CVE-2024-38286 HIGH

CVE-2024-38286: Apache Tomcat: Denial of Service

Vendor Apache Software Foundation

Product Apache Tomcat

Weakness CWE-770 · Uncontrolled resource consumption

Published November 7, 2024

Last update November 3, 2025

View on NVD All CVEs

CVSS base score

8.6/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

What the vulnerability does

Description

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.35 through 8.5.100 and 7.0.92 through 7.0.109. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.

Key dates

Disclosure timeline

November 7, 2024 CVE published

November 3, 2025 Record updated

Identifiers

CVE CVE-2024-38286

CWE CWE-770

CVSS 8.6 / HIGH

Affected versions

Vendor Apache Software Foundation

Product Apache Tomcat

Affected ≥ 11.0.0-M1 and ≤ 11.0.0-M20

Vendor Apache Software Foundation

Product Apache Tomcat

Affected ≥ 10.1.0-M1 and ≤ 10.1.24

Vendor Apache Software Foundation

Product Apache Tomcat

Affected ≥ 9.0.13 and ≤ 9.0.89

Vendor Apache Software Foundation

Product Apache Tomcat

Affected ≥ 8.5.35 and ≤ 8.5.100

Vendor Apache Software Foundation

Product Apache Tomcat

Affected ≥ 7.0.92 and ≤ 7.0.109