CVE-2024-34750

Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://lists.apache.org/thread/4kqf0bc9gxymjc2x7v3p7dvplnl77y8l	Vendor Advisory
https://lists.apache.org/thread/4kqf0bc9gxymjc2x7v3p7dvplnl77y8l	Vendor Advisory
https://security.netapp.com/advisory/ntap-20240816-0004/	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:tomcat::::::::
	cpe:2.3:a:apache:tomcat::::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone1::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone10::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone11::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone12::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone13::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone14::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone15::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone16::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone17::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone18::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone19::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone2::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone20::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone3::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone4::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone5::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone6::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone7::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone8::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone9::::::

Configuration 2 (hide)

cpe:2.3:a:netapp:ontap_tools:9:*:*:*:*:vmware_vsphere:*:*

History

29 Oct 2025, 12:15

Type	Values Removed	Values Added
Summary	(en) Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.	(en) Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.

08 Aug 2025, 11:15

Type	Values Removed	Values Added
Summary	(en) Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.	(en) Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.

07 Aug 2025, 12:15

Type	Values Removed	Values Added
Summary	(en) Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.	(en) Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.

03 Jun 2025, 21:32

Type	Values Removed	Values Added
References	~~() https://lists.apache.org/thread/4kqf0bc9gxymjc2x7v3p7dvplnl77y8l -~~	() https://lists.apache.org/thread/4kqf0bc9gxymjc2x7v3p7dvplnl77y8l - Vendor Advisory
References	~~() https://security.netapp.com/advisory/ntap-20240816-0004/ -~~	() https://security.netapp.com/advisory/ntap-20240816-0004/ - Third Party Advisory
CPE		cpe:2.3:a:apache:tomcat:11.0.0:milestone19:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone9:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone13:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone4:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone8:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone6:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone10:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone2:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone5:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone1:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone12:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone7:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone15:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone18:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone11:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone14:::::: cpe:2.3:a:netapp:ontap_tools:9:::::vmware_vsphere:: cpe:2.3:a:apache:tomcat:11.0.0:milestone17:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone20:::::: cpe:2.3:a:apache:tomcat:::::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone3:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone16::::::
First Time		Netapp Apache tomcat Netapp ontap Tools Apache

21 Nov 2024, 09:19

Type	Values Removed	Values Added
References		() https://security.netapp.com/advisory/ntap-20240816-0004/ -
References	~~() https://lists.apache.org/thread/4kqf0bc9gxymjc2x7v3p7dvplnl77y8l -~~	() https://lists.apache.org/thread/4kqf0bc9gxymjc2x7v3p7dvplnl77y8l -

09 Jul 2024, 16:22

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5

05 Jul 2024, 12:55

Type	Values Removed	Values Added
Summary		(es) Manejo inadecuado de condiciones excepcionales, vulnerabilidad de consumo incontrolado de recursos en Apache Tomcat. Al procesar una secuencia HTTP/2, Tomcat no manejó correctamente algunos casos de encabezados HTTP excesivos. Esto llevó a un conteo erróneo de flujos HTTP/2 activos que a su vez llevó al uso de un tiempo de espera infinito incorrecto que permitió que las conexiones permanecieran abiertas y que deberían haberse cerrado. Este problema afecta a Apache Tomcat: desde 11.0.0-M1 hasta 11.0.0-M20, desde 10.1.0-M1 hasta 10.1.24, desde 9.0.0-M1 hasta 9.0.89. Se recomienda a los usuarios actualizar a la versión 11.0.0-M21, 10.1.25 o 9.0.90, que soluciona el problema.

03 Jul 2024, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-07-03 20:15

Updated : 2025-10-29 12:15

NVD link : CVE-2024-34750

Mitre link : CVE-2024-34750

CVE.ORG link : CVE-2024-34750

JSON object : View

Products Affected

netapp

ontap_tools

apache

tomcat

CWE

CWE-400

Uncontrolled Resource Consumption

CWE-755

Improper Handling of Exceptional Conditions

7.5 /10