Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2024-24549 (GCVE-0-2024-24549)
Vulnerability from cvelistv5 – Published: 2024-03-13 15:46 – Updated: 2025-10-29 11:56
VLAI?
EPSS
Title
Apache Tomcat: HTTP/2 header handling DoS
Summary
Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Other, older, EOL versions may also be affected.
Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
Severity ?
No CVSS data available.
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Tomcat |
Affected:
11.0.0-M1 , ≤ 11.0.0-M16
(semver)
Affected: 10.1.0-M1 , ≤ 10.1.18 (semver) Affected: 9.0.0-M1 , ≤ 9.0.85 (semver) Affected: 8.5.0 , ≤ 8.5.98 (semver) Unknown: 10.0.0-M1 , ≤ 10.0.27 (semver) |
Credits
Bartek Nowotarski
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-24549",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-15T15:00:56.854044Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-04T21:26:52.708Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:19:52.712Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240402-0002/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/13/3"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Tomcat",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "11.0.0-M16",
"status": "affected",
"version": "11.0.0-M1",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.1.18",
"status": "affected",
"version": "10.1.0-M1",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.0.85",
"status": "affected",
"version": "9.0.0-M1",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.5.98",
"status": "affected",
"version": "8.5.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.0.27",
"status": "unknown",
"version": "10.0.0-M1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bartek Nowotarski"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.\u0026nbsp;Other, older, EOL versions may also be affected.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.\u003c/p\u003e"
}
],
"value": "Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.\u00a0Other, older, EOL versions may also be affected.\n\nUsers are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T11:56:23.336Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Tomcat: HTTP/2 header handling DoS",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-24549",
"datePublished": "2024-03-13T15:46:53.085Z",
"dateReserved": "2024-01-25T12:05:42.034Z",
"dateUpdated": "2025-10-29T11:56:23.336Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240402-0002/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html\", \"tags\": [\"x_transferred\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2024/03/13/3\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B/\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T23:19:52.712Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-24549\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-03-15T15:00:56.854044Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-23T19:01:17.867Z\"}}], \"cna\": {\"title\": \"Apache Tomcat: HTTP/2 header handling DoS\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Bartek Nowotarski\"}], \"metrics\": [{\"other\": {\"type\": \"Textual description of severity\", \"content\": {\"text\": \"important\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache Tomcat\", \"versions\": [{\"status\": \"affected\", \"version\": \"11.0.0-M1\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"11.0.0-M16\"}, {\"status\": \"affected\", \"version\": \"10.1.0-M1\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"10.1.18\"}, {\"status\": \"affected\", \"version\": \"9.0.0-M1\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"9.0.85\"}, {\"status\": \"affected\", \"version\": \"8.5.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"8.5.98\"}, {\"status\": \"unknown\", \"version\": \"10.0.0-M1\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"10.0.27\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.\\u00a0Other, older, EOL versions may also be affected.\\n\\nUsers are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.\u0026nbsp;Other, older, EOL versions may also be affected.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-20\", \"description\": \"CWE-20 Improper Input Validation\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2025-10-29T11:56:23.336Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-24549\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-29T11:56:23.336Z\", \"dateReserved\": \"2024-01-25T12:05:42.034Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2024-03-13T15:46:53.085Z\", \"assignerShortName\": \"apache\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
FKIE_CVE-2024-24549
Vulnerability from fkie_nvd - Published: 2024-03-13 16:15 - Updated: 2025-10-29 12:15
Severity ?
Summary
Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Other, older, EOL versions may also be affected.
Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | tomcat | * | |
| apache | tomcat | * | |
| apache | tomcat | * | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| debian | debian_linux | 10.0 | |
| fedoraproject | fedora | 39 | |
| fedoraproject | fedora | 40 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E75E39D1-9AAE-4F50-9FA8-C1936AAFA896",
"versionEndExcluding": "8.5.99",
"versionStartIncluding": "8.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B1B2F3FF-1EF4-43FB-896D-C975E058978D",
"versionEndExcluding": "9.0.86",
"versionStartIncluding": "9.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "03C34A60-381C-4EBD-A116-B700BB41F751",
"versionEndExcluding": "10.1.19",
"versionStartIncluding": "10.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone1:*:*:*:*:*:*",
"matchCriteriaId": "D1AA7FF6-E8E7-4BF6-983E-0A99B0183008",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone10:*:*:*:*:*:*",
"matchCriteriaId": "57088BDD-A136-45EF-A8A1-2EBF79CEC2CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone11:*:*:*:*:*:*",
"matchCriteriaId": "B32D1D7A-A04F-444E-8F45-BB9A9E4B0199",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone12:*:*:*:*:*:*",
"matchCriteriaId": "0092FB35-3B00-484F-A24D-7828396A4FF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone13:*:*:*:*:*:*",
"matchCriteriaId": "CB557E88-FA9D-4B69-AA6F-EAEE7F9B01AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone14:*:*:*:*:*:*",
"matchCriteriaId": "72D3C6F1-84FA-4F82-96C1-9A8DA1C1F30F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone15:*:*:*:*:*:*",
"matchCriteriaId": "3521C81B-37D9-48FC-9540-D0D333B9A4A4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone16:*:*:*:*:*:*",
"matchCriteriaId": "02A84634-A8F2-4BA9-B9F3-BEF36AEC5480",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone2:*:*:*:*:*:*",
"matchCriteriaId": "2AAD52CE-94F5-4F98-A027-9A7E68818CB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone3:*:*:*:*:*:*",
"matchCriteriaId": "F1F981F5-035A-4EDD-8A9F-481EE8BC7FF7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone4:*:*:*:*:*:*",
"matchCriteriaId": "03A171AF-2EC8-4422-912C-547CDB58CAAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone5:*:*:*:*:*:*",
"matchCriteriaId": "538E68C4-0BA4-495F-AEF8-4EF6EE7963CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone6:*:*:*:*:*:*",
"matchCriteriaId": "49350A6E-5E1D-45B2-A874-3B8601B3ADCC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone7:*:*:*:*:*:*",
"matchCriteriaId": "5F50942F-DF54-46C0-8371-9A476DD3EEA3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone8:*:*:*:*:*:*",
"matchCriteriaId": "D12C2C95-B79F-4AA4-8CE3-99A3EE7991AB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone9:*:*:*:*:*:*",
"matchCriteriaId": "98792138-DD56-42DF-9612-3BDC65EEC117",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*",
"matchCriteriaId": "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*",
"matchCriteriaId": "CA277A6C-83EC-4536-9125-97B84C4FAF59",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.\u00a0Other, older, EOL versions may also be affected.\n\nUsers are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue."
},
{
"lang": "es",
"value": "Denegaci\u00f3n de servicio debido a una vulnerabilidad de validaci\u00f3n de entrada incorrecta para solicitudes HTTP/2 en Apache Tomcat. Al procesar una solicitud HTTP/2, si la solicitud exced\u00eda cualquiera de los l\u00edmites configurados para los encabezados, la secuencia HTTP/2 asociada no se restablec\u00eda hasta que se hubieran procesado todos los encabezados. Este problema afecta a Apache Tomcat: desde 11.0.0- M1 hasta 11.0.0-M16, desde 10.1.0-M1 hasta 10.1.18, desde 9.0.0-M1 hasta 9.0.85, desde 8.5.0 hasta 8.5.98. Se recomienda a los usuarios actualizar a la versi\u00f3n 11.0.0-M17, 10.1.19, 9.0.86 u 8.5.99, que solucionan el problema."
}
],
"id": "CVE-2024-24549",
"lastModified": "2025-10-29T12:15:34.440",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-03-13T16:15:29.373",
"references": [
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/13/3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20240402-0002/"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "security@apache.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CERTFR-2024-AVI-0432
Vulnerability from certfr_avis - Published: 2024-05-22 - Updated: 2024-05-22
De multiples vulnérabilités ont été découvertes dans les produits Atlassian. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Atlassian | Confluence | Confluence Data Center versions antérieures à 8.9.1 | ||
| Atlassian | Confluence | Confluence Data Center versions antérieures à 7.19.22 | ||
| Atlassian | Jira | Jira Software Data Center versions antérieures à 9.8.0 | ||
| Atlassian | Jira | Jira Software Data Center versions antérieures à 9.11.3 | ||
| Atlassian | Jira | Jira Software Server versions antérieures à 9.12.7 | ||
| Atlassian | Jira | Jira Software Data Center versions antérieures à 9.12.0 | ||
| Atlassian | Jira | Jira Software Server versions antérieures à 9.15.2 | ||
| Atlassian | Confluence | Confluence Data Center versions antérieures à 8.5.9 | ||
| Atlassian | Jira | Jira Software Data Center versions antérieures à 9.7.2 | ||
| Atlassian | Jira | Jira Software Server versions antérieures à 9.4.20 | ||
| Atlassian | Jira | Jira Software Data Center versions antérieures à 9.15.2 | ||
| Atlassian | Jira | Jira Software Data Center versions antérieures à 9.4.20 | ||
| Atlassian | Jira | Jira Software Data Center versions antérieures à 9.12.7 |
References
| Title | Publication Time | Tags | ||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Confluence Data Center versions ant\u00e9rieures \u00e0 8.9.1",
"product": {
"name": "Confluence",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Confluence Data Center versions ant\u00e9rieures \u00e0 7.19.22",
"product": {
"name": "Confluence",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Software Data Center versions ant\u00e9rieures \u00e0 9.8.0",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Software Data Center versions ant\u00e9rieures \u00e0 9.11.3",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Software Server versions ant\u00e9rieures \u00e0 9.12.7",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Software Data Center versions ant\u00e9rieures \u00e0 9.12.0",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Software Server versions ant\u00e9rieures \u00e0 9.15.2",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Confluence Data Center versions ant\u00e9rieures \u00e0 8.5.9",
"product": {
"name": "Confluence",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Software Data Center versions ant\u00e9rieures \u00e0 9.7.2",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Software Server versions ant\u00e9rieures \u00e0 9.4.20",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Software Data Center versions ant\u00e9rieures \u00e0 9.15.2",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Software Data Center versions ant\u00e9rieures \u00e0 9.4.20",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Software Data Center versions ant\u00e9rieures \u00e0 9.12.7",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2024-1597",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-1597"
},
{
"name": "CVE-2023-45859",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45859"
},
{
"name": "CVE-2022-25647",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25647"
},
{
"name": "CVE-2022-41966",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41966"
},
{
"name": "CVE-2024-23672",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-23672"
},
{
"name": "CVE-2024-24549",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24549"
},
{
"name": "CVE-2024-22257",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22257"
},
{
"name": "CVE-2024-21683",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21683"
}
],
"initial_release_date": "2024-05-22T00:00:00",
"last_revision_date": "2024-05-22T00:00:00",
"links": [],
"reference": "CERTFR-2024-AVI-0432",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-05-22T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Atlassian. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Atlassian",
"vendor_advisories": [
{
"published_at": "2024-05-21",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSWSERVER-25950",
"url": "https://jira.atlassian.com/browse/JSWSERVER-25950"
},
{
"published_at": "2024-05-21",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSWSERVER-25949",
"url": "https://jira.atlassian.com/browse/JSWSERVER-25949"
},
{
"published_at": "2024-05-21",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian CONFSERVER-95839",
"url": "https://jira.atlassian.com/browse/CONFSERVER-95839"
},
{
"published_at": "2024-05-21",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSWSERVER-25896",
"url": "https://jira.atlassian.com/browse/JSWSERVER-25896"
},
{
"published_at": "2024-05-21",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian CONFSERVER-95834",
"url": "https://jira.atlassian.com/browse/CONFSERVER-95834"
},
{
"published_at": "2024-05-21",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian CONFSERVER-95832",
"url": "https://jira.atlassian.com/browse/CONFSERVER-95832"
},
{
"published_at": "2024-05-21",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSWSERVER-25948",
"url": "https://jira.atlassian.com/browse/JSWSERVER-25948"
},
{
"published_at": "2024-05-21",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSWSERVER-25905",
"url": "https://jira.atlassian.com/browse/JSWSERVER-25905"
}
]
}
CERTFR-2024-AVI-0514
Vulnerability from certfr_avis - Published: 2024-06-21 - Updated: 2024-06-21
De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service à distance.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| IBM | Watson Explorer | Watson Explorer DAE Foundational Components versions 11.0.x antérieures à 11.0.2 Fix Pack 19 | ||
| IBM | Db2 | Db2 on Cloud Pak for Data versions antérieures à v5.0 | ||
| IBM | Storage Protect | Storage Protect for Virtual Environments: Data Protection pour Hyper-V et VMware versions 8.1.x antérieures à 8.1.23.0 | ||
| IBM | Sterling Connect:Direct | Sterling Connect:Direct pour Microsoft Windows versions 6.3.x antérieures à 6.3.0.3_iFix004 | ||
| IBM | Watson Explorer | Watson Explorer DAE Analytical Components versions 11.0.x antérieures à 11.0.2 Fix Pack 19 | ||
| IBM | Watson Explorer | Watson Explorer DAE Foundational Components versions 12.0.x antérieures à 12.0.3.15 | ||
| IBM | Sterling Connect:Direct | Sterling Connect:Direct pour Microsoft Windows versions 6.1.x antérieures à 6.1.0.2_iFix087 | ||
| IBM | Sterling Connect:Direct | Sterling Connect:Direct pour Microsoft Windows versions 6.0.x antérieures à 6.0.0.4_iFix088 | ||
| IBM | Watson Explorer | Watson Explorer DAE Analytical Components versions 12.0.x antérieures à 12.0.3.15 | ||
| IBM | Db2 | Db2 Warehouse on Cloud Pak for Data versions antérieures à v5.0 | ||
| IBM | QRadar | QRadar Suite Software versions 1.10.x antérieures à 1.10.22.0 | ||
| IBM | Sterling Connect:Direct | Sterling Connect:Direct pour Microsoft Windows versions 6.2.x antérieures à 6.2.0.6_iFix020 | ||
| IBM | Cloud Pak | Cloud Pak for Security versions 1.10.x antérieures à 1.10.22.0 | ||
| IBM | Storage Protect | Storage Protect Backup-Archive Client versions 8.1.x antérieures à 8.1.23.0 |
References
| Title | Publication Time | Tags | ||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Watson Explorer DAE Foundational Components versions 11.0.x ant\u00e9rieures \u00e0 11.0.2 Fix Pack 19",
"product": {
"name": "Watson Explorer",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Db2 on Cloud Pak for Data versions ant\u00e9rieures \u00e0 v5.0",
"product": {
"name": "Db2",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Storage Protect for Virtual Environments: Data Protection pour Hyper-V et VMware versions 8.1.x ant\u00e9rieures \u00e0 8.1.23.0",
"product": {
"name": "Storage Protect",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Connect:Direct pour Microsoft Windows versions 6.3.x ant\u00e9rieures \u00e0 6.3.0.3_iFix004",
"product": {
"name": "Sterling Connect:Direct",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Watson Explorer DAE Analytical Components versions 11.0.x ant\u00e9rieures \u00e0 11.0.2 Fix Pack 19",
"product": {
"name": "Watson Explorer",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Watson Explorer DAE Foundational Components versions 12.0.x ant\u00e9rieures \u00e0 12.0.3.15",
"product": {
"name": "Watson Explorer",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Connect:Direct pour Microsoft Windows versions 6.1.x ant\u00e9rieures \u00e0 6.1.0.2_iFix087",
"product": {
"name": "Sterling Connect:Direct",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Connect:Direct pour Microsoft Windows versions 6.0.x ant\u00e9rieures \u00e0 6.0.0.4_iFix088",
"product": {
"name": "Sterling Connect:Direct",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Watson Explorer DAE Analytical Components versions 12.0.x ant\u00e9rieures \u00e0 12.0.3.15",
"product": {
"name": "Watson Explorer",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Db2 Warehouse on Cloud Pak for Data versions ant\u00e9rieures \u00e0 v5.0",
"product": {
"name": "Db2",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "QRadar Suite Software versions 1.10.x ant\u00e9rieures \u00e0 1.10.22.0",
"product": {
"name": "QRadar",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Connect:Direct pour Microsoft Windows versions 6.2.x ant\u00e9rieures \u00e0 6.2.0.6_iFix020",
"product": {
"name": "Sterling Connect:Direct",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Cloud Pak for Security versions 1.10.x ant\u00e9rieures \u00e0 1.10.22.0",
"product": {
"name": "Cloud Pak",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Storage Protect Backup-Archive Client versions 8.1.x ant\u00e9rieures \u00e0 8.1.23.0",
"product": {
"name": "Storage Protect",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2020-2803",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-2803"
},
{
"name": "CVE-2024-29041",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29041"
},
{
"name": "CVE-2024-28849",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-28849"
},
{
"name": "CVE-2021-2163",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-2163"
},
{
"name": "CVE-2023-45288",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45288"
},
{
"name": "CVE-2024-3772",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-3772"
},
{
"name": "CVE-2021-2161",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-2161"
},
{
"name": "CVE-2023-3817",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3817"
},
{
"name": "CVE-2024-34351",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-34351"
},
{
"name": "CVE-2022-21299",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21299"
},
{
"name": "CVE-2020-2773",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-2773"
},
{
"name": "CVE-2020-2805",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-2805"
},
{
"name": "CVE-2020-2830",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-2830"
},
{
"name": "CVE-2020-2781",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-2781"
},
{
"name": "CVE-2023-28322",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28322"
},
{
"name": "CVE-2022-21305",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21305"
},
{
"name": "CVE-2024-22243",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22243"
},
{
"name": "CVE-2024-29857",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29857"
},
{
"name": "CVE-2023-5363",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-5363"
},
{
"name": "CVE-2024-24557",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24557"
},
{
"name": "CVE-2023-22795",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22795"
},
{
"name": "CVE-2024-23082",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-23082"
},
{
"name": "CVE-2024-25026",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25026"
},
{
"name": "CVE-2020-8565",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8565"
},
{
"name": "CVE-2024-28180",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-28180"
},
{
"name": "CVE-2024-22262",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22262"
},
{
"name": "CVE-2021-32052",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-32052"
},
{
"name": "CVE-2024-30172",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-30172"
},
{
"name": "CVE-2023-35116",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-35116"
},
{
"name": "CVE-2024-23672",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-23672"
},
{
"name": "CVE-2023-3978",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3978"
},
{
"name": "CVE-2024-29131",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29131"
},
{
"name": "CVE-2024-22329",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22329"
},
{
"name": "CVE-2020-2659",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-2659"
},
{
"name": "CVE-2024-30251",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-30251"
},
{
"name": "CVE-2024-27306",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27306"
},
{
"name": "CVE-2024-23807",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-23807"
},
{
"name": "CVE-2023-28321",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28321"
},
{
"name": "CVE-2019-11250",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11250"
},
{
"name": "CVE-2024-29133",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29133"
},
{
"name": "CVE-2022-21365",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21365"
},
{
"name": "CVE-2022-21294",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21294"
},
{
"name": "CVE-2024-27289",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27289"
},
{
"name": "CVE-2024-38329",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38329"
},
{
"name": "CVE-2022-34169",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34169"
},
{
"name": "CVE-2022-21341",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21341"
},
{
"name": "CVE-2024-24549",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24549"
},
{
"name": "CVE-2020-2604",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-2604"
},
{
"name": "CVE-2022-21340",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21340"
},
{
"name": "CVE-2024-23081",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-23081"
},
{
"name": "CVE-2022-21293",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21293"
},
{
"name": "CVE-2020-2800",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-2800"
},
{
"name": "CVE-2022-21282",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21282"
},
{
"name": "CVE-2022-21349",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21349"
},
{
"name": "CVE-2024-30171",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-30171"
},
{
"name": "CVE-2021-20264",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-20264"
},
{
"name": "CVE-2022-21248",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21248"
},
{
"name": "CVE-2024-29180",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29180"
},
{
"name": "CVE-2024-22259",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22259"
},
{
"name": "CVE-2024-22257",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22257"
},
{
"name": "CVE-2023-47726",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47726"
},
{
"name": "CVE-2020-2757",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-2757"
},
{
"name": "CVE-2023-42282",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-42282"
},
{
"name": "CVE-2023-39325",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39325"
},
{
"name": "CVE-2024-1681",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-1681"
},
{
"name": "CVE-2023-3446",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3446"
},
{
"name": "CVE-2024-24786",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24786"
},
{
"name": "CVE-2024-22354",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22354"
},
{
"name": "CVE-2020-2756",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-2756"
},
{
"name": "CVE-2022-21476",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21476"
},
{
"name": "CVE-2022-21541",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21541"
},
{
"name": "CVE-2022-21360",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21360"
},
{
"name": "CVE-2022-21296",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21296"
},
{
"name": "CVE-2022-21540",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21540"
},
{
"name": "CVE-2023-38545",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38545"
}
],
"initial_release_date": "2024-06-21T00:00:00",
"last_revision_date": "2024-06-21T00:00:00",
"links": [],
"reference": "CERTFR-2024-AVI-0514",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-06-21T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0 distance.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
"vendor_advisories": [
{
"published_at": "2024-06-19",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7158042",
"url": "https://www.ibm.com/support/pages/node/7158042"
},
{
"published_at": "2024-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7157662",
"url": "https://www.ibm.com/support/pages/node/7157662"
},
{
"published_at": "2024-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7157750",
"url": "https://www.ibm.com/support/pages/node/7157750"
},
{
"published_at": "2024-06-18",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7157924",
"url": "https://www.ibm.com/support/pages/node/7157924"
},
{
"published_at": "2024-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7157753",
"url": "https://www.ibm.com/support/pages/node/7157753"
},
{
"published_at": "2024-06-20",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7157847",
"url": "https://www.ibm.com/support/pages/node/7157847"
},
{
"published_at": "2024-06-18",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7157927",
"url": "https://www.ibm.com/support/pages/node/7157927"
},
{
"published_at": "2024-06-18",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7157929",
"url": "https://www.ibm.com/support/pages/node/7157929"
}
]
}
CERTFR-2024-AVI-0404
Vulnerability from certfr_avis - Published: 2024-05-15 - Updated: 2024-05-15
De multiples vulnérabilités ont été découvertes dans les produits Fortinet. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance, une atteinte à la confidentialité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Fortinet | FortiProxy | FortiProxy 7.0.x versions antérieures à 7.0.14 | ||
| Fortinet | FortiProxy | FortiProxy 7.4.x versions antérieures à 7.4.2 | ||
| Fortinet | N/A | FortiWebManager 6.0.x toutes versions | ||
| Fortinet | FortiWeb | FortiWeb 7.0.x toutes versions pour la vulnérabilité CVE-2024-23665 | ||
| Fortinet | FortiNAC | FortiNAC 8.7.x toutes versions | ||
| Fortinet | FortiNAC | FortiNAC 8.8.x toutes versions | ||
| Fortinet | FortiWeb | FortiWeb 7.2.x versions antérieures à 7.2.8 | ||
| Fortinet | FortiSOAR | FortiSOAR 7.0.x toutes versions | ||
| Fortinet | N/A | FortiAuthenticator 6.6.x versions antérieures à 6.6.1 | ||
| Fortinet | FortiSOAR | FortiSOAR cyops Connector versions antérieures à 2.1.0 | ||
| Fortinet | FortiNAC | FortiNAC 9.4.x versions antérieures à 9.4.5 | ||
| Fortinet | FortiProxy | FortiProxy 7.2.x versions antérieures à 7.2.8 | ||
| Fortinet | FortiOS | FortiOS 6.4.x toutes versions | ||
| Fortinet | FortiADC | FortiADC 6.2.x toutes versions | ||
| Fortinet | FortiOS | FortiOS 6.0.x toutes versions | ||
| Fortinet | FortiADC | FortiADC 7.4.x versions antérieures à 7.4.2 | ||
| Fortinet | FortiSwitchManager | FortiSwitchManager 7.0.x versions antérieures à 7.0.3 | ||
| Fortinet | FortiADC | FortiADC 7.0.x toutes versions | ||
| Fortinet | FortiNAC | FortiNAC 9.2.x toutes versions | ||
| Fortinet | FortiOS | FortiOS 6.2.x toutes versions | ||
| Fortinet | N/A | FortiAuthenticator 6.4.x toutes versions | ||
| Fortinet | FortiOS | FortiOS 7.0.x versions antérieures à 7.0.13 | ||
| Fortinet | FortiPortal | FortiPortal 7.0.x versions antérieures à 7.0.7 | ||
| Fortinet | FortiADC | FortiADC 7.1.x toutes versions | ||
| Fortinet | FortiWeb | FortiWeb 6.3.x toutes versions | ||
| Fortinet | FortiSOAR | FortiSOAR 7.3.x versions antérieures à 7.3.1 | ||
| Fortinet | FortiPAM | FortiPAM 1.1.x versions antérieures à 1.1.1 | ||
| Fortinet | FortiSOAR | FortiSOAR 7.2.x toutes versions | ||
| Fortinet | FortiProxy | FortiProxy 1.1.x toutes versions | ||
| Fortinet | FortiSandbox | FortiSandbox 4.4.x versions antérieures à 4.4.5 | ||
| Fortinet | N/A | FortiVoice 7.0.x versions antérieures à 7.0.2 | ||
| Fortinet | FortiProxy | FortiProxy 1.2.x toutes versions | ||
| Fortinet | N/A | FortiWebManager 7.0.x versions antérieures à 7.0.5 | ||
| Fortinet | N/A | FortiWebManager 6.3.x versions antérieures à 6.3.1 | ||
| Fortinet | FortiProxy | FortiProxy 2.0.x toutes versions | ||
| Fortinet | FortiWeb | FortiWeb 7.0.x versions antérieures à 7.0.9 | ||
| Fortinet | FortiWeb | FortiWeb 7.4.x versions antérieures à 7.4.3 | ||
| Fortinet | N/A | FortiWebManager 6.2.x versions antérieures à 6.2.5 | ||
| Fortinet | N/A | FortiVoice 6.0.x toutes versions | ||
| Fortinet | N/A | FortiWebManager 7.2.x versions antérieures à 7.2.1 | ||
| Fortinet | FortiWeb | FortiWeb 6.4.x toutes versions | ||
| Fortinet | FortiOS | FortiOS 7.0 toutes versions pour les vulnérabilités CVE-2023-36640 et CVE-2023-45583 | ||
| Fortinet | FortiPAM | FortiPAM 1.0.x toutes versions | ||
| Fortinet | FortiOS | FortiOS 7.2.x versions antérieures à 7.2.8 | ||
| Fortinet | FortiSandbox | FortiSandbox 4.2.x versions antérieures à 4.2.7 | ||
| Fortinet | FortiPortal | FortiPortal 7.2.x versions antérieures à 7.2.2 | ||
| Fortinet | FortiNAC | FortiNAC 9.1.x toutes versions | ||
| Fortinet | FortiPortal | FortiPortal 6.0.x versions antérieures à 6.0.15 | ||
| Fortinet | N/A | FortiVoice 6.4.x versions antérieures à 6.4.9 | ||
| Fortinet | N/A | FortiAuthenticator 6.5.x versions antérieures à 6.5.4 | ||
| Fortinet | FortiADC | FortiADC 7.2.x versions antérieures à 7.2.4 | ||
| Fortinet | FortiOS | FortiOS 7.4.x versions antérieures à 7.4.2 | ||
| Fortinet | FortiSwitchManager | FortiSwitchManager 7.2.x versions antérieures à 7.2.3 | ||
| Fortinet | FortiNAC | FortiNAC 7.2.x versions antérieures à 7.2.4 | ||
| Fortinet | FortiProxy | FortiProxy 1.0.x toutes versions |
References
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "FortiProxy 7.0.x versions ant\u00e9rieures \u00e0 7.0.14",
"product": {
"name": "FortiProxy",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiProxy 7.4.x versions ant\u00e9rieures \u00e0 7.4.2",
"product": {
"name": "FortiProxy",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiWebManager 6.0.x toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiWeb 7.0.x toutes versions pour la vuln\u00e9rabilit\u00e9 CVE-2024-23665",
"product": {
"name": "FortiWeb",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiNAC 8.7.x toutes versions",
"product": {
"name": "FortiNAC",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiNAC 8.8.x toutes versions",
"product": {
"name": "FortiNAC",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiWeb 7.2.x versions ant\u00e9rieures \u00e0 7.2.8",
"product": {
"name": "FortiWeb",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiSOAR 7.0.x toutes versions",
"product": {
"name": "FortiSOAR",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiAuthenticator 6.6.x versions ant\u00e9rieures \u00e0 6.6.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiSOAR cyops Connector versions ant\u00e9rieures \u00e0 2.1.0",
"product": {
"name": "FortiSOAR",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiNAC 9.4.x versions ant\u00e9rieures \u00e0 9.4.5",
"product": {
"name": "FortiNAC",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiProxy 7.2.x versions ant\u00e9rieures \u00e0 7.2.8",
"product": {
"name": "FortiProxy",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiOS 6.4.x toutes versions",
"product": {
"name": "FortiOS",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiADC 6.2.x toutes versions",
"product": {
"name": "FortiADC",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiOS 6.0.x toutes versions",
"product": {
"name": "FortiOS",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiADC 7.4.x versions ant\u00e9rieures \u00e0 7.4.2",
"product": {
"name": "FortiADC",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiSwitchManager 7.0.x versions ant\u00e9rieures \u00e0 7.0.3",
"product": {
"name": "FortiSwitchManager",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiADC 7.0.x toutes versions",
"product": {
"name": "FortiADC",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiNAC 9.2.x toutes versions",
"product": {
"name": "FortiNAC",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiOS 6.2.x toutes versions",
"product": {
"name": "FortiOS",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiAuthenticator 6.4.x toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiOS 7.0.x versions ant\u00e9rieures \u00e0 7.0.13",
"product": {
"name": "FortiOS",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiPortal 7.0.x versions ant\u00e9rieures \u00e0 7.0.7",
"product": {
"name": "FortiPortal",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiADC 7.1.x toutes versions",
"product": {
"name": "FortiADC",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiWeb 6.3.x toutes versions",
"product": {
"name": "FortiWeb",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiSOAR 7.3.x versions ant\u00e9rieures \u00e0 7.3.1",
"product": {
"name": "FortiSOAR",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiPAM 1.1.x versions ant\u00e9rieures \u00e0 1.1.1",
"product": {
"name": "FortiPAM",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiSOAR 7.2.x toutes versions",
"product": {
"name": "FortiSOAR",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiProxy 1.1.x toutes versions",
"product": {
"name": "FortiProxy",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiSandbox 4.4.x versions ant\u00e9rieures \u00e0 4.4.5",
"product": {
"name": "FortiSandbox",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiVoice 7.0.x versions ant\u00e9rieures \u00e0 7.0.2",
"product": {
"name": "N/A",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiProxy 1.2.x toutes versions",
"product": {
"name": "FortiProxy",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiWebManager 7.0.x versions ant\u00e9rieures \u00e0 7.0.5",
"product": {
"name": "N/A",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiWebManager 6.3.x versions ant\u00e9rieures \u00e0 6.3.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiProxy 2.0.x toutes versions",
"product": {
"name": "FortiProxy",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiWeb 7.0.x versions ant\u00e9rieures \u00e0 7.0.9",
"product": {
"name": "FortiWeb",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiWeb 7.4.x versions ant\u00e9rieures \u00e0 7.4.3",
"product": {
"name": "FortiWeb",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiWebManager 6.2.x versions ant\u00e9rieures \u00e0 6.2.5",
"product": {
"name": "N/A",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiVoice 6.0.x toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiWebManager 7.2.x versions ant\u00e9rieures \u00e0 7.2.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiWeb 6.4.x toutes versions",
"product": {
"name": "FortiWeb",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiOS 7.0 toutes versions pour les vuln\u00e9rabilit\u00e9s CVE-2023-36640 et CVE-2023-45583",
"product": {
"name": "FortiOS",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiPAM 1.0.x toutes versions",
"product": {
"name": "FortiPAM",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiOS 7.2.x versions ant\u00e9rieures \u00e0 7.2.8",
"product": {
"name": "FortiOS",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiSandbox 4.2.x versions ant\u00e9rieures \u00e0 4.2.7",
"product": {
"name": "FortiSandbox",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiPortal 7.2.x versions ant\u00e9rieures \u00e0 7.2.2",
"product": {
"name": "FortiPortal",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiNAC 9.1.x toutes versions",
"product": {
"name": "FortiNAC",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiPortal 6.0.x versions ant\u00e9rieures \u00e0 6.0.15",
"product": {
"name": "FortiPortal",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiVoice 6.4.x versions ant\u00e9rieures \u00e0 6.4.9",
"product": {
"name": "N/A",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiAuthenticator 6.5.x versions ant\u00e9rieures \u00e0 6.5.4",
"product": {
"name": "N/A",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiADC 7.2.x versions ant\u00e9rieures \u00e0 7.2.4",
"product": {
"name": "FortiADC",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiOS 7.4.x versions ant\u00e9rieures \u00e0 7.4.2",
"product": {
"name": "FortiOS",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiSwitchManager 7.2.x versions ant\u00e9rieures \u00e0 7.2.3",
"product": {
"name": "FortiSwitchManager",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiNAC 7.2.x versions ant\u00e9rieures \u00e0 7.2.4",
"product": {
"name": "FortiNAC",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
},
{
"description": "FortiProxy 1.0.x toutes versions",
"product": {
"name": "FortiProxy",
"vendor": {
"name": "Fortinet",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2024-26007",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26007"
},
{
"name": "CVE-2024-27316",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27316"
},
{
"name": "CVE-2023-40720",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-40720"
},
{
"name": "CVE-2023-45288",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45288"
},
{
"name": "CVE-2023-48789",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-48789"
},
{
"name": "CVE-2024-21760",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21760"
},
{
"name": "CVE-2023-44247",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-44247"
},
{
"name": "CVE-2024-31493",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-31493"
},
{
"name": "CVE-2024-23664",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-23664"
},
{
"name": "CVE-2023-50180",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-50180"
},
{
"name": "CVE-2024-23670",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-23670"
},
{
"name": "CVE-2024-3302",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-3302"
},
{
"name": "CVE-2024-27983",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27983"
},
{
"name": "CVE-2023-45583",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45583"
},
{
"name": "CVE-2024-31488",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-31488"
},
{
"name": "CVE-2023-46714",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-46714"
},
{
"name": "CVE-2024-23667",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-23667"
},
{
"name": "CVE-2024-23107",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-23107"
},
{
"name": "CVE-2024-23105",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-23105"
},
{
"name": "CVE-2024-24549",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24549"
},
{
"name": "CVE-2023-45586",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45586"
},
{
"name": "CVE-2024-23668",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-23668"
},
{
"name": "CVE-2023-36640",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-36640"
},
{
"name": "CVE-2024-31491",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-31491"
},
{
"name": "CVE-2024-23665",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-23665"
},
{
"name": "CVE-2024-30255",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-30255"
},
{
"name": "CVE-2024-28182",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-28182"
},
{
"name": "CVE-2024-23669",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-23669"
}
],
"initial_release_date": "2024-05-15T00:00:00",
"last_revision_date": "2024-05-15T00:00:00",
"links": [],
"reference": "CERTFR-2024-AVI-0404",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-05-15T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nFortinet. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer\nune ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0\ndistance, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Fortinet",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Fortinet FG-IR-23-225 du 14 mai 2024",
"url": "https://www.fortiguard.com/psirt/FG-IR-23-225"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Fortinet FG-IR-24-040 du 14 mai 2024",
"url": "https://www.fortiguard.com/psirt/FG-IR-24-040"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Fortinet FG-IR-23-282 du 14 mai 2024",
"url": "https://www.fortiguard.com/psirt/FG-IR-23-282"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Fortinet FG-IR-23-406 du 14 mai 2024",
"url": "https://www.fortiguard.com/psirt/FG-IR-23-406"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Fortinet FG-IR-23-137 du 14 mai 2024",
"url": "https://www.fortiguard.com/psirt/FG-IR-23-137"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Fortinet FG-IR-23-222 du 14 mai 2024",
"url": "https://www.fortiguard.com/psirt/FG-IR-23-222"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Fortinet FG-IR-24-052 du 14 mai 2024",
"url": "https://www.fortiguard.com/psirt/FG-IR-24-052"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Fortinet FG-IR-23-474 du 14 mai 2024",
"url": "https://www.fortiguard.com/psirt/FG-IR-23-474"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Fortinet FG-IR-23-195 du 14 mai 2024",
"url": "https://www.fortiguard.com/psirt/FG-IR-23-195"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Fortinet FG-IR-23-433 du 14 mai 2024",
"url": "https://www.fortiguard.com/psirt/FG-IR-23-433"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Fortinet FG-IR-24-021 du 14 mai 2024",
"url": "https://www.fortiguard.com/psirt/FG-IR-24-021"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Fortinet FG-IR-23-420 du 14 mai 2024",
"url": "https://www.fortiguard.com/psirt/FG-IR-23-420"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Fortinet FG-IR-24-054 du 14 mai 2024",
"url": "https://www.fortiguard.com/psirt/FG-IR-24-054"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Fortinet FG-IR-23-465 du 14 mai 2024",
"url": "https://www.fortiguard.com/psirt/FG-IR-23-465"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Fortinet FG-IR-23-415 du 14 mai 2024",
"url": "https://www.fortiguard.com/psirt/FG-IR-23-415"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Fortinet FG-IR-23-191 du 14 mai 2024",
"url": "https://www.fortiguard.com/psirt/FG-IR-23-191"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Fortinet FG-IR-24-017 du 14 mai 2024",
"url": "https://www.fortiguard.com/psirt/FG-IR-24-017"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Fortinet FG-IR-24-120 du 14 mai 2024",
"url": "https://www.fortiguard.com/psirt/FG-IR-24-120"
}
]
}
CERTFR-2024-AVI-1006
Vulnerability from certfr_avis - Published: 2024-11-20 - Updated: 2024-11-20
De multiples vulnérabilités ont été découvertes dans les produits Atlassian. Elles permettent à un attaquant de provoquer un déni de service à distance, une atteinte à la confidentialité des données et un contournement de la politique de sécurité.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Atlassian | Jira | Jira Core Data Center versions 9.12.x antérieures à 9.12.15 LTS | ||
| Atlassian | Jira | Jira Service Management Data Center versions 5.17.x antérieures à 5.17.4 | ||
| Atlassian | Jira | Jira Core Server versions 10.1.x antérieures à 10.1.1 | ||
| Atlassian | Confluence | Confluence Server versions 8.5.x antérieures à 8.5.17 LTS | ||
| Atlassian | Jira | Jira Core Server versions 9.4.x antérieures à 9.4.28 LTS | ||
| Atlassian | Jira | Jira Core Server versions 9.17.x antérieures à 9.17.4 | ||
| Atlassian | Jira | Jira Service Management Server versions 5.17.x antérieures à 5.17.4 | ||
| Atlassian | Jira | Jira Service Management Data Center versions 10.1.x antérieures à 10.1.1 | ||
| Atlassian | Confluence | Confluence Data Center versions 8.x antérieures à 8.9.8 | ||
| Atlassian | Jira | Jira Core Data Center versions 9.17.x antérieures à 9.17.4 | ||
| Atlassian | Jira | Jira Core Server versions 9.12.x antérieures à 9.12.15 LTS | ||
| Atlassian | Jira | Jira Service Management Server versions 10.1.x antérieures à 10.1.1 | ||
| Atlassian | Confluence | Confluence Server versions 8.x antérieures à 8.9.8 | ||
| Atlassian | Jira | Jira Service Management Server versions 5.12.x antérieures à 5.12.15 LTS | ||
| Atlassian | Jira | Jira Core Data Center versions 9.4.x antérieures à 9.4.28 LTS | ||
| Atlassian | Jira | Jira Service Management Server versions 5.4.x antérieures à 5.4.28 LTS | ||
| Atlassian | Jira | Jira Core Data Center versions 10.1.x antérieures à 10.1.1 | ||
| Atlassian | Confluence | Confluence Data Center versions 8.5.x antérieures à 8.5.17 LTS | ||
| Atlassian | Confluence | Confluence Data Center versions 9.x antérieures à 9.1.1 | ||
| Atlassian | Jira | Jira Service Management Data Center versions 5.12.x antérieures à 5.12.15 LTS | ||
| Atlassian | Confluence | Confluence Data Center versions 7.19.x antérieures à 7.19.29 LTS | ||
| Atlassian | Confluence | Confluence Server versions 7.19.x antérieures à 7.19.29 LTS | ||
| Atlassian | Jira | Jira Service Management Data Center versions 5.4.x antérieures à 5.4.28 LTS |
References
| Title | Publication Time | Tags | ||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Jira Core Data Center versions 9.12.x ant\u00e9rieures \u00e0 9.12.15 LTS",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Service Management Data Center versions 5.17.x ant\u00e9rieures \u00e0 5.17.4",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Core Server versions 10.1.x ant\u00e9rieures \u00e0 10.1.1",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Confluence Server versions 8.5.x ant\u00e9rieures \u00e0 8.5.17 LTS",
"product": {
"name": "Confluence",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Core Server versions 9.4.x ant\u00e9rieures \u00e0 9.4.28 LTS",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Core Server versions 9.17.x ant\u00e9rieures \u00e0 9.17.4",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Service Management Server versions 5.17.x ant\u00e9rieures \u00e0 5.17.4",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Service Management Data Center versions 10.1.x ant\u00e9rieures \u00e0 10.1.1",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Confluence Data Center versions 8.x ant\u00e9rieures \u00e0 8.9.8",
"product": {
"name": "Confluence",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Core Data Center versions 9.17.x ant\u00e9rieures \u00e0 9.17.4",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Core Server versions 9.12.x ant\u00e9rieures \u00e0 9.12.15 LTS",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Service Management Server versions 10.1.x ant\u00e9rieures \u00e0 10.1.1",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Confluence Server versions 8.x ant\u00e9rieures \u00e0 8.9.8",
"product": {
"name": "Confluence",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Service Management Server versions 5.12.x ant\u00e9rieures \u00e0 5.12.15 LTS",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Core Data Center versions 9.4.x ant\u00e9rieures \u00e0 9.4.28 LTS",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Service Management Server versions 5.4.x ant\u00e9rieures \u00e0 5.4.28 LTS",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Core Data Center versions 10.1.x ant\u00e9rieures \u00e0 10.1.1",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Confluence Data Center versions 8.5.x ant\u00e9rieures \u00e0 8.5.17 LTS",
"product": {
"name": "Confluence",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Confluence Data Center versions 9.x ant\u00e9rieures \u00e0 9.1.1",
"product": {
"name": "Confluence",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Service Management Data Center versions 5.12.x ant\u00e9rieures \u00e0 5.12.15 LTS",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Confluence Data Center versions 7.19.x ant\u00e9rieures \u00e0 7.19.29 LTS",
"product": {
"name": "Confluence",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Confluence Server versions 7.19.x ant\u00e9rieures \u00e0 7.19.29 LTS",
"product": {
"name": "Confluence",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Service Management Data Center versions 5.4.x ant\u00e9rieures \u00e0 5.4.28 LTS",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2024-4068",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-4068"
},
{
"name": "CVE-2023-46234",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-46234"
},
{
"name": "CVE-2024-30172",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-30172"
},
{
"name": "CVE-2024-45801",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45801"
},
{
"name": "CVE-2023-52428",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52428"
},
{
"name": "CVE-2024-24549",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24549"
},
{
"name": "CVE-2022-38900",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38900"
},
{
"name": "CVE-2024-38816",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38816"
}
],
"initial_release_date": "2024-11-20T00:00:00",
"last_revision_date": "2024-11-20T00:00:00",
"links": [],
"reference": "CERTFR-2024-AVI-1006",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-11-20T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Atlassian. Elles permettent \u00e0 un attaquant de provoquer un d\u00e9ni de service \u00e0 distance, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et un contournement de la politique de s\u00e9curit\u00e9.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Atlassian",
"vendor_advisories": [
{
"published_at": "2024-11-19",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian CONFSERVER-98022",
"url": "https://jira.atlassian.com/browse/CONFSERVER-98022"
},
{
"published_at": "2024-11-19",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian CONFSERVER-98299",
"url": "https://jira.atlassian.com/browse/CONFSERVER-98299"
},
{
"published_at": "2024-11-19",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian CONFSERVER-98481",
"url": "https://jira.atlassian.com/browse/CONFSERVER-98481"
},
{
"published_at": "2024-11-19",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian CONFSERVER-98442",
"url": "https://jira.atlassian.com/browse/CONFSERVER-98442"
},
{
"published_at": "2024-11-19",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSDSERVER-15626",
"url": "https://jira.atlassian.com/browse/JSDSERVER-15626"
},
{
"published_at": "2024-11-19",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSDSERVER-15689",
"url": "https://jira.atlassian.com/browse/JSDSERVER-15689"
},
{
"published_at": "2024-11-19",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian CONFSERVER-98484",
"url": "https://jira.atlassian.com/browse/CONFSERVER-98484"
},
{
"published_at": "2024-11-19",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian JRASERVER-78199",
"url": "https://jira.atlassian.com/browse/JRASERVER-78199"
},
{
"published_at": "2024-11-19",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian CONFSERVER-98231",
"url": "https://jira.atlassian.com/browse/CONFSERVER-98231"
},
{
"published_at": "2024-11-19",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian CONFSERVER-98021",
"url": "https://jira.atlassian.com/browse/CONFSERVER-98021"
}
]
}
CERTFR-2024-AVI-0218
Vulnerability from certfr_avis - Published: 2024-03-14 - Updated: 2024-03-14
De multiples vulnérabilités ont été découvertes dans Apache Tomcat. Elles permettent à un attaquant de provoquer un déni de service à distance.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Apache Tomcat versions 8.x.x ant\u00e9rieures \u00e0 8.5.99",
"product": {
"name": "Tomcat",
"vendor": {
"name": "Apache",
"scada": false
}
}
},
{
"description": "Apache Tomcat versions 10.x.x ant\u00e9rieures \u00e0 10.1.19",
"product": {
"name": "Tomcat",
"vendor": {
"name": "Apache",
"scada": false
}
}
},
{
"description": "Apache Tomcat versions 9.x.x ant\u00e9rieures \u00e0 9.0.86",
"product": {
"name": "Tomcat",
"vendor": {
"name": "Apache",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2024-23672",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-23672"
},
{
"name": "CVE-2024-24549",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24549"
}
],
"initial_release_date": "2024-03-14T00:00:00",
"last_revision_date": "2024-03-14T00:00:00",
"links": [],
"reference": "CERTFR-2024-AVI-0218",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-03-14T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Apache Tomcat.\nElles permettent \u00e0 un attaquant de provoquer un d\u00e9ni de service \u00e0\ndistance.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Apache Tomcat",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Apache Tomcat 9 du 14 mars 2024",
"url": "https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.86"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Apache Tomcat 10 du 14 mars 2024",
"url": "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.19"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Apache Tomcat 8 du 14 mars 2024",
"url": "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.99"
}
]
}
CERTFR-2024-AVI-0595
Vulnerability from certfr_avis - Published: 2024-07-17 - Updated: 2024-07-17
De multiples vulnérabilités ont été découvertes dans Oracle MYSQL. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Oracle | MySQL | MySQL Server versions 8.0.38, 8.4.1 et 9.0.0 sans les derniers correctifs de sécurité pour la vulnérabilité CVE-2024-21185 | ||
| Oracle | MySQL | MySQL Enterprise Monitor versions 8.x sans les derniers correctifs de sécurité | ||
| Oracle | MySQL | MySQL Connectors versions 8.x sans les derniers correctifs de sécurité | ||
| Oracle | MySQL | MySQL Workbench versions antérieures à 8.0.38 | ||
| Oracle | MySQL | MySQL Cluster versions 7.5.x antérieures à 7.5.35, versions 7.6.x antérieures à 7.6.31, versions 8.0.x antérieures à 8.0.38, versions 8.4.x antérieures à 8.4.1 et versions 8.1.0 et 8.3.0 sans les derniers correctifs de sécurité | ||
| Oracle | MySQL | MySQL Server versions 8.0.x antérieures à 8.0.38, versions 8.2.x et 8.3.x sans les derniers correctifs de sécurité et versions 8.4.x antérieures à 8.4.1 |
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "MySQL Server versions 8.0.38, 8.4.1 et 9.0.0 sans les derniers correctifs de s\u00e9curit\u00e9 pour la vuln\u00e9rabilit\u00e9 CVE-2024-21185",
"product": {
"name": "MySQL",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "MySQL Enterprise Monitor versions 8.x sans les derniers correctifs de s\u00e9curit\u00e9",
"product": {
"name": "MySQL",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "MySQL Connectors versions 8.x sans les derniers correctifs de s\u00e9curit\u00e9",
"product": {
"name": "MySQL",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "MySQL Workbench versions ant\u00e9rieures \u00e0 8.0.38",
"product": {
"name": "MySQL",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "MySQL Cluster versions 7.5.x ant\u00e9rieures \u00e0 7.5.35, versions 7.6.x ant\u00e9rieures \u00e0 7.6.31, versions 8.0.x ant\u00e9rieures \u00e0 8.0.38, versions 8.4.x ant\u00e9rieures \u00e0 8.4.1 et versions 8.1.0 et 8.3.0 sans les derniers correctifs de s\u00e9curit\u00e9 ",
"product": {
"name": "MySQL",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "MySQL Server versions 8.0.x ant\u00e9rieures \u00e0 8.0.38, versions 8.2.x et 8.3.x sans les derniers correctifs de s\u00e9curit\u00e9 et versions 8.4.x ant\u00e9rieures \u00e0 8.4.1",
"product": {
"name": "MySQL",
"vendor": {
"name": "Oracle",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2024-21171",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21171"
},
{
"name": "CVE-2024-21160",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21160"
},
{
"name": "CVE-2023-52425",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52425"
},
{
"name": "CVE-2024-21142",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21142"
},
{
"name": "CVE-2023-37920",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-37920"
},
{
"name": "CVE-2024-21157",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21157"
},
{
"name": "CVE-2024-21166",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21166"
},
{
"name": "CVE-2024-21177",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21177"
},
{
"name": "CVE-2024-22262",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22262"
},
{
"name": "CVE-2024-21159",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21159"
},
{
"name": "CVE-2023-48795",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-48795"
},
{
"name": "CVE-2024-21176",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21176"
},
{
"name": "CVE-2024-21179",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21179"
},
{
"name": "CVE-2024-20996",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-20996"
},
{
"name": "CVE-2024-0450",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-0450"
},
{
"name": "CVE-2024-21127",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21127"
},
{
"name": "CVE-2024-21134",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21134"
},
{
"name": "CVE-2024-21130",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21130"
},
{
"name": "CVE-2024-21135",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21135"
},
{
"name": "CVE-2024-25062",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25062"
},
{
"name": "CVE-2024-21137",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21137"
},
{
"name": "CVE-2024-21165",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21165"
},
{
"name": "CVE-2023-6129",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-6129"
},
{
"name": "CVE-2024-21185",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21185"
},
{
"name": "CVE-2024-24549",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24549"
},
{
"name": "CVE-2021-24112",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-24112"
},
{
"name": "CVE-2024-21162",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21162"
},
{
"name": "CVE-2024-21170",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21170"
},
{
"name": "CVE-2024-21125",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21125"
},
{
"name": "CVE-2024-21129",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21129"
},
{
"name": "CVE-2024-22257",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22257"
},
{
"name": "CVE-2024-21163",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21163"
},
{
"name": "CVE-2024-21173",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21173"
}
],
"initial_release_date": "2024-07-17T00:00:00",
"last_revision_date": "2024-07-17T00:00:00",
"links": [],
"reference": "CERTFR-2024-AVI-0595",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-07-17T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Oracle MYSQL. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Oracle MySQL",
"vendor_advisories": [
{
"published_at": "2024-07-16",
"title": "Bulletin de s\u00e9curit\u00e9 Oracle cpujul2024",
"url": "https://www.oracle.com/security-alerts/cpujul2024.html#AppendixMSQL"
},
{
"published_at": "2024-07-16",
"title": "Bulletin de s\u00e9curit\u00e9 Oracle cpujul2024verbose",
"url": "https://www.oracle.com/security-alerts/cpujul2024verbose.html#MSQL"
}
]
}
CERTFR-2024-AVI-0459
Vulnerability from certfr_avis - Published: 2024-05-31 - Updated: 2024-05-31
De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| IBM | N/A | IBM Db2 on Cloud Pak for Data et Db2 Warehouse on Cloud Pak for Data versions postérieures à 3.5 et antérieures à 4.8.5 | ||
| IBM | N/A | DevOps Code ClearCase versions 11.0.x sans le dernier correctif de sécurité | ||
| IBM | N/A | Rational ClearCase versions 9.1.x et 10.0.0.x sans le dernier correctif de sécurité |
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "IBM Db2 on Cloud Pak for Data et Db2 Warehouse on Cloud Pak for Data versions post\u00e9rieures \u00e0 3.5 et ant\u00e9rieures \u00e0 4.8.5",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "DevOps Code ClearCase versions 11.0.x sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Rational ClearCase versions 9.1.x et 10.0.0.x sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2024-1597",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-1597"
},
{
"name": "CVE-2023-49568",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-49568"
},
{
"name": "CVE-2024-25030",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25030"
},
{
"name": "CVE-2023-45857",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45857"
},
{
"name": "CVE-2024-23944",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-23944"
},
{
"name": "CVE-2020-9546",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9546"
},
{
"name": "CVE-2020-13956",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-13956"
},
{
"name": "CVE-2020-10673",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10673"
},
{
"name": "CVE-2020-35728",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-35728"
},
{
"name": "CVE-2020-36181",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36181"
},
{
"name": "CVE-2020-9548",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9548"
},
{
"name": "CVE-2020-36182",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36182"
},
{
"name": "CVE-2020-24616",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-24616"
},
{
"name": "CVE-2023-52296",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52296"
},
{
"name": "CVE-2020-36185",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36185"
},
{
"name": "CVE-2024-25046",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25046"
},
{
"name": "CVE-2023-50782",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-50782"
},
{
"name": "CVE-2022-36364",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36364"
},
{
"name": "CVE-2022-1996",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1996"
},
{
"name": "CVE-2019-16942",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-16942"
},
{
"name": "CVE-2019-11358",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11358"
},
{
"name": "CVE-2020-9547",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9547"
},
{
"name": "CVE-2020-36179",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36179"
},
{
"name": "CVE-2020-10650",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10650"
},
{
"name": "CVE-2023-44270",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-44270"
},
{
"name": "CVE-2020-36186",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36186"
},
{
"name": "CVE-2020-36189",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36189"
},
{
"name": "CVE-2020-35490",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-35490"
},
{
"name": "CVE-2023-34462",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34462"
},
{
"name": "CVE-2018-1313",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-1313"
},
{
"name": "CVE-2022-46337",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46337"
},
{
"name": "CVE-2021-20190",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-20190"
},
{
"name": "CVE-2019-13224",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-13224"
},
{
"name": "CVE-2019-19204",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-19204"
},
{
"name": "CVE-2020-11113",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11113"
},
{
"name": "CVE-2024-27254",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27254"
},
{
"name": "CVE-2020-10672",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10672"
},
{
"name": "CVE-2023-51074",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-51074"
},
{
"name": "CVE-2020-10969",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10969"
},
{
"name": "CVE-2020-23064",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-23064"
},
{
"name": "CVE-2024-22195",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22195"
},
{
"name": "CVE-2020-36187",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36187"
},
{
"name": "CVE-2020-11620",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11620"
},
{
"name": "CVE-2023-36478",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-36478"
},
{
"name": "CVE-2015-1832",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-1832"
},
{
"name": "CVE-2021-21295",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21295"
},
{
"name": "CVE-2020-24750",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-24750"
},
{
"name": "CVE-2024-22190",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22190"
},
{
"name": "CVE-2019-16163",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-16163"
},
{
"name": "CVE-2019-16943",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-16943"
},
{
"name": "CVE-2023-51775",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-51775"
},
{
"name": "CVE-2024-22360",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22360"
},
{
"name": "CVE-2024-26130",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26130"
},
{
"name": "CVE-2019-20330",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-20330"
},
{
"name": "CVE-2020-14195",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14195"
},
{
"name": "CVE-2023-44981",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-44981"
},
{
"name": "CVE-2018-10237",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-10237"
},
{
"name": "CVE-2020-35491",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-35491"
},
{
"name": "CVE-2019-17531",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-17531"
},
{
"name": "CVE-2023-38729",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38729"
},
{
"name": "CVE-2024-21626",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21626"
},
{
"name": "CVE-2019-19203",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-19203"
},
{
"name": "CVE-2020-14061",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14061"
},
{
"name": "CVE-2023-40167",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-40167"
},
{
"name": "CVE-2023-41900",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-41900"
},
{
"name": "CVE-2022-42004",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
},
{
"name": "CVE-2020-11619",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11619"
},
{
"name": "CVE-2020-36183",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36183"
},
{
"name": "CVE-2020-8840",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8840"
},
{
"name": "CVE-2023-36479",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-36479"
},
{
"name": "CVE-2024-24549",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24549"
},
{
"name": "CVE-2020-36184",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36184"
},
{
"name": "CVE-2020-36180",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36180"
},
{
"name": "CVE-2020-11022",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11022"
},
{
"name": "CVE-2021-31684",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31684"
},
{
"name": "CVE-2020-36518",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36518"
},
{
"name": "CVE-2023-261257",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-261257"
},
{
"name": "CVE-2023-49083",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-49083"
},
{
"name": "CVE-2023-49569",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-49569"
},
{
"name": "CVE-2020-10968",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10968"
},
{
"name": "CVE-2022-42003",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
},
{
"name": "CVE-2020-25649",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25649"
},
{
"name": "CVE-2024-0690",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-0690"
},
{
"name": "CVE-2024-22354",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22354"
},
{
"name": "CVE-2020-11112",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11112"
},
{
"name": "CVE-2019-19012",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-19012"
},
{
"name": "CVE-2020-11111",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11111"
},
{
"name": "CVE-2012-2677",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-2677"
},
{
"name": "CVE-2020-14060",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14060"
},
{
"name": "CVE-2020-36188",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36188"
},
{
"name": "CVE-2020-11023",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11023"
},
{
"name": "CVE-2020-14062",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14062"
}
],
"initial_release_date": "2024-05-31T00:00:00",
"last_revision_date": "2024-05-31T00:00:00",
"links": [],
"reference": "CERTFR-2024-AVI-0459",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-05-31T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
"vendor_advisories": [
{
"published_at": "2024-05-29",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7155114",
"url": "https://www.ibm.com/support/pages/node/7155114"
},
{
"published_at": "2024-05-28",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7155078",
"url": "https://www.ibm.com/support/pages/node/7155078"
}
]
}
CERTFR-2025-AVI-0215
Vulnerability from certfr_avis - Published: 2025-03-17 - Updated: 2025-03-17
De multiples vulnérabilités ont été découvertes dans les produits VMware. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Tanzu Gemfire Management Console versions ant\u00e9rieures \u00e0 1.3.1",
"product": {
"name": "Tanzu",
"vendor": {
"name": "VMware",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2024-24790",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24790"
},
{
"name": "CVE-2024-38286",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38286"
},
{
"name": "CVE-2024-45772",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45772"
},
{
"name": "CVE-2025-24970",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-24970"
},
{
"name": "CVE-2024-24791",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24791"
},
{
"name": "CVE-2024-22243",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22243"
},
{
"name": "CVE-2024-29857",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29857"
},
{
"name": "CVE-2024-34447",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-34447"
},
{
"name": "CVE-2024-29025",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29025"
},
{
"name": "CVE-2024-34158",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-34158"
},
{
"name": "CVE-2024-22262",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22262"
},
{
"name": "CVE-2024-38809",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38809"
},
{
"name": "CVE-2024-30172",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-30172"
},
{
"name": "CVE-2024-36124",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36124"
},
{
"name": "CVE-2024-23672",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-23672"
},
{
"name": "CVE-2024-8184",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-8184"
},
{
"name": "CVE-2024-56337",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56337"
},
{
"name": "CVE-2024-6763",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-6763"
},
{
"name": "CVE-2024-38827",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38827"
},
{
"name": "CVE-2024-34156",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-34156"
},
{
"name": "CVE-2024-47535",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47535"
},
{
"name": "CVE-2023-52428",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52428"
},
{
"name": "CVE-2024-38821",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38821"
},
{
"name": "CVE-2024-34750",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-34750"
},
{
"name": "CVE-2024-38828",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38828"
},
{
"name": "CVE-2024-24549",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24549"
},
{
"name": "CVE-2024-38808",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38808"
},
{
"name": "CVE-2025-25193",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-25193"
},
{
"name": "CVE-2024-30171",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-30171"
},
{
"name": "CVE-2024-22259",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22259"
},
{
"name": "CVE-2024-22257",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22257"
},
{
"name": "CVE-2024-50379",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50379"
},
{
"name": "CVE-2024-38816",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38816"
},
{
"name": "CVE-2024-52317",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-52317"
},
{
"name": "CVE-2024-34155",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-34155"
},
{
"name": "CVE-2024-32473",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-32473"
},
{
"name": "CVE-2024-24789",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24789"
}
],
"initial_release_date": "2025-03-17T00:00:00",
"last_revision_date": "2025-03-17T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0215",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-03-17T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits VMware. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance et un contournement de la politique de s\u00e9curit\u00e9.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans VMware Tanzu Gemfire",
"vendor_advisories": [
{
"published_at": "2025-03-14",
"title": "Bulletin de s\u00e9curit\u00e9 VMware 25509",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25509"
}
]
}
CVE-2024-24549
Vulnerability from fstec - Published: 13.03.2024
VLAI Severity ?
Title
Уязвимость сервера приложений Apache Tomcat, связанная с недостаточной проверкой вводимых данных, позволяющая нарушителю вызвать отказ в обслуживании
Description
Уязвимость сервера приложений Apache Tomcat связана с недостаточной проверкой вводимых данных. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, вызвать отказ в обслуживании с помощью специально созданных HTTP/2-запросов
Severity ?
Vendor
Red Hat Inc., Novell Inc., Сообщество свободного программного обеспечения, ООО «Ред Софт», АО «ИВК», АО «НТЦ ИТ РОСА», Apache Software Foundation, АО "НППКТ", Axiom JDK
Software Name
Red Hat Enterprise Linux, SUSE Linux Enterprise Server for SAP Applications, Suse Linux Enterprise Server, Debian GNU/Linux, РЕД ОС (запись в едином реестре российских программ №3751), Альт 8 СП (запись в едином реестре российских программ №4305), РОСА ХРОМ (запись в едином реестре российских программ №1607), АЛЬТ СП 10, Red Hat JBoss Web Server, Tomcat, Jboss Web Server, ОСОН ОСнова Оnyx (запись в едином реестре российских программ №5913), Libercat Certified (запись в едином реестре российских программ №22725; 9208)
Software Version
7 (Red Hat Enterprise Linux), 12 SP2 (SUSE Linux Enterprise Server for SAP Applications), 12 SP3 (SUSE Linux Enterprise Server for SAP Applications), 12 SP4 (SUSE Linux Enterprise Server for SAP Applications), 12 SP3 (Suse Linux Enterprise Server), 12 SP4 (Suse Linux Enterprise Server), 8 (Red Hat Enterprise Linux), 12 SP2-BCL (Suse Linux Enterprise Server), 12 SP2-ESPOS (Suse Linux Enterprise Server), 15 (SUSE Linux Enterprise Server for SAP Applications), 15 SP1 (SUSE Linux Enterprise Server for SAP Applications), 12 SP2-LTSS (Suse Linux Enterprise Server), 12 SP3-LTSS (Suse Linux Enterprise Server), 12 SP3-BCL (Suse Linux Enterprise Server), 12 SP5 (Suse Linux Enterprise Server), 12 SP5 (SUSE Linux Enterprise Server for SAP Applications), 10 (Debian GNU/Linux), 12 SP3-ESPOS (Suse Linux Enterprise Server), 12 SP2 (Suse Linux Enterprise Server), 15-LTSS (Suse Linux Enterprise Server), 12 SP4-ESPOS (Suse Linux Enterprise Server), 12 SP4-LTSS (Suse Linux Enterprise Server), 15 SP1-BCL (Suse Linux Enterprise Server), 15 SP1-LTSS (Suse Linux Enterprise Server), 15 SP1 (Suse Linux Enterprise Server), 11 (Debian GNU/Linux), 12 (Debian GNU/Linux), 7.3 (РЕД ОС), 15 SP3 (Suse Linux Enterprise Server), 15 SP3 (SUSE Linux Enterprise Server for SAP Applications), 15 SP2 (Suse Linux Enterprise Server), 15 SP2 (SUSE Linux Enterprise Server for SAP Applications), - (Альт 8 СП), 15 SP4 (Suse Linux Enterprise Server), 15 (Suse Linux Enterprise Server), 15 SP2-BCL (Suse Linux Enterprise Server), 15 SP4 (SUSE Linux Enterprise Server for SAP Applications), 9 (Red Hat Enterprise Linux), 15 SP2-LTSS (Suse Linux Enterprise Server), 15 SP3-LTSS (Suse Linux Enterprise Server), 15 SP3-BCL (Suse Linux Enterprise Server), 15 SP5 (SUSE Linux Enterprise Server for SAP Applications), 15 SP5 (Suse Linux Enterprise Server), 12.4 (РОСА ХРОМ), - (АЛЬТ СП 10), 5.7 on RHEL7 (Red Hat JBoss Web Server), 5.7 on RHEL 8 (Red Hat JBoss Web Server), 5.7 on RHEL 9 (Red Hat JBoss Web Server), 15 SP4-LTSS (Suse Linux Enterprise Server), от 11.0.0-M1 до 11.0.0-M17 (Tomcat), от 10.1.0-M1 до 10.1.19 (Tomcat), от 9.0.0-M1 до 9.0.86 (Tomcat), от 8.5.0 до 8.5.99 (Tomcat), 5.7.8 (Jboss Web Server), 6.0.1 (Jboss Web Server), 6.0 on RHEL 8 (Red Hat JBoss Web Server), 6.0 on RHEL 9 (Red Hat JBoss Web Server), до 2.11 (ОСОН ОСнова Оnyx), до 9.0.88-2 (Libercat Certified), до 10.1.20-2 (Libercat Certified)
Possible Mitigations
Использование рекомендаций:
Для Apache Tomcat:
https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg
Для программных продуктов Novell Inc.:
https://www.suse.com/security/cve/CVE-2024-24549.html
Для Debian GNU/Linux:
https://security-tracker.debian.org/tracker/CVE-2024-24549
Для программных продуктов Red Hat Inc.:
https://access.redhat.com/security/cve/CVE-2024-24549
Компенсирующие меры:
- использование систем обнаружения и предотвращения вторжений, позволяющих предотвратить реализацию атаки CONTINUATION Floud;
- ограничить использование протокола HTTP/2 (перейти на HTTP /1.1).
Для ОСОН ОСнова Оnyx (2.11):
Обновление программного обеспечения tomcat9 до версии 9.0.43+repack-2~deb11u10.osnova1
Для ОС АЛЬТ СП 10: установка обновления из публичного репозитория программного средства: https://altsp.su/obnovleniya-bezopasnosti/
Для ОС Альт 8 СП: установка обновления из публичного репозитория программного средства: https://altsp.su/obnovleniya-bezopasnosti/
Для операционной системы РОСА ХРОМ: https://abf.rosa.ru/advisories/ROSA-SA-2025-2944
Для Libercat Certified:
Обновление ПО до актуальной версии
Для операционной системы РОСА ХРОМ: https://abf.rosa.ru/advisories/ROSA-SA-2025-2944
Для РедОС:
http://repo.red-soft.ru/redos/7.3c/x86_64/updates/
Reference
https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg
https://www.suse.com/security/cve/CVE-2024-24549.html
https://security-tracker.debian.org/tracker/CVE-2024-24549
https://access.redhat.com/security/cve/CVE-2024-24549
https://www.cybersecurity-help.cz/vdb/SB2024031386
https://поддержка.нппкт.рф/bin/view/ОСнова/Обновления/2.11/
https://altsp.su/obnovleniya-bezopasnosti/
https://altsp.su/obnovleniya-bezopasnosti/
https://abf.rosa.ru/advisories/ROSA-SA-2025-2944
https://abf.rosa.ru/advisories/ROSA-SA-2025-2944
http://repo.red-soft.ru/redos/7.3c/x86_64/updates/
CWE
CWE-20
{
"CVSS 2.0": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "TO1830, TO1832",
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": "TO1830 \u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 Apache Tomcat, TO1832 \u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 Apache Tomcat",
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Red Hat Inc., Novell Inc., \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f, \u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb, \u0410\u041e \u00ab\u0418\u0412\u041a\u00bb, \u0410\u041e \u00ab\u041d\u0422\u0426 \u0418\u0422 \u0420\u041e\u0421\u0410\u00bb, Apache Software Foundation, \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\", Axiom JDK",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "7 (Red Hat Enterprise Linux), 12 SP2 (SUSE Linux Enterprise Server for SAP Applications), 12 SP3 (SUSE Linux Enterprise Server for SAP Applications), 12 SP4 (SUSE Linux Enterprise Server for SAP Applications), 12 SP3 (Suse Linux Enterprise Server), 12 SP4 (Suse Linux Enterprise Server), 8 (Red Hat Enterprise Linux), 12 SP2-BCL (Suse Linux Enterprise Server), 12 SP2-ESPOS (Suse Linux Enterprise Server), 15 (SUSE Linux Enterprise Server for SAP Applications), 15 SP1 (SUSE Linux Enterprise Server for SAP Applications), 12 SP2-LTSS (Suse Linux Enterprise Server), 12 SP3-LTSS (Suse Linux Enterprise Server), 12 SP3-BCL (Suse Linux Enterprise Server), 12 SP5 (Suse Linux Enterprise Server), 12 SP5 (SUSE Linux Enterprise Server for SAP Applications), 10 (Debian GNU/Linux), 12 SP3-ESPOS (Suse Linux Enterprise Server), 12 SP2 (Suse Linux Enterprise Server), 15-LTSS (Suse Linux Enterprise Server), 12 SP4-ESPOS (Suse Linux Enterprise Server), 12 SP4-LTSS (Suse Linux Enterprise Server), 15 SP1-BCL (Suse Linux Enterprise Server), 15 SP1-LTSS (Suse Linux Enterprise Server), 15 SP1 (Suse Linux Enterprise Server), 11 (Debian GNU/Linux), 12 (Debian GNU/Linux), 7.3 (\u0420\u0415\u0414 \u041e\u0421), 15 SP3 (Suse Linux Enterprise Server), 15 SP3 (SUSE Linux Enterprise Server for SAP Applications), 15 SP2 (Suse Linux Enterprise Server), 15 SP2 (SUSE Linux Enterprise Server for SAP Applications), - (\u0410\u043b\u044c\u0442 8 \u0421\u041f), 15 SP4 (Suse Linux Enterprise Server), 15 (Suse Linux Enterprise Server), 15 SP2-BCL (Suse Linux Enterprise Server), 15 SP4 (SUSE Linux Enterprise Server for SAP Applications), 9 (Red Hat Enterprise Linux), 15 SP2-LTSS (Suse Linux Enterprise Server), 15 SP3-LTSS (Suse Linux Enterprise Server), 15 SP3-BCL (Suse Linux Enterprise Server), 15 SP5 (SUSE Linux Enterprise Server for SAP Applications), 15 SP5 (Suse Linux Enterprise Server), 12.4 (\u0420\u041e\u0421\u0410 \u0425\u0420\u041e\u041c), - (\u0410\u041b\u042c\u0422 \u0421\u041f 10), 5.7 on RHEL7 (Red Hat JBoss Web Server), 5.7 on RHEL 8 (Red Hat JBoss Web Server), 5.7 on RHEL 9 (Red Hat JBoss Web Server), 15 SP4-LTSS (Suse Linux Enterprise Server), \u043e\u0442 11.0.0-M1 \u0434\u043e 11.0.0-M17 (Tomcat), \u043e\u0442 10.1.0-M1 \u0434\u043e 10.1.19 (Tomcat), \u043e\u0442 9.0.0-M1 \u0434\u043e 9.0.86 (Tomcat), \u043e\u0442 8.5.0 \u0434\u043e 8.5.99 (Tomcat), 5.7.8 (Jboss Web Server), 6.0.1 (Jboss Web Server), 6.0 on RHEL 8 (Red Hat JBoss Web Server), 6.0 on RHEL 9 (Red Hat JBoss Web Server), \u0434\u043e 2.11 (\u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx), \u0434\u043e 9.0.88-2 (Libercat Certified), \u0434\u043e 10.1.20-2 (Libercat Certified)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\n\u0414\u043b\u044f Apache Tomcat:\nhttps://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Novell Inc.:\nhttps://www.suse.com/security/cve/CVE-2024-24549.html\n\n\u0414\u043b\u044f Debian GNU/Linux:\nhttps://security-tracker.debian.org/tracker/CVE-2024-24549\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Red Hat Inc.:\nhttps://access.redhat.com/security/cve/CVE-2024-24549\n\n\u041a\u043e\u043c\u043f\u0435\u043d\u0441\u0438\u0440\u0443\u044e\u0449\u0438\u0435 \u043c\u0435\u0440\u044b:\n- \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u0438\u044f \u0438 \u043f\u0440\u0435\u0434\u043e\u0442\u0432\u0440\u0430\u0449\u0435\u043d\u0438\u044f \u0432\u0442\u043e\u0440\u0436\u0435\u043d\u0438\u0439, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0438\u0445 \u043f\u0440\u0435\u0434\u043e\u0442\u0432\u0440\u0430\u0442\u0438\u0442\u044c \u0440\u0435\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u044e \u0430\u0442\u0430\u043a\u0438 CONTINUATION Floud;\n- \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0438\u0442\u044c \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u043f\u0440\u043e\u0442\u043e\u043a\u043e\u043b\u0430 HTTP/2 (\u043f\u0435\u0440\u0435\u0439\u0442\u0438 \u043d\u0430 HTTP /1.1).\n\n\u0414\u043b\u044f \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx (2.11):\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f tomcat9 \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 9.0.43+repack-2~deb11u10.osnova1\n\n\u0414\u043b\u044f \u041e\u0421 \u0410\u041b\u042c\u0422 \u0421\u041f 10: \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0430 \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f \u0438\u0437 \u043f\u0443\u0431\u043b\u0438\u0447\u043d\u043e\u0433\u043e \u0440\u0435\u043f\u043e\u0437\u0438\u0442\u043e\u0440\u0438\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430: https://altsp.su/obnovleniya-bezopasnosti/\n\n\u0414\u043b\u044f \u041e\u0421 \u0410\u043b\u044c\u0442 8 \u0421\u041f: \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0430 \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f \u0438\u0437 \u043f\u0443\u0431\u043b\u0438\u0447\u043d\u043e\u0433\u043e \u0440\u0435\u043f\u043e\u0437\u0438\u0442\u043e\u0440\u0438\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430: https://altsp.su/obnovleniya-bezopasnosti/\n\n\u0414\u043b\u044f \u043e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u043e\u0439 \u0441\u0438\u0441\u0442\u0435\u043c\u044b \u0420\u041e\u0421\u0410 \u0425\u0420\u041e\u041c: https://abf.rosa.ru/advisories/ROSA-SA-2025-2944\n\n\u0414\u043b\u044f Libercat Certified:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u041f\u041e \u0434\u043e \u0430\u043a\u0442\u0443\u0430\u043b\u044c\u043d\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438\n\n\u0414\u043b\u044f \u043e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u043e\u0439 \u0441\u0438\u0441\u0442\u0435\u043c\u044b \u0420\u041e\u0421\u0410 \u0425\u0420\u041e\u041c: https://abf.rosa.ru/advisories/ROSA-SA-2025-2944\n\n\u0414\u043b\u044f \u0420\u0435\u0434\u041e\u0421: \nhttp://repo.red-soft.ru/redos/7.3c/x86_64/updates/",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "13.03.2024",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "30.09.2025",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "04.04.2024",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2024-02608",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2024-24549",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Red Hat Enterprise Linux, SUSE Linux Enterprise Server for SAP Applications, Suse Linux Enterprise Server, Debian GNU/Linux, \u0420\u0415\u0414 \u041e\u0421 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), \u0410\u043b\u044c\u0442 8 \u0421\u041f (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21164305), \u0420\u041e\u0421\u0410 \u0425\u0420\u041e\u041c (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21161607), \u0410\u041b\u042c\u0422 \u0421\u041f 10, Red Hat JBoss Web Server, Tomcat, Jboss Web Server, \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913), Libercat Certified (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u211622725; 9208)",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "Red Hat Inc. Red Hat Enterprise Linux 7 , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP2 , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP3 , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP4 , Novell Inc. Suse Linux Enterprise Server 12 SP3 , Novell Inc. Suse Linux Enterprise Server 12 SP4 , Red Hat Inc. Red Hat Enterprise Linux 8 , Novell Inc. Suse Linux Enterprise Server 12 SP2-BCL , Novell Inc. Suse Linux Enterprise Server 12 SP2-ESPOS , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP1 , Novell Inc. Suse Linux Enterprise Server 12 SP2-LTSS , Novell Inc. Suse Linux Enterprise Server 12 SP3-LTSS , Novell Inc. Suse Linux Enterprise Server 12 SP3-BCL , Novell Inc. Suse Linux Enterprise Server 12 SP5 , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP5 , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 10 , Novell Inc. Suse Linux Enterprise Server 12 SP3-ESPOS , Novell Inc. Suse Linux Enterprise Server 12 SP2 , Novell Inc. Suse Linux Enterprise Server 15-LTSS , Novell Inc. Suse Linux Enterprise Server 12 SP4-ESPOS , Novell Inc. Suse Linux Enterprise Server 12 SP4-LTSS , Novell Inc. Suse Linux Enterprise Server 15 SP1-BCL , Novell Inc. Suse Linux Enterprise Server 15 SP1-LTSS , Novell Inc. Suse Linux Enterprise Server 15 SP1 , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 11 , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 12 , \u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb \u0420\u0415\u0414 \u041e\u0421 7.3 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), Novell Inc. Suse Linux Enterprise Server 15 SP3 , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP3 , Novell Inc. Suse Linux Enterprise Server 15 SP2 , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP2 , \u0410\u041e \u00ab\u0418\u0412\u041a\u00bb \u0410\u043b\u044c\u0442 8 \u0421\u041f - (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21164305), Novell Inc. Suse Linux Enterprise Server 15 SP4 , Novell Inc. Suse Linux Enterprise Server 15 , Novell Inc. Suse Linux Enterprise Server 15 SP2-BCL , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP4 , Red Hat Inc. Red Hat Enterprise Linux 9 , Novell Inc. Suse Linux Enterprise Server 15 SP2-LTSS , Novell Inc. Suse Linux Enterprise Server 15 SP3-LTSS , Novell Inc. Suse Linux Enterprise Server 15 SP3-BCL , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP5 , Novell Inc. Suse Linux Enterprise Server 15 SP5 , \u0410\u041e \u00ab\u041d\u0422\u0426 \u0418\u0422 \u0420\u041e\u0421\u0410\u00bb \u0420\u041e\u0421\u0410 \u0425\u0420\u041e\u041c 12.4 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21161607), \u0410\u041e \u00ab\u0418\u0412\u041a\u00bb \u0410\u041b\u042c\u0422 \u0421\u041f 10 - , Novell Inc. Suse Linux Enterprise Server 15 SP4-LTSS , \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\" \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx \u0434\u043e 2.11 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913)",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0441\u0435\u0440\u0432\u0435\u0440\u0430 \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0439 Apache Tomcat, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043e\u0447\u043d\u043e\u0439 \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u043e\u0439 \u0432\u0432\u043e\u0434\u0438\u043c\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043e\u0447\u043d\u0430\u044f \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0430 \u0432\u0432\u043e\u0434\u0438\u043c\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445 (CWE-20)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0441\u0435\u0440\u0432\u0435\u0440\u0430 \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0439 Apache Tomcat \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043e\u0447\u043d\u043e\u0439 \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u043e\u0439 \u0432\u0432\u043e\u0434\u0438\u043c\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u0441\u043e\u0437\u0434\u0430\u043d\u043d\u044b\u0445 HTTP/2-\u0437\u0430\u043f\u0440\u043e\u0441\u043e\u0432",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u0441\u0443\u0440\u0441\u0430\u043c\u0438",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg\nhttps://www.suse.com/security/cve/CVE-2024-24549.html\nhttps://security-tracker.debian.org/tracker/CVE-2024-24549\nhttps://access.redhat.com/security/cve/CVE-2024-24549\nhttps://www.cybersecurity-help.cz/vdb/SB2024031386\nhttps://\u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u0430.\u043d\u043f\u043f\u043a\u0442.\u0440\u0444/bin/view/\u041e\u0421\u043d\u043e\u0432\u0430/\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f/2.11/\nhttps://altsp.su/obnovleniya-bezopasnosti/\nhttps://altsp.su/obnovleniya-bezopasnosti/\nhttps://abf.rosa.ru/advisories/ROSA-SA-2025-2944\nhttps://abf.rosa.ru/advisories/ROSA-SA-2025-2944\nhttp://repo.red-soft.ru/redos/7.3c/x86_64/updates/",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c, \u041f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e \u0437\u0430\u0449\u0438\u0442\u044b",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-20",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,8)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.1 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,5)"
}
GSD-2024-24549
Vulnerability from gsd - Updated: 2024-01-26 06:02Details
Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.
Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
Aliases
{
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2024-24549"
],
"details": "Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.\n\nUsers are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.\n\n",
"id": "GSD-2024-24549",
"modified": "2024-01-26T06:02:25.986887Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2024-24549",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Tomcat",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "11.0.0-M1",
"version_value": "11.0.0-M16"
},
{
"version_affected": "\u003c=",
"version_name": "10.1.0-M1",
"version_value": "10.1.18"
},
{
"version_affected": "\u003c=",
"version_name": "9.0.0-M1",
"version_value": "9.0.85"
},
{
"version_affected": "\u003c=",
"version_name": "8.5.0",
"version_value": "8.5.98"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credits": [
{
"lang": "en",
"value": "Bartek Nowotarski"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.\n\nUsers are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.\n\n"
}
]
},
"generator": {
"engine": "Vulnogram 0.1.0-dev"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-20",
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg"
},
{
"name": "https://security.netapp.com/advisory/ntap-20240402-0002/",
"refsource": "MISC",
"url": "https://security.netapp.com/advisory/ntap-20240402-0002/"
},
{
"name": "https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html",
"refsource": "MISC",
"url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
},
"nvd.nist.gov": {
"cve": {
"descriptions": [
{
"lang": "en",
"value": "Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.\n\nUsers are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.\n\n"
},
{
"lang": "es",
"value": "Denegaci\u00f3n de servicio debido a una vulnerabilidad de validaci\u00f3n de entrada incorrecta para solicitudes HTTP/2 en Apache Tomcat. Al procesar una solicitud HTTP/2, si la solicitud exced\u00eda cualquiera de los l\u00edmites configurados para los encabezados, la secuencia HTTP/2 asociada no se restablec\u00eda hasta que se hubieran procesado todos los encabezados. Este problema afecta a Apache Tomcat: desde 11.0.0- M1 hasta 11.0.0-M16, desde 10.1.0-M1 hasta 10.1.18, desde 9.0.0-M1 hasta 9.0.85, desde 8.5.0 hasta 8.5.98. Se recomienda a los usuarios actualizar a la versi\u00f3n 11.0.0-M17, 10.1.19, 9.0.86 u 8.5.99, que solucionan el problema."
}
],
"id": "CVE-2024-24549",
"lastModified": "2024-04-06T06:15:08.030",
"metrics": {},
"published": "2024-03-13T16:15:29.373",
"references": [
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg"
},
{
"source": "security@apache.org",
"url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html"
},
{
"source": "security@apache.org",
"url": "https://security.netapp.com/advisory/ntap-20240402-0002/"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "security@apache.org",
"type": "Primary"
}
]
}
}
}
}
bit-tomcat-2024-24549
Vulnerability from bitnami_vulndb
Published
2025-07-17 08:09
Modified
2025-11-06 13:25
Summary
Apache Tomcat: HTTP/2 header handling DoS
Details
Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Other, older, EOL versions may also be affected.
Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
{
"affected": [
{
"package": {
"ecosystem": "Bitnami",
"name": "tomcat",
"purl": "pkg:bitnami/tomcat"
},
"ranges": [
{
"events": [
{
"introduced": "8.5.0"
},
{
"fixed": "8.5.99"
},
{
"introduced": "9.0.0"
},
{
"fixed": "9.0.86"
},
{
"introduced": "10.0.0"
},
{
"fixed": "10.1.19"
}
],
"type": "SEMVER"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
],
"aliases": [
"CVE-2024-24549"
],
"database_specific": {
"cpes": [
"cpe:2.3:a:apache:tomcat:*:*:*:*:*:maven:*:*"
],
"severity": "High"
},
"details": "Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.\u00a0Other, older, EOL versions may also be affected.\n\nUsers are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.",
"id": "BIT-tomcat-2024-24549",
"modified": "2025-11-06T13:25:46.476Z",
"published": "2025-07-17T08:09:49.355Z",
"references": [
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/03/13/3"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B/"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55/"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24549"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240402-0002/"
}
],
"schema_version": "1.6.2",
"summary": "Apache Tomcat: HTTP/2 header handling DoS"
}
CNVD-2024-13568
Vulnerability from cnvd - Published: 2024-03-18
VLAI Severity ?
Title
Apache Tomcat输入验证错误漏洞
Description
Apache Tomcat是美国阿帕奇(Apache)基金会的一款轻量级Web应用服务器。该程序实现了对Servlet和JavaServer Page(JSP)的支持。
Apache Tomcat存在输入验证错误漏洞,攻击者可利用该漏洞导致拒绝服务。
Severity
高
Patch Name
Apache Tomcat输入验证错误漏洞的补丁
Patch Description
Apache Tomcat是美国阿帕奇(Apache)基金会的一款轻量级Web应用服务器。该程序实现了对Servlet和JavaServer Page(JSP)的支持。
Apache Tomcat存在输入验证错误漏洞,攻击者可利用该漏洞导致拒绝服务。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description
厂商已发布了漏洞修复程序,请及时关注更新: https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg
Reference
https://cxsecurity.com/cveshow/CVE-2024-24549/
Impacted products
| Name | ['Apache Tomcat >=11.0.0-M1,<=11.0.0-M16', 'Apache Tomcat >=10.1.0-M1,<=10.1.18', 'Apache Tomcat >=9.0.0-M1,<=9.0.85', 'Apache Tomcat >=8.5.0,<=8.5.98'] |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2024-24549"
}
},
"description": "Apache Tomcat\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u8f7b\u91cf\u7ea7Web\u5e94\u7528\u670d\u52a1\u5668\u3002\u8be5\u7a0b\u5e8f\u5b9e\u73b0\u4e86\u5bf9Servlet\u548cJavaServer Page\uff08JSP\uff09\u7684\u652f\u6301\u3002\n\nApache Tomcat\u5b58\u5728\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\u3002",
"formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2024-13568",
"openTime": "2024-03-18",
"patchDescription": "Apache Tomcat\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u8f7b\u91cf\u7ea7Web\u5e94\u7528\u670d\u52a1\u5668\u3002\u8be5\u7a0b\u5e8f\u5b9e\u73b0\u4e86\u5bf9Servlet\u548cJavaServer Page\uff08JSP\uff09\u7684\u652f\u6301\u3002\r\n\r\nApache Tomcat\u5b58\u5728\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "Apache Tomcat\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\u7684\u8865\u4e01",
"products": {
"product": [
"Apache Tomcat \u003e=11.0.0-M1\uff0c\u003c=11.0.0-M16",
"Apache Tomcat \u003e=10.1.0-M1\uff0c\u003c=10.1.18",
"Apache Tomcat \u003e=9.0.0-M1\uff0c\u003c=9.0.85",
"Apache Tomcat \u003e=8.5.0\uff0c\u003c=8.5.98"
]
},
"referenceLink": "https://cxsecurity.com/cveshow/CVE-2024-24549/",
"serverity": "\u9ad8",
"submitTime": "2024-03-15",
"title": "Apache Tomcat\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e"
}
JVNDB-2024-009498
Vulnerability from jvndb - Published: 2024-10-01 16:01 - Updated:2024-10-01 16:01Summary
Vulnerability in Cosminexus
Details
Vulnerability has been found in Cosminexus.
References
| Type | URL | |
|---|---|---|
Impacted products
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-009498.html",
"dc:date": "2024-10-01T16:01+09:00",
"dcterms:issued": "2024-10-01T16:01+09:00",
"dcterms:modified": "2024-10-01T16:01+09:00",
"description": "Vulnerability has been found in Cosminexus.",
"link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-009498.html",
"sec:cpe": [
{
"#text": "cpe:/a:hitachi:hitachi_application_server_r",
"@product": "uCosminexus Application Server-R",
"@vendor": "Hitachi, Ltd",
"@version": "2.2"
},
{
"#text": "cpe:/a:hitachi:ucosminexus_application_server",
"@product": "uCosminexus Application Server",
"@vendor": "Hitachi, Ltd",
"@version": "2.2"
},
{
"#text": "cpe:/a:hitachi:ucosminexus_developer",
"@product": "uCosminexus Developer",
"@vendor": "Hitachi, Ltd",
"@version": "2.2"
},
{
"#text": "cpe:/a:hitachi:ucosminexus_primary_server_base",
"@product": "uCosminexus Primary Server Base",
"@vendor": "Hitachi, Ltd",
"@version": "2.2"
},
{
"#text": "cpe:/a:hitachi:ucosminexus_service_architect",
"@product": "uCosminexus Service Architect",
"@vendor": "Hitachi, Ltd",
"@version": "2.2"
},
{
"#text": "cpe:/a:hitachi:ucosminexus_service_platform",
"@product": "uCosminexus Service Platform",
"@vendor": "Hitachi, Ltd",
"@version": "2.2"
}
],
"sec:identifier": "JVNDB-2024-009498",
"sec:references": {
"#text": "https://www.cve.org/CVERecord?id=CVE-2024-24549",
"@id": "CVE-2024-24549",
"@source": "CVE"
},
"title": "Vulnerability in Cosminexus"
}
CVE-2024-24549
Vulnerability from osv_almalinux
Published
2024-05-23 00:00
Modified
2024-05-28 10:01
Summary
Important: tomcat security and bug fix update
Details
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.
Security Fix(es):
- Apache Tomcat: HTTP/2 header handling DoS (CVE-2024-24549)
- Apache Tomcat: WebSocket DoS with incomplete closing handshake (CVE-2024-23672)
Bug Fix(es) and Enhancement(s):
- Rebase tomcat to version 9.0.87 (JIRA:AlmaLinux-34815)
- Amend tomcat's changelog so that fixed CVEs are mentioned explicitly (JIRA:AlmaLinux-35328)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "tomcat"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:9.0.87-1.el9_4.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "tomcat-admin-webapps"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:9.0.87-1.el9_4.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "tomcat-docs-webapp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:9.0.87-1.el9_4.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "tomcat-el-3.0-api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:9.0.87-1.el9_4.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "tomcat-jsp-2.3-api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:9.0.87-1.el9_4.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "tomcat-lib"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:9.0.87-1.el9_4.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "tomcat-servlet-4.0-api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:9.0.87-1.el9_4.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "tomcat-webapps"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:9.0.87-1.el9_4.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.\n\nSecurity Fix(es):\n\n* Apache Tomcat: HTTP/2 header handling DoS (CVE-2024-24549)\n* Apache Tomcat: WebSocket DoS with incomplete closing handshake (CVE-2024-23672)\n\nBug Fix(es) and Enhancement(s):\n\n* Rebase tomcat to version 9.0.87 (JIRA:AlmaLinux-34815)\n* Amend tomcat\u0027s changelog so that fixed CVEs are mentioned explicitly (JIRA:AlmaLinux-35328)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section.",
"id": "ALSA-2024:3307",
"modified": "2024-05-28T10:01:45Z",
"published": "2024-05-23T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2024:3307"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-23672"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-24549"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2269607"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2269608"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/9/ALSA-2024-3307.html"
}
],
"related": [
"CVE-2024-24549",
"CVE-2024-23672"
],
"summary": "Important: tomcat security and bug fix update"
}
CVE-2024-24549
Vulnerability from osv_almalinux
Published
2024-06-06 00:00
Modified
2024-06-06 12:55
Summary
Important: tomcat security and bug fix update
Details
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.
Security Fix(es):
- Apache Tomcat: HTTP/2 header handling DoS (CVE-2024-24549)
- Apache Tomcat: WebSocket DoS with incomplete closing handshake (CVE-2024-23672)
Bug Fix(es):
- Rebase tomcat to version 9.0.87 (JIRA:AlmaLinux-35813)
- Amend tomcat package's changelog so that fixed CVEs are mentioned explicitly (JIRA:AlmaLinux-38548)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "tomcat"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:9.0.87-1.el8_10.1.alma.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "tomcat-admin-webapps"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:9.0.87-1.el8_10.1.alma.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "tomcat-docs-webapp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:9.0.87-1.el8_10.1.alma.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "tomcat-el-3.0-api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:9.0.87-1.el8_10.1.alma.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "tomcat-jsp-2.3-api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:9.0.87-1.el8_10.1.alma.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "tomcat-lib"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:9.0.87-1.el8_10.1.alma.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "tomcat-servlet-4.0-api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:9.0.87-1.el8_10.1.alma.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "tomcat-webapps"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:9.0.87-1.el8_10.1.alma.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.\n\nSecurity Fix(es):\n\n* Apache Tomcat: HTTP/2 header handling DoS (CVE-2024-24549)\n* Apache Tomcat: WebSocket DoS with incomplete closing handshake (CVE-2024-23672)\n\nBug Fix(es):\n\n* Rebase tomcat to version 9.0.87 (JIRA:AlmaLinux-35813)\n* Amend tomcat package\u0027s changelog so that fixed CVEs are mentioned explicitly (JIRA:AlmaLinux-38548)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"id": "ALSA-2024:3666",
"modified": "2024-06-06T12:55:40Z",
"published": "2024-06-06T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2024:3666"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-23672"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-24549"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2269607"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2269608"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/8/ALSA-2024-3666.html"
}
],
"related": [
"CVE-2024-24549",
"CVE-2024-23672"
],
"summary": "Important: tomcat security and bug fix update"
}
GHSA-7W75-32CG-R6G2
Vulnerability from github – Published: 2024-03-13 18:31 – Updated: 2025-10-29 14:49
VLAI?
Summary
Apache Tomcat Denial of Service due to improper input validation vulnerability for HTTP/2 requests
Details
Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.
Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
Severity ?
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 11.0.0-M16"
},
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat-coyote"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0-M1"
},
{
"fixed": "11.0.0-M17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.1.18"
},
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat-coyote"
},
"ranges": [
{
"events": [
{
"introduced": "10.1.0-M1"
},
{
"fixed": "10.1.19"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.0.85"
},
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat-coyote"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0-M1"
},
{
"fixed": "9.0.86"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.5.98"
},
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat-coyote"
},
"ranges": [
{
"events": [
{
"introduced": "8.5.0"
},
{
"fixed": "8.5.99"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.5.98"
},
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat.embed:tomcat-embed-core"
},
"ranges": [
{
"events": [
{
"introduced": "8.5.0"
},
{
"fixed": "8.5.99"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.0.85"
},
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat.embed:tomcat-embed-core"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0-M1"
},
{
"fixed": "9.0.86"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.1.18"
},
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat.embed:tomcat-embed-core"
},
"ranges": [
{
"events": [
{
"introduced": "10.1.0-M1"
},
{
"fixed": "10.1.19"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 11.0.0-M16"
},
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat.embed:tomcat-embed-core"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0-M1"
},
{
"fixed": "11.0.0-M17"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-24549"
],
"database_specific": {
"cwe_ids": [
"CWE-20"
],
"github_reviewed": true,
"github_reviewed_at": "2024-03-15T16:27:53Z",
"nvd_published_at": "2024-03-13T16:15:29Z",
"severity": "MODERATE"
},
"details": "Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.\n\nUsers are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.",
"id": "GHSA-7w75-32cg-r6g2",
"modified": "2025-10-29T14:49:23Z",
"published": "2024-03-13T18:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24549"
},
{
"type": "WEB",
"url": "https://github.com/apache/tomcat/commit/0cac540a882220231ba7a82330483cbd5f6b1f96"
},
{
"type": "WEB",
"url": "https://github.com/apache/tomcat/commit/810f49d5ff6d64b704af85d5b8d0aab9ec3c83f5"
},
{
"type": "WEB",
"url": "https://github.com/apache/tomcat/commit/8e03be9f2698f2da9027d40b9e9c0c9429b74dc0"
},
{
"type": "WEB",
"url": "https://github.com/apache/tomcat/commit/d07c82194edb69d99b438828fe2cbfadbb207843"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/tomcat"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240402-0002"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/03/13/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Apache Tomcat Denial of Service due to improper input validation vulnerability for HTTP/2 requests"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…