CVE-2024-52317
Incorrect object re-cycling vulnerability in tomcat-embed-core (Maven)

What is CVE-2024-52317 About?

This Apache Tomcat vulnerability, affecting versions from 11.0.0-M23 through 11.0.0-M26, 10.1.27 through 10.1.30, and 9.0.92 through 9.0.95, is due to incorrect recycling and reuse of request and response objects in HTTP/2 requests. This can lead to a mix-up of requests and/or responses between different users. The impact is information disclosure or session compromise for other users. Exploitation would likely be complex but could lead to serious data leakage.

Affected Software

  • org.apache.tomcat.embed:tomcat-embed-core
    • >9.0.92, <9.0.96
    • >10.1.27, <10.1.31
    • >11.0.0-M23, <11.0.0
  • org.apache.tomcat:tomcat-coyote
    • >9.0.92, <9.0.96
    • >10.1.27, <10.1.31
    • >11.0.0-M23, <11.0.0

Technical Details

The vulnerability in Apache Tomcat's HTTP/2 implementation arises from an incorrect object recycling and reuse mechanism for request and response objects. In environments with heavy HTTP/2 traffic, particularly under concurrent conditions, Tomcat may improperly reallocate a request or response object that still contains remnants of data from a previous user's interaction to a new user. This means that a user's request might inadvertently incorporate parts of another user's request, or a user could receive a response intended for a different client. This mix-up compromises isolation between users, leading to information disclosure, potential session hijacking, or incorrect application behavior.

What is the Impact of CVE-2024-52317?

Successful exploitation may allow attackers to access or modify data belonging to other users, potentially leading to unauthorized information disclosure, session hijacking, or denial of service by corrupting legitimate user interactions.

What is the Exploitability of CVE-2024-52317?

Exploiting this vulnerability would require traffic analysis and precise timing to trigger the described request/response mix-up, making it complex. An attacker would likely need to send specially crafted HTTP/2 requests and observe responses, potentially over a sustained period, to detect and exploit the object reuse flaw. No specific authentication is required to interact with the HTTP/2 endpoint, making it potentially accessible to unauthenticated users. This is a remote vulnerability. No specific privilege is required, as the issue stems from an architectural flaw in how Tomcat handles HTTP/2 objects. The likelihood of exploitation increases in high-traffic HTTP/2 environments where the race conditions leading to object mix-up are more probable, but precise exploitation remains challenging.

What are the Known Public Exploits?

PoC Author   Link   Commentary
TAM-K592     Link   CVE-2024-52317 - Apache Tomcat HTTP/2 Data Leakage Vulnerability

What are the Available Fixes for CVE-2024-52317?

Available Upgrade Options

  • org.apache.tomcat.embed:tomcat-embed-core
    • >9.0.92, <9.0.96 → Upgrade to 9.0.96
  • org.apache.tomcat.embed:tomcat-embed-core
    • >10.1.27, <10.1.31 → Upgrade to 10.1.31
  • org.apache.tomcat.embed:tomcat-embed-core
    • >11.0.0-M23, <11.0.0 → Upgrade to 11.0.0
  • org.apache.tomcat:tomcat-coyote
    • >9.0.92, <9.0.96 → Upgrade to 9.0.96
  • org.apache.tomcat:tomcat-coyote
    • >10.1.27, <10.1.31 → Upgrade to 10.1.31
  • org.apache.tomcat:tomcat-coyote
    • >11.0.0-M23, <11.0.0 → Upgrade to 11.0.0
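An added example (not part of this advisory or of the Tomcat project) that checks Maven coordinates and versions against the ranges above. It treats the lower bound as inclusive, following the "from 9.0.92 through 9.0.95" wording, uses the fixed release as the exclusive upper bound, and orders "-M" milestones before the GA release of the same number (11.0.0-M26 < 11.0.0); the dependency-list lines are constructed sample input in the `groupId:artifactId:type:version:scope` shape.

```python
import re
from typing import List, Optional, Tuple

# Tomcat version: major.minor.patch with an optional "-M<n>" milestone suffix.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")

# Affected ranges from the advisory: [lower, fixed) with the fixed release exclusive.
AFFECTED_RANGES = [
    ("9.0.92", "9.0.96"),
    ("10.1.27", "10.1.31"),
    ("11.0.0-M23", "11.0.0"),
]

VULNERABLE_ARTIFACTS = {
    "org.apache.tomcat.embed:tomcat-embed-core",
    "org.apache.tomcat:tomcat-coyote",
}

def parse_version(v: str) -> Tuple[int, int, int, Tuple[int, int]]:
    m = VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, milestone = m.groups()
    # Milestones rank (0, n); a GA release ranks (1, 0) so it sorts after all milestones.
    rank = (0, int(milestone)) if milestone is not None else (1, 0)
    return (int(major), int(minor), int(patch), rank)

def fixed_version_for(version: str) -> Optional[str]:
    """Return the fixed release if `version` is affected, else None."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if parse_version(lo) <= v < parse_version(hi):
            return hi
    return None

def is_affected(version: str) -> bool:
    return fixed_version_for(version) is not None

# Constructed sample lines in the shape of `mvn dependency:list` output.
SAMPLE_DEPENDENCY_LIST = """\
org.apache.tomcat.embed:tomcat-embed-core:jar:10.1.30:compile
org.apache.tomcat.embed:tomcat-embed-websocket:jar:10.1.30:compile
org.apache.tomcat:tomcat-coyote:jar:9.0.96:compile
org.springframework:spring-web:jar:6.1.13:compile
"""

def scan_dependency_list(text: str) -> List[Tuple[str, str, str]]:
    """Return (coordinate, version, fixed_version) for each affected artifact."""
    findings = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue
        coord = f"{parts[0]}:{parts[1]}"
        version = parts[-2] if len(parts) >= 5 else parts[-1]  # version precedes scope
        if coord in VULNERABLE_ARTIFACTS and is_affected(version):
            findings.append((coord, version, fixed_version_for(version)))
    return findings

if __name__ == "__main__":
    for coord, ver, fix in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        print(f"{coord} {ver} is affected by CVE-2024-52317; upgrade to {fix}")
```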

Additional Resources

What are Similar Vulnerabilities to CVE-2024-52317?

Similar Vulnerabilities: CVE-2021-33045, CVE-2022-42289, CVE-2023-45648, CVE-2024-21722, CVE-2024-2322