CVE-2023-44487

Uncontrolled Resource Consumption in maven/org.apache.tomcat.embed/tomcat-embed-core

Identifiers

GHSA-qppj-fm5r-hxr3, GHSA-vx74-f528-fxqg, GHSA-xpw8-rcwv-8f8p, GHSA-2m7v-gc89-fjqf, CVE-2023-44487

Package Slug

maven/org.apache.tomcat.embed/tomcat-embed-core

Vulnerability

Uncontrolled Resource Consumption

Description

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Affected Versions

All versions starting from 8.5.0 up to 8.5.93, all versions starting from 9.0.0 up to 9.0.80, all versions starting from 10.1.0 up to 10.1.13, version 11.0.0

Solution

Upgrade to versions 8.5.94, 9.0.81, 10.1.14 or above.

Last Modified

2023-11-17
