CVE-2024-54677

Aliases:GHSA-653p-vg55-5652BIT-tomcat-2024-54677
Advisory lineage Upstream: 0 Downstream: 13
Modified
Published: 17 Dec 2024, 12:35
Last modified:03 Nov 2025, 19:32

Vulnerability Summary

Overall Risk (default)
low
21/100
CVSS Score
5.3 MEDIUM
v3.1 (cve.org)
EPSS Score
1.23% LOW
1% probability -0.03%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

17 Dec 2024, 12:35
Published
Vulnerability first disclosed
03 Nov 2025, 19:32
Last Modified
Vulnerability information updated

Description

Uncontrolled Resource Consumption vulnerability in the examples web application provided with Apache Tomcat leads to denial of service. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.9.97. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.

CVSS Metrics

  • v4.0MEDIUMScore: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U
  • v3.1MEDIUMScore: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS Trends

Current EPSS score: 1.23% Percentile: 79%

Techniques & Countermeasures

  • CWE-400Uncontrolled Resource Consumption

    The product does not properly control the allocation and maintenance of a limited resource.

Affected Systems

  • apache software foundationapache tomcat

    ≥ 11.0.0-M1, ≤ 11.0.1 | ≥ 10.1.0-M1, ≤ 10.1.33 | ≥ 9.0.0.M1, ≤ 9.0.97 | ≥ 8.5.0, ≤ 8.5.100

  • UnknownTomcat

    ≥ 9.0.0, < 9.0.98 | ≥ 10.1.0, < 10.1.34 | ≥ 11.0.0, < 11.0.2

  • org.apache.tomcattomcat

    ≥ 11.0.0-M1, < 11.0.2 | ≥ 10.1.0-M1, < 10.1.34 | ≥ 9.0.0.M1, < 9.0.98

  • org.apache.tomcattomcat-catalina

    ≥ 11.0.0-M1, < 11.0.2 | ≥ 10.1.0-M1, < 10.1.34 | ≥ 9.0.0.M1, < 9.0.98 | ≥ 8.5.0, ≤ 8.5.100

  • netappbootstrap_os

    na

References (34)