diff --git a/advisories/github-reviewed/2024/11/GHSA-7jqf-v358-p8g7/GHSA-7jqf-v358-p8g7.json b/advisories/github-reviewed/2024/11/GHSA-7jqf-v358-p8g7/GHSA-7jqf-v358-p8g7.json
index 19d4bc330e961..5ab7b5d6c8062 100644
--- a/advisories/github-reviewed/2024/11/GHSA-7jqf-v358-p8g7/GHSA-7jqf-v358-p8g7.json
+++ b/advisories/github-reviewed/2024/11/GHSA-7jqf-v358-p8g7/GHSA-7jqf-v358-p8g7.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-7jqf-v358-p8g7",
- "modified": "2025-11-03T21:31:32Z",
+ "modified": "2025-11-03T21:31:33Z",
 "published": "2024-11-07T09:30:42Z",
 "aliases": [
 "CVE-2024-38286"
@@ -9,10 +9,6 @@
 "summary": "Apache Tomcat Allocation of Resources Without Limits or Throttling vulnerability",
 "details": "Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.35 through 8.5.100 and 7.0.92 through 7.0.109.\n\nUsers are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue.\n\nApache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.",
 "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H"
- },
 {
 "type": "CVSS_V4",
 "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H"
@@ -22,17 +18,17 @@
 {
 "package": {
 "ecosystem": "Maven",
- "name": "org.apache.tomcat:tomcat-util"
+ "name": "org.apache.tomcat:tomcat"
 },
 "ranges": [
 {
 "type": "ECOSYSTEM",
 "events": [
 {
- "introduced": "11.0.0-M1"
+ "introduced": "7.0.92"
 },
 {
- "fixed": "11.0.0-M21"
+ "last_affected": "7.0.109"
 }
 ]
 }
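Review bot: Removing the `CVSS_V3` object from `severity` in the `@@ -9,10 +9,6 @@` hunk leaves this advisory with only a CVSS 4.0 vector, so any consumer that still keys severity off `CVSS_V3` (still common in scanners and policy gates) will see no score at all for an unauthenticated, network-reachable DoS. OSV 1.4.0 permits both entries side by side, so unless the v3 vector was dropped because it was not upstream-sourced, I would keep `{ "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H" }` next to the v4 entry, and say so in the commit message if it is intentionally dropped. The retained v4 vector also rates the vulnerable system's own availability as `VA:N` and puts the impact only on the subsequent system (`SA:H`), while the `details` text describes an OutOfMemoryError in Tomcat itself; if that is the vector Apache published it should stay, but it is worth confirming rather than inheriting.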
@@ -41,17 +37,17 @@
 {
 "package": {
 "ecosystem": "Maven",
- "name": "org.apache.tomcat:tomcat-util"
+ "name": "org.apache.tomcat:tomcat"
 },
 "ranges": [
 {
 "type": "ECOSYSTEM",
 "events": [
 {
- "introduced": "10.1.0-M1"
+ "introduced": "8.5.35"
 },
 {
- "fixed": "10.1.25"
+ "last_affected": "8.5.100"
 }
 ]
 }
@@ -60,7 +56,7 @@
 {
 "package": {
 "ecosystem": "Maven",
- "name": "org.apache.tomcat:tomcat-util"
+ "name": "org.apache.tomcat:tomcat"
 },
 "ranges": [
 {
@@ -79,17 +75,36 @@
 {
 "package": {
 "ecosystem": "Maven",
- "name": "org.apache.tomcat:tomcat-util"
+ "name": "org.apache.tomcat:tomcat"
 },
 "ranges": [
 {
 "type": "ECOSYSTEM",
 "events": [
 {
- "introduced": "8.5.35"
+ "introduced": "10.1.0-M1"
 },
 {
- "last_affected": "8.5.100"
+ "fixed": "10.1.25"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.apache.tomcat:tomcat"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "11.0.0-M1"
+ },
+ {
+ "fixed": "11.0.0-M21"
 }
 ]
 }
@@ -98,7 +113,7 @@
 {
 "package": {
 "ecosystem": "Maven",
- "name": "org.apache.tomcat:tomcat-util"
+ "name": "org.apache.tomcat:tomcat-coyote"
 },
 "ranges": [
 {
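Review bot: The `@@ -98,7 +113,7 @@` hunk renames this entry to `org.apache.tomcat:tomcat-coyote` but its `events` lie past the hunk, so the diff does not show whether they still read `"introduced": "7.0.92"` / `"last_affected": "7.0.109"` to mirror the sibling `org.apache.tomcat:tomcat` 7.0 entry and the `details` text. The four `tomcat-coyote` entries added later each duplicate a `tomcat` entry version-for-version, so this is the one range in the set that cannot be checked from the patch alone; worth verifying before merge. The same applies to the entry renamed at `@@ -60,7 +56,7 @@`, presumably the 9.0.13–9.0.90 one given its position between the 8.5 and 10.1 entries, whose events are likewise outside the hunk.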
@@ -113,6 +128,82 @@
 ]
 }
 ]
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.apache.tomcat:tomcat-coyote"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "8.5.35"
+ },
+ {
+ "last_affected": "8.5.100"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.apache.tomcat:tomcat-coyote"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "9.0.13"
+ },
+ {
+ "fixed": "9.0.90"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.apache.tomcat:tomcat-coyote"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "10.1.0-M1"
+ },
+ {
+ "fixed": "10.1.25"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.apache.tomcat:tomcat-coyote"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "11.0.0-M1"
+ },
+ {
+ "fixed": "11.0.0-M21"
+ }
+ ]
+ }
+ ]
 }
 ],
 "references": [
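Review bot: With this hunk the `affected` array, which per the hunk offsets runs from just after `severity` to the `"references": [` line shown here, lists only `org.apache.tomcat:tomcat` and `org.apache.tomcat:tomcat-coyote`. If the TLS handshake code named in `details` is also shipped in the embedded artifact `org.apache.tomcat.embed:tomcat-embed-core`, which is how many Maven consumers (Spring Boot applications, for example) actually pull in the connector, those users would never be matched by this advisory; I would confirm against the jar contents and, if so, add a parallel set of entries for `org.apache.tomcat.embed:tomcat-embed-core` with the same five version ranges. The 7.0 and 8.5 entries using `last_affected` rather than `fixed` look right for lines that reached EOL without a fix, and agree with the `details` text.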