CVE-2024-52317
Published: 18 November 2024
Summary
CVE-2024-52317 is a medium-severity Inadequate Encryption Strength (CWE-326) vulnerability in Apache Tomcat. Its CVSS base score is 6.5 (Medium).
Operationally, it ranks in the top 4.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
Apache Tomcat contains an incorrect object recycling vulnerability affecting HTTP/2 request and response handling. The flaw impacts versions 11.0.0-M23 through 11.0.0-M26, 10.1.27 through 10.1.30, and 9.0.92 through 9.0.95, where request and response objects may be incorrectly reused across different users, resulting in potential information mixing.
An unauthenticated remote attacker can exploit the issue over the network without user interaction. Successful exploitation allows partial disclosure or modification of request and response data belonging to other users, corresponding to the reported CVSS 6.5 rating.
Apache Tomcat project advisories recommend immediate upgrade to versions 11.0.0, 10.1.31, or 9.0.96 to resolve the recycling defect. Corresponding notices appear on the Apache mailing lists, oss-security, and downstream vendor bulletins such as NetApp.
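As an added illustration (not code from the advisory or the Tomcat project), the affected and fixed versions quoted above turned into a triage check over a server inventory. The host names and inventory are constructed, and the parser assumes Tomcat's `major.minor.patch[-Mn]` numbering, in which a milestone build precedes the final release of the same number:

```python
import re

# Affected ranges (inclusive) and first fixed release per branch, as stated in
# the advisory text on this page.
AFFECTED_RANGES = [("11.0.0-M23", "11.0.0-M26"), ("10.1.27", "10.1.30"), ("9.0.92", "9.0.95")]
FIXED_VERSIONS = {11: "11.0.0", 10: "10.1.31", 9: "9.0.96"}

# Assumed Tomcat numbering: major.minor.patch with an optional -M<n> milestone suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def version_key(version: str) -> tuple:
    """Sort key for a Tomcat version. Fields compare numerically (10.1.9 < 10.1.27),
    and a milestone build (11.0.0-M26) sorts *before* the final release (11.0.0).
    Plain string comparison puts "11.0.0" before "11.0.0-M26", so a naive
    'at or after the fixed release' check would treat the M26 milestone as patched."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)  # final release ranks last
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi) for lo, hi in AFFECTED_RANGES)


def recommended_fix(version: str) -> str:
    """First fixed release on the same branch, or the version itself if not affected."""
    if not is_affected(version):
        return version
    return FIXED_VERSIONS[version_key(version)[0]]


def triage(inventory: dict) -> dict:
    """Map each affected host in {host: version} to the release it should move to."""
    return {host: recommended_fix(v) for host, v in inventory.items() if is_affected(v)}


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are made up for the demo.
    sample = {"web-01": "10.1.28", "web-02": "11.0.0-M26", "web-03": "11.0.0", "web-04": "9.0.96"}
    print(triage(sample))  # {'web-01': '10.1.31', 'web-02': '11.0.0'}
```

Versions outside the listed ranges (for example 9.0.91 or 11.0.0-M22) are reported as not affected because the advisory does not list them; the check reflects only what the advisory states.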
EPSS scores have remained stable near 0.21 with no material post-disclosure increase.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-3305
Vulnerability details
Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the issue.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Maintaining currency with technologies and practices reduces the selection of encryption mechanisms that provide inadequate strength.
- Updated assessments identify when previously adequate encryption strength no longer meets current attack capabilities or compliance drivers.
- Key establishment procedures require the selection and generation of keys with adequate length and strength for the chosen algorithm.
- A cryptographic policy specifies the required cryptography types and parameters, preventing the selection of inadequate encryption strength.
- Prompt patching corrects inadequate encryption strength when vendors release updates that increase key sizes or algorithm security.