VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-cvmu-3hdx-3kdn

Essentials
Severities (101)
References (20)
Severity details (21)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-cvmu-3hdx-3kdn
Aliases	CVE-2024-52317 GHSA-qvf5-hvjx-wm27
Summary	Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the issue.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-326	Inadequate Encryption Strength
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3	6.5	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-52317.json
epss	0.00043	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00043	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00043	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00043	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00043	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00043	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00043	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00043	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00043	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00043	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00043	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00043	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00043	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00043	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00539	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00559	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.006	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.006	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.006	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.006	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.006	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.006	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.006	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.006	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.006	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.006	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00757	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00757	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00757	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00757	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00757	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00757	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00757	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00757	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00757	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00757	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00757	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00757	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00757	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00757	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00757	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00757	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00757	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00918	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00918	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00918	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00918	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00918	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00918	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00918	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00918	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00918	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00918	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00918	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00918	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00918	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.00918	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.03556	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.03556	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.03556	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.03556	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.03556	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.03556	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.03556	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.03556	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.03556	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.03556	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.03556	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.03556	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.03556	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.03556	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.03556	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.03556	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.03556	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.03556	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.03556	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.03556	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.03805	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.03805	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
epss	0.10132	https://api.first.org/data/v1/epss?cve=CVE-2024-52317
apache_tomcat	Important	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52317
cvssv3.1	6.5	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-qvf5-hvjx-wm27
cvssv3.1	6.5	https://github.com/apache/tomcat
generic_textual	MODERATE	https://github.com/apache/tomcat
cvssv3.1	6.5	https://github.com/apache/tomcat/commit/146f94f87ea398fb592c7a20a5ccbef95e9dd72b
generic_textual	MODERATE	https://github.com/apache/tomcat/commit/146f94f87ea398fb592c7a20a5ccbef95e9dd72b
cvssv3.1	6.5	https://github.com/apache/tomcat/commit/47307ee27abcdea2ee40e33897aca760083de46a
generic_textual	MODERATE	https://github.com/apache/tomcat/commit/47307ee27abcdea2ee40e33897aca760083de46a
cvssv3.1	6.5	https://github.com/apache/tomcat/commit/9e840ccacb40881c03a03b1e0746bfba7369b3bd
generic_textual	MODERATE	https://github.com/apache/tomcat/commit/9e840ccacb40881c03a03b1e0746bfba7369b3bd
cvssv3.1	6.5	https://lists.apache.org/thread/ty376mrxy1mmxtw3ogo53nc9l3co3dfs
generic_textual	MODERATE	https://lists.apache.org/thread/ty376mrxy1mmxtw3ogo53nc9l3co3dfs
ssvc	Track	https://lists.apache.org/thread/ty376mrxy1mmxtw3ogo53nc9l3co3dfs
cvssv3.1	6.5	https://nvd.nist.gov/vuln/detail/CVE-2024-52317
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2024-52317
cvssv3.1	6.5	https://security.netapp.com/advisory/ntap-20250124-0004
generic_textual	MODERATE	https://security.netapp.com/advisory/ntap-20250124-0004
cvssv3.1	6.5	http://www.openwall.com/lists/oss-security/2024/11/18/3
generic_textual	MODERATE	http://www.openwall.com/lists/oss-security/2024/11/18/3

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-52317.json
		https://api.first.org/data/v1/epss?cve=CVE-2024-52317
		https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
		https://github.com/apache/tomcat
		https://github.com/apache/tomcat/commit/146f94f87ea398fb592c7a20a5ccbef95e9dd72b
		https://github.com/apache/tomcat/commit/47307ee27abcdea2ee40e33897aca760083de46a
		https://github.com/apache/tomcat/commit/9e840ccacb40881c03a03b1e0746bfba7369b3bd
		https://lists.apache.org/thread/ty376mrxy1mmxtw3ogo53nc9l3co3dfs
		https://nvd.nist.gov/vuln/detail/CVE-2024-52317
		https://security.netapp.com/advisory/ntap-20250124-0004
		https://security.netapp.com/advisory/ntap-20250124-0004/
		http://www.openwall.com/lists/oss-security/2024/11/18/3
2326973		https://bugzilla.redhat.com/show_bug.cgi?id=2326973
cpe:2.3:a:apache:tomcat::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat::::::::
cpe:2.3:a:apache:tomcat:11.0.0:milestone23::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:11.0.0:milestone23::::::
cpe:2.3:a:apache:tomcat:11.0.0:milestone24::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:11.0.0:milestone24::::::
cpe:2.3:a:apache:tomcat:11.0.0:milestone25::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:11.0.0:milestone25::::::
cpe:2.3:a:apache:tomcat:11.0.0:milestone26::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:11.0.0:milestone26::::::
CVE-2024-52317		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52317
GHSA-qvf5-hvjx-wm27		https://github.com/advisories/GHSA-qvf5-hvjx-wm27

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-52317.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/apache/tomcat

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/apache/tomcat/commit/146f94f87ea398fb592c7a20a5ccbef95e9dd72b

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/apache/tomcat/commit/47307ee27abcdea2ee40e33897aca760083de46a

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/apache/tomcat/commit/9e840ccacb40881c03a03b1e0746bfba7369b3bd

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://lists.apache.org/thread/ty376mrxy1mmxtw3ogo53nc9l3co3dfs

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-18T14:44:38Z/ Found at https://lists.apache.org/thread/ty376mrxy1mmxtw3ogo53nc9l3co3dfs

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2024-52317

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://security.netapp.com/advisory/ntap-20250124-0004

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at http://www.openwall.com/lists/oss-security/2024/11/18/3

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.10278
EPSS Score	0.00043
Published At	Nov. 20, 2024, midnight

Date	Actor	Action	Source	VulnerableCode Version
2024-11-18T23:02:17.351875+00:00	SUSE Severity Score Importer	Import	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml	34.3.2