CVE-2024-38286

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.35 through 8.5.100 and 7.0.92 through 7.0.109. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.

CVSS v3 8.6 HIGH

8.6^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://lists.apache.org/thread/wms60cvbsz3fpbz9psxtfx8r41jl6d4s	Mailing List
http://www.openwall.com/lists/oss-security/2024/09/23/2	Mailing List
https://security.netapp.com/advisory/ntap-20241101-0010/	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:tomcat::::::::
	cpe:2.3:a:apache:tomcat::::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone1::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone10::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone11::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone12::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone13::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone14::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone15::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone16::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone17::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone18::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone19::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone2::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone20::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone3::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone4::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone5::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone6::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone7::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone8::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone9::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone1::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone10::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone11::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone12::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone13::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone14::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone15::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone16::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone17::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone18::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone19::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone2::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone20::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone3::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone4::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone5::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone6::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone7::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone8::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone9::::::

Configuration 2 (hide)

OR	cpe:2.3:a:netapp:ontap_tools:9:::::vmware_vsphere::
	cpe:2.3:a:netapp:ontap_tools:10:::::vmware_vsphere::

History

08 Aug 2025, 11:15

Type	Values Removed	Values Added
Summary	(en) Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.	(en) Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.35 through 8.5.100 and 7.0.92 through 7.0.109. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.

07 Aug 2025, 12:15

Type	Values Removed	Values Added
Summary	(en) Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. Older, unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.	(en) Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.

11 Feb 2025, 16:15

Type	Values Removed	Values Added
CPE		cpe:2.3:a:apache:tomcat:10.1.0:milestone11:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone9:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone13:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone1:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone13:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone4:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone16:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone14:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone15:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone12:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone3:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone5:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone18:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone18:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone6:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone15:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone20:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone7:::::: cpe:2.3:a:apache:tomcat:::::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone5:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone10:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone12:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone8:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone4:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone1:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone11:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone2:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone19:::::: cpe:2.3:a:netapp:ontap_tools:9:::::vmware_vsphere:: cpe:2.3:a:apache:tomcat:11.0.0:milestone17:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone6:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone20:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone16:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone19:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone2:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone14:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone8:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone17:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone10:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone9:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone7:::::: cpe:2.3:a:netapp:ontap_tools:10:::::vmware_vsphere:: cpe:2.3:a:apache:tomcat:10.1.0:milestone3::::::
First Time		Netapp Netapp ontap Tools Apache Apache tomcat
References	~~() https://lists.apache.org/thread/wms60cvbsz3fpbz9psxtfx8r41jl6d4s -~~	() https://lists.apache.org/thread/wms60cvbsz3fpbz9psxtfx8r41jl6d4s - Mailing List
References	~~() http://www.openwall.com/lists/oss-security/2024/09/23/2 -~~	() http://www.openwall.com/lists/oss-security/2024/09/23/2 - Mailing List
References	~~() https://security.netapp.com/advisory/ntap-20241101-0010/ -~~	() https://security.netapp.com/advisory/ntap-20241101-0010/ - Third Party Advisory

21 Nov 2024, 09:25

Type	Values Removed	Values Added
References		() http://www.openwall.com/lists/oss-security/2024/09/23/2 - () https://security.netapp.com/advisory/ntap-20241101-0010/ -

08 Nov 2024, 19:01

Type	Values Removed	Values Added
Summary		(es) Vulnerabilidad de asignación de recursos sin límites o limitación de recursos en Apache Tomcat. Este problema afecta a Apache Tomcat: desde la versión 11.0.0-M1 hasta la 11.0.0-M20, desde la versión 10.1.0-M1 hasta la 10.1.24, desde la versión 9.0.13 hasta la 9.0.89. También pueden verse afectadas versiones anteriores no compatibles. Se recomienda a los usuarios que actualicen a la versión 11.0.0-M21, 10.1.25 o 9.0.90, que soluciona el problema. Apache Tomcat, en determinadas configuraciones de cualquier plataforma, permite a un atacante provocar un error OutOfMemoryError abusando del proceso de enlace TLS.

07 Nov 2024, 08:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-07 08:15

Updated : 2025-08-08 11:15

NVD link : CVE-2024-38286

Mitre link : CVE-2024-38286

CVE.ORG link : CVE-2024-38286

JSON object : View

Products Affected

netapp

ontap_tools

apache

tomcat

CWE

CWE-770

Allocation of Resources Without Limits or Throttling

8.6 /10