rating that emphasizes high availability impact over confidentiality or integrity.

Apache Tomcat project advisories direct users to upgrade immediately to the patched releases 11.0.0-M21, 10.1.25, or 9.0.90. Corresponding notices from distributors such as Debian and NetApp reiterate the same remediation steps and reference the original Apache announcement for further details.
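To turn the version guidance above into an inventory check, the following added example (not code from the Tomcat project or from this advisory) compares a Tomcat version string against the affected ranges stated on this page. It assumes the ranges are inclusive as written, that milestone builds (`-Mn`) sort before the GA release of the same number, and that branches the advisory does not name (other EOL lines) are reported as unknown rather than safe.

```python
import re
from typing import Tuple

# Sort key: (major, minor, patch, milestone). Milestone builds carry their
# M-number; GA releases get a large sentinel so 11.0.0-M20 < 11.0.0 (GA).
_GA = 10**6
VersionKey = Tuple[int, int, int, int]


def parse_version(version: str) -> VersionKey:
    """Parse 'X.Y.Z' or 'X.Y.Z-Mn' Tomcat version strings into a sortable key."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {version!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), int(milestone) if milestone else _GA)


# Inclusive affected ranges and the fixed release per branch, taken from the
# advisory text on this page. The 8.5 branch is EOL and has no fixed release.
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.0-M20", "11.0.0-M21"),
    ("10.1.0-M1", "10.1.24", "10.1.25"),
    ("9.0.0-M1", "9.0.89", "9.0.90"),
    ("8.5.0", "8.5.100", None),
]


def assess(version: str) -> dict:
    """Report whether `version` is affected by CVE-2024-34750 and the release to move to.

    'affected' is True/False for branches the advisory covers and None for other
    (EOL) branches, which the advisory says may also be affected.
    """
    key = parse_version(version)
    for low, high, fixed_in in AFFECTED_RANGES:
        if parse_version(low) <= key <= parse_version(high):
            return {"version": version, "affected": True, "fixed_in": fixed_in}
    for _low, _high, fixed_in in AFFECTED_RANGES:
        # Same major.minor branch and at or after the fixed release: patched.
        if fixed_in and key[:2] == parse_version(fixed_in)[:2] \
                and key >= parse_version(fixed_in):
            return {"version": version, "affected": False, "fixed_in": fixed_in}
    return {"version": version, "affected": None, "fixed_in": None}


if __name__ == "__main__":
    # Constructed sample inventory; in practice feed it the output of version.sh per host.
    for v in ["9.0.89", "9.0.90", "10.1.0-M5", "11.0.0-M20", "11.0.0", "8.5.100", "7.0.109"]:
        print(v, assess(v))
```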

EPSS scores have remained essentially flat near 0.22 with no material post-disclosure climb.


Vulnerability details

Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams, which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.

CWE(s): CWE-400 (Uncontrolled Resource Consumption), CWE-755 (Improper Handling of Exceptional Conditions)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

- apache tomcat: 11.0.0 · 9.0.0 to 9.0.90 · 10.1.0 to 10.1.25
- netapp ontap tools: 9

Mitigating Controls

Likely Mitigating Controls (AI-derived mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-400, CWE-755: Updated contingency plans include current procedures to detect, contain, and recover from resource exhaustion, limiting an attacker's ability to sustain impact from uncontrolled consumption.
- Addresses CWE-400, CWE-755: MTTF monitoring plus ready substitutes directly mitigate sustained resource exhaustion by allowing component swap before or at failure.
- Addresses CWE-400: Limiting concurrent sessions directly prevents uncontrolled resource consumption by capping the number of active sessions per user or account.
- Addresses CWE-755: Provides defined handling (alert and additional actions) for the exceptional condition of audit logging failure.
- Addresses CWE-400: Analysis identifies uncontrolled resource consumption indicative of denial-of-service or abuse attempts.
- Addresses CWE-755: Supplies a concrete handling action (safe mode) for exceptional conditions, mitigating risks from improper or absent handling that could allow continued attacks.
- Addresses CWE-755: By preparing users for contingency scenarios, the control promotes proper handling of exceptional conditions instead of default or unsafe behaviors.
- Addresses CWE-400: Contingency plan testing includes resource exhaustion scenarios to verify recovery, making it harder for attackers to sustain exploits that cause uncontrolled consumption.
