CVE-2024-38286

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.35 through 8.5.100 and 7.0.92 through 7.0.109. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.

CVSS v3.0 7.5 HIGH

7.5^/10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
http://www.openwall.com/lists/oss-security/2024/09/23/2	Mailing List
https://lists.apache.org/thread/wms60cvbsz3fpbz9psxtfx8r41jl6d4s	Mailing List
https://security.netapp.com/advisory/ntap-20241101-0010/	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:tomcat:10.1.0:milestone3::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone4::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone5::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone1::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone2::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone7::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone8::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone9::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone6::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone10::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone11::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone12::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone13::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone14::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone15::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone16::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone17::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone1::::::
	cpe:2.3:a:apache:tomcat::::::::
	cpe:2.3:a:apache:tomcat::::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone18::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone19::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone20::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone2::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone3::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone4::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone5::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone6::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone7::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone8::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone9::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone10::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone11::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone12::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone13::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone14::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone15::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone16::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone17::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone18::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone19::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone20::::::

Configuration 2 (hide)

OR	cpe:2.3:a:netapp:ontap_tools:9:::::vmware_vsphere::
	cpe:2.3:a:netapp:ontap_tools:10:::::vmware_vsphere::

History

08 Aug 2025, 11:15

Type	Values Removed	Values Added
Summary	Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.	Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.35 through 8.5.100 and 7.0.92 through 7.0.109. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.

07 Aug 2025, 12:15

Type	Values Removed	Values Added
Summary	Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. Older, unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.	Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.

11 Feb 2025, 16:15

Type	Values Removed	Values Added
CWE	~~CWE-770~~
First Time		Netapp Apache tomcat Apache Netapp ontap Tools
References		() http://www.openwall.com/lists/oss-security/2024/09/23/2 - Mailing List () https://security.netapp.com/advisory/ntap-20241101-0010/ - Third Party Advisory
References	~~() https://lists.apache.org/thread/wms60cvbsz3fpbz9psxtfx8r41jl6d4s -~~	() https://lists.apache.org/thread/wms60cvbsz3fpbz9psxtfx8r41jl6d4s - Mailing List
CPE		cpe:2.3:a:apache:tomcat:11.0.0:milestone16:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone7:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone7:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone11:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone10:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone14:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone15:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone12:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone3:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone19:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone18:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone16:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone14:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone6:::::: cpe:2.3:a:netapp:ontap_tools:9:::::vmware_vsphere:: cpe:2.3:a:apache:tomcat:10.1.0:milestone1:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone6:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone2:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone17:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone18:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone2:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone13:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone19:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone8:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone4:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone4:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone3:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone5:::::: cpe:2.3:a:apache:tomcat:::::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone11:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone10:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone9:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone9:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone5:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone15:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone12:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone8:::::: cpe:2.3:a:netapp:ontap_tools:10:::::vmware_vsphere:: cpe:2.3:a:apache:tomcat:11.0.0:milestone1:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone13:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone20:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone17:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone20::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5

07 Nov 2024, 08:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-07 08:15

Updated : 2025-08-08 11:15

NVD link : CVE-2024-38286

Mitre link : CVE-2024-38286

JSON object : View

Products Affected

apache

tomcat

netapp

ontap_tools

CWE

No CWE.

7.5 /10