CVE-2024-38286

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.35 through 8.5.100 and 7.0.92 through 7.0.109. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.

CVSS v3 8.6 HIGH

8.6^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://lists.apache.org/thread/wms60cvbsz3fpbz9psxtfx8r41jl6d4s	Mailing List
http://www.openwall.com/lists/oss-security/2024/09/23/2	Mailing List
https://lists.debian.org/debian-lts-announce/2025/01/msg00009.html
https://security.netapp.com/advisory/ntap-20241101-0010/	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:tomcat::::::::
	cpe:2.3:a:apache:tomcat::::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone1::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone10::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone11::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone12::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone13::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone14::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone15::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone16::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone17::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone18::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone19::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone2::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone20::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone3::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone4::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone5::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone6::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone7::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone8::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone9::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone1::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone10::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone11::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone12::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone13::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone14::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone15::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone16::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone17::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone18::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone19::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone2::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone20::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone3::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone4::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone5::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone6::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone7::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone8::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone9::::::

Configuration 2 (hide)

OR	cpe:2.3:a:netapp:ontap_tools:9:::::vmware_vsphere::
	cpe:2.3:a:netapp:ontap_tools:10:::::vmware_vsphere::

History

03 Nov 2025, 21:16

Type	Values Removed	Values Added
References		() https://lists.debian.org/debian-lts-announce/2025/01/msg00009.html -

29 Oct 2025, 12:15

Type	Values Removed	Values Added
Summary	(en) Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.35 through 8.5.100 and 7.0.92 through 7.0.109. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.	(en) Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.35 through 8.5.100 and 7.0.92 through 7.0.109. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.

08 Aug 2025, 11:15

Type	Values Removed	Values Added
Summary	(en) Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.	(en) Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.35 through 8.5.100 and 7.0.92 through 7.0.109. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.

07 Aug 2025, 12:15

Type	Values Removed	Values Added
Summary	(en) Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. Older, unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.	(en) Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.

11 Feb 2025, 16:15

Type	Values Removed	Values Added
CPE		cpe:2.3:a:apache:tomcat:10.1.0:milestone11:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone20:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone20:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone5:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone1:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone10:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone7:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone18:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone6:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone14:::::: cpe:2.3:a:netapp:ontap_tools:10:::::vmware_vsphere:: cpe:2.3:a:apache:tomcat:11.0.0:milestone19:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone19:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone3:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone17:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone4:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone11:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone18:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone16:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone10:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone14:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone12:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone9:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone13:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone7:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone15:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone12:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone2:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone3:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone4:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone8:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone16:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone5:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone9:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone13:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone2:::::: cpe:2.3:a:apache:tomcat:::::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone1:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone8:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone17:::::: cpe:2.3:a:netapp:ontap_tools:9:::::vmware_vsphere:: cpe:2.3:a:apache:tomcat:10.1.0:milestone15:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone6::::::
First Time		Apache tomcat Netapp Netapp ontap Tools Apache
References	~~() https://lists.apache.org/thread/wms60cvbsz3fpbz9psxtfx8r41jl6d4s -~~	() https://lists.apache.org/thread/wms60cvbsz3fpbz9psxtfx8r41jl6d4s - Mailing List
References	~~() http://www.openwall.com/lists/oss-security/2024/09/23/2 -~~	() http://www.openwall.com/lists/oss-security/2024/09/23/2 - Mailing List
References	~~() https://security.netapp.com/advisory/ntap-20241101-0010/ -~~	() https://security.netapp.com/advisory/ntap-20241101-0010/ - Third Party Advisory

Information

Published : 2024-11-07 08:15

Updated : 2025-11-03 21:16

NVD link : CVE-2024-38286

Mitre link : CVE-2024-38286

CVE.ORG link : CVE-2024-38286

JSON object : View

Products Affected

apache

tomcat

netapp

ontap_tools

CWE

CWE-770

Allocation of Resources Without Limits or Throttling

8.6 /10