CVE-2024-52317 - tomcat-embed-core - Analysis of vulnerability - Eureka - Quesnelia SP4

Description

Severity: medium
Link: https://nvd.nist.gov/vuln/detail/CVE-2024-52317
Package Name: tomcat-embed-core

Current version: 10.1.30 / fixed in 11.0.0, 10.1.31, 9.0.96

Incorrect object re-cycling and re-use vulnerability in Apache Tomcat.

Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the issue.
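As an added example that is not part of this ticket, a small Python checker that tests a tomcat-embed-core version string against the affected ranges quoted above and names the fixed release on the same branch; it assumes Tomcat's numbering convention in which a milestone build such as 11.0.0-M23 sorts before the 11.0.0 GA release.

```python
"""Check whether a tomcat-embed-core version is inside the CVE-2024-52317
affected ranges quoted in the advisory. Added example; the milestone ordering
rule (-Mnn sorts before GA) is an assumption about Tomcat's numbering."""
import re
from typing import Tuple

# Affected ranges taken from the advisory text (inclusive on both ends).
AFFECTED_RANGES = [
    ("11.0.0-M23", "11.0.0-M26"),
    ("10.1.27", "10.1.30"),
    ("9.0.92", "9.0.95"),
]
# First fixed release per major branch, also from the advisory text.
FIXED_VERSIONS = {11: "11.0.0", 10: "10.1.31", 9: "9.0.96"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn 'major.minor.patch[-Mn]' into a sortable tuple.
    Milestones get 0 in the fourth slot and GA builds get 1, so
    11.0.0-M26 < 11.0.0 as Tomcat's release sequence requires."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version: str) -> bool:
    """True if the version lies inside any affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def recommended_fix(version: str) -> str:
    """Fixed release on the same major branch, or '' if the branch is unknown."""
    return FIXED_VERSIONS.get(parse_version(version)[0], "")


if __name__ == "__main__":
    # Constructed sample inputs: the ticket's current version and its neighbours.
    for sample in ["10.1.30", "10.1.31", "11.0.0-M26", "11.0.0", "9.0.91", "9.0.95"]:
        status = "VULNERABLE" if is_affected(sample) else "not affected"
        print(f"{sample:12s} {status:13s} fix: {recommended_fix(sample)}")
```

The check is purely version based; the advisory ties the mix-up to HTTP/2 requests, so whether HTTP/2 is enabled on the connector is a separate question.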

Modules impacted:

mod-consortia-keycloak

Eureka

1.4.5 - vulnerable
1.5.0, 1.5.1 - vulnerable; 1.5.2 - fixed
1.6.0, 1.6.1 - fixed

Activity

Julian Ladisch February 4, 2025 at 9:26 PM

Julian Ladisch January 17, 2025 at 3:56 PM

A Quesnelia CSP should be provided because two other fixes are also needed.

For details see

Craig McNally January 10, 2025 at 2:11 PM

It’s medium severity, so I don’t think so. At this point I think we’d only backport Critical, or possibly High severity issues to Quesnelia.

Julian Ladisch December 19, 2024 at 4:31 PM

Do we need to backport the fix to Quesnelia?

Julian Ladisch December 12, 2024 at 4:20 PM

Need to back-port the fix to Quesnelia?

Done

Details

RCA Group: TBD

Created December 3, 2024 at 9:13 PM
Updated February 13, 2025 at 3:59 PM
Resolved February 6, 2025 at 4:11 PM