CVE-2024-54677
Description
Uncontrolled Resource Consumption vulnerability in the examples web application provided with Apache Tomcat leads to denial of service. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.9.97. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| โ | Affected | โ |
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 10.1.34-1 |
| sid | Fixed | 10.1.34-1 |
| forky | Fixed | 10.1.34-1 |
| bullseye | Fixed | 9.0.107-0+deb11u1 |
| bookworm | Fixed | 10.1.34-0+deb12u1 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | org.apache.tomcat:tomcat | >=11.0.0-M1,<11.0.2 | 11.0.2 |
| Maven | org.apache.tomcat:tomcat | >=10.1.0-M1,<10.1.34 | 10.1.34 |
| Maven | org.apache.tomcat:tomcat | >=9.0.0.M1,<9.0.98 | 9.0.98 |
| Maven | org.apache.tomcat:tomcat-catalina | >=8.5.0,<=8.5.100 | |
| MAVEN | org.apache.tomcat:tomcat | >= 9.0.0.M1, < 9.0.98 | 9.0.98 |
| MAVEN | org.apache.tomcat:tomcat | >= 10.1.0-M1, < 10.1.34 | 10.1.34 |
| MAVEN | org.apache.tomcat:tomcat | >= 11.0.0-M1, < 11.0.2 | 11.0.2 |
| MAVEN | org.apache.tomcat:tomcat-catalina | >= 8.5.0, <= 8.5.100 | |
References
- https://nvd.nist.gov/vuln/detail/CVE-2024-54677
- https://github.com/apache/tomcat/commit/f57a9d9847c1038be61f5818d73b8be907c460d4
- https://github.com/apache/tomcat/commit/e8c16cdba833884e1bd49fff1f1cb699da177585
- https://github.com/apache/tomcat/commit/dbec927859d9484cb8bd680a7c67b1a560f48444
- https://github.com/apache/tomcat/commit/d63a10afc142b12f462a15f7d10f79fd80ff94eb
- https://github.com/apache/tomcat/commit/cb1707685472994e9d924746f8c91cb116fa5213
- https://github.com/apache/tomcat/commit/c2f7ce21c3fb12caefee87c517a8bb4f80700044
- https://github.com/apache/tomcat/commit/c0a23927ea5e061ca3fdff695138464179fe674a
- https://github.com/apache/tomcat/commit/bbd82e9593314ade4cfd57248f9285fbad686f66
- https://github.com/apache/tomcat/commit/aa5b4d0043289cf054f531ec55126c980d3572e1
- https://github.com/apache/tomcat/commit/a95bf2b0303442a2c9a1ac364b0e63b56049e33a
- https://github.com/apache/tomcat/commit/9ffd23fc27f5d1fc95bf97e5cea175c8968f4533
- https://github.com/apache/tomcat/commit/84c4af76e7a10fc7f8630ce62e6a46632ea4a90e
- https://github.com/apache/tomcat/commit/84065e26ca4555e63a922bb29b13b0a1c86b7654
- https://github.com/apache/tomcat/commit/75ff7e8622edcc024b268677aa789ee8f0880ecc
- https://github.com/apache/tomcat/commit/722814668708c42a61b0c1e340b15bc2b785c0d1
- https://github.com/apache/tomcat/commit/721544ea28e92549824b106be954a9f411867a1c
- https://github.com/apache/tomcat/commit/54e56495e9a106218efe9fc9c79d976c0032bbfd
- https://github.com/apache/tomcat/commit/4f0236606961176257b883213e1621b1859ed746
- https://github.com/apache/tomcat/commit/4d5cc6538d91386f950373ac8120e98c2c78ed3a
- https://github.com/apache/tomcat/commit/4a335c6dcba8d6f8a54629eda392a50da267bdf4
- https://github.com/apache/tomcat/commit/3315a9027a7eaab18f42625b97b569940ff1365d
- https://github.com/apache/tomcat/commit/1d88dd3ffaed76188dd4ee32ce77709ce6e153cd
- https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.34
- https://security.netapp.com/advisory/ntap-20250131-0006
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.