{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-54677", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2024-12-05T07:31:33.851Z", "datePublished": "2024-12-17T12:35:50.948Z", "dateUpdated": "2025-01-31T15:02:50.435Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Tomcat", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "11.0.1", "status": "affected", "version": "11.0.0-M1", "versionType": "semver"}, {"lessThanOrEqual": "10.1.33", "status": "affected", "version": "10.1.0-M1", "versionType": "semver"}, {"lessThanOrEqual": "9.0.97", "status": "affected", "version": "9.0.0.M1", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Uncontrolled Resource Consumption vulnerability in the examples web application provided with Apache Tomcat leads to denial of service.</p><p>This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.9.97.</p><p>Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.</p>"}], "value": "Uncontrolled Resource Consumption vulnerability in the examples web application provided with Apache Tomcat leads to denial of service.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.9.97.\n\nUsers are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue."}], "metrics": [{"other": {"content": {"text": "low"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-12-18T07:08:30.439Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/tdtbbxpg5trdwc2wnopcth9ccvdftq2n"}], "source": {"discovery": "EXTERNAL"}, "title": "Apache Tomcat: DoS in examples web application", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-12-17T16:41:40.093839Z", "id": "CVE-2024-54677", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-17T16:45:33.335Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/12/17/5"}, {"url": "http://www.openwall.com/lists/oss-security/2024/12/17/6"}, {"url": "http://www.openwall.com/lists/oss-security/2024/12/18/1"}, {"url": "https://security.netapp.com/advisory/ntap-20250131-0006/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-01-31T15:02:50.435Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/12/17/5"}, {"url": "http://www.openwall.com/lists/oss-security/2024/12/17/6"}, {"url": "http://www.openwall.com/lists/oss-security/2024/12/18/1"}, {"url": "https://security.netapp.com/advisory/ntap-20250131-0006/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-01-31T15:02:50.435Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-54677", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-12-17T16:41:40.093839Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-17T16:44:44.876Z"}}], "cna": {"title": "Apache Tomcat: DoS in examples web application", "source": {"discovery": "EXTERNAL"}, "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "low"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Tomcat", "versions": [{"status": "affected", "version": "11.0.0-M1", "versionType": "semver", "lessThanOrEqual": "11.0.1"}, {"status": "affected", "version": "10.1.0-M1", "versionType": "semver", "lessThanOrEqual": "10.1.33"}, {"status": "affected", "version": "9.0.0.M1", "versionType": "semver", "lessThanOrEqual": "9.0.97"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/tdtbbxpg5trdwc2wnopcth9ccvdftq2n", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Uncontrolled Resource Consumption vulnerability in the examples web application provided with Apache Tomcat leads to denial of service.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.9.97.\n\nUsers are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.", "supportingMedia": [{"type": "text/html", "value": "<p>Uncontrolled Resource Consumption vulnerability in the examples web application provided with Apache Tomcat leads to denial of service.</p><p>This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.9.97.</p><p>Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-12-18T07:08:30.439Z"}}}, "cveMetadata": {"cveId": "CVE-2024-54677", "state": "PUBLISHED", "dateUpdated": "2025-01-31T15:02:50.435Z", "dateReserved": "2024-12-05T07:31:33.851Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2024-12-17T12:35:50.948Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Uncontrolled Resource Consumption vulnerability in the examples web application provided with Apache Tomcat leads to denial of service.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.9.97.\n\nUsers are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue."}, {"lang": "es", "value": "La vulnerabilidad de consumo descontrolado de recursos en la aplicaci\u00f3n web de ejemplo proporcionada con Apache Tomcat provoca una denegaci\u00f3n de servicio. Este problema afecta a Apache Tomcat: desde 11.0.0-M1 hasta 11.0.1, desde 10.1.0-M1 hasta 10.1.33, desde 9.0.0.M1 hasta 9.9.97. Se recomienda a los usuarios que actualicen a la versi\u00f3n 11.0.2, 10.1.34 o 9.0.98, que soluciona el problema."}], "id": "CVE-2024-54677", "lastModified": "2025-01-31T15:15:14.050", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-12-17T13:15:18.957", "references": [{"source": "security@apache.org", "url": "https://lists.apache.org/thread/tdtbbxpg5trdwc2wnopcth9ccvdftq2n"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/12/17/5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/12/17/6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/12/18/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20250131-0006/"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security@apache.org", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:3609", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6.1", "package": "org.apache.tomcat/tomcat", "product_name": "Red Hat JBoss Web Server 6", "release_date": "2025-04-07T00:00:00Z"}, {"advisory": "RHSA-2025:3608", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6.1::el8", "package": "jws6-tomcat-0:10.1.36-6.redhat_00007.1.el8jws", "product_name": "Red Hat JBoss Web Server 6.1 on RHEL 8", "release_date": "2025-04-07T00:00:00Z"}, {"advisory": "RHSA-2025:3608", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6.1::el8", "package": "jws6-tomcat-jakartaee-migration-0:1.0.6-2.redhat_00003.1.el8jws", "product_name": "Red Hat JBoss Web Server 6.1 on RHEL 8", "release_date": "2025-04-07T00:00:00Z"}, {"advisory": "RHSA-2025:3608", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6.1::el8", "package": "jws6-tomcat-native-0:1.3.1-1.redhat_1.el8jws", "product_name": "Red Hat JBoss Web Server 6.1 on RHEL 8", "release_date": "2025-04-07T00:00:00Z"}, {"advisory": "RHSA-2025:3608", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6.1::el9", "package": "jws6-tomcat-0:10.1.36-6.redhat_00007.1.el9jws", "product_name": "Red Hat JBoss Web Server 6.1 on RHEL 9", "release_date": "2025-04-07T00:00:00Z"}, {"advisory": "RHSA-2025:3608", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6.1::el9", "package": "jws6-tomcat-jakartaee-migration-0:1.0.6-2.redhat_00003.1.el9jws", "product_name": "Red Hat JBoss Web Server 6.1 on RHEL 9", "release_date": "2025-04-07T00:00:00Z"}, {"advisory": "RHSA-2025:3608", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6.1::el9", "package": "jws6-tomcat-native-0:1.3.1-1.redhat_1.el9jws", "product_name": "Red Hat JBoss Web Server 6.1 on RHEL 9", "release_date": "2025-04-07T00:00:00Z"}], "bugzilla": {"description": "tomcat: Apache Tomcat: DoS in examples web application", "id": "2332815", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2332815"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "verified"}, "cwe": "CWE-400", "details": ["Uncontrolled Resource Consumption vulnerability in the examples web application provided with Apache Tomcat leads to denial of service.\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.9.97.\nUsers are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.", "A flaw was found in the \"examples\" web application of Apache Tomcat. Numerous examples within that application did not place limits on uploaded data. This vulnerability can potentially trigger an out-of-memory (OOM) error, leading to a denial of service."], "name": "CVE-2024-54677", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Fix deferred", "package_name": "tomcat6", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "pki-deps:10.6/pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5", "fix_state": "Fix deferred", "package_name": "org.apache.tomcat/tomcat", "product_name": "Red Hat JBoss Web Server 5"}], "public_date": "2024-12-17T12:35:50Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-54677\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-54677\nhttps://lists.apache.org/thread/tdtbbxpg5trdwc2wnopcth9ccvdftq2n"], "statement": "By default, the examples web application is only accessible to the localhost.", "threat_severity": "Low"}