Low severityNVD Advisory· Published Dec 17, 2024· Updated Nov 3, 2025
Apache Tomcat: DoS in examples web application
CVE-2024-54677
Description
Uncontrolled Resource Consumption vulnerability in the examples web application provided with Apache Tomcat leads to denial of service.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.9.97. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected.
Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.tomcat:tomcatMaven | >= 11.0.0-M1, < 11.0.2 | 11.0.2 |
org.apache.tomcat:tomcatMaven | >= 10.1.0-M1, < 10.1.34 | 10.1.34 |
org.apache.tomcat:tomcatMaven | >= 9.0.0.M1, < 9.0.98 | 9.0.98 |
org.apache.tomcat:tomcat-catalinaMaven | >= 8.5.0, <= 8.5.100 | — |
Affected products
36- osv-coords34 versionspkg:bitnami/tomcatpkg:rpm/almalinux/tomcatpkg:rpm/almalinux/tomcat-admin-webappspkg:rpm/almalinux/tomcat-docs-webapppkg:rpm/almalinux/tomcat-el-5.0-apipkg:rpm/almalinux/tomcat-jsp-3.1-apipkg:rpm/almalinux/tomcat-libpkg:rpm/almalinux/tomcat-servlet-6.0-apipkg:rpm/almalinux/tomcat-webappspkg:rpm/opensuse/tomcat10&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/tomcat10&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/tomcat&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/tomcat&distro=openSUSE%20Tumbleweedpkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOSpkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSSpkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP6pkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSSpkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP6pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Manager%20Server%204.3
>= 9.0.0, < 9.0.98+ 33 more
- (no CPE)range: >= 9.0.0, < 9.0.98
- (no CPE)range: < 1:10.1.36-1.el10_0
- (no CPE)range: < 1:10.1.36-1.el10_0
- (no CPE)range: < 1:10.1.36-1.el10_0
- (no CPE)range: < 1:10.1.36-1.el10_0
- (no CPE)range: < 1:10.1.36-1.el10_0
- (no CPE)range: < 1:10.1.36-1.el10_0
- (no CPE)range: < 1:10.1.36-1.el10_0
- (no CPE)range: < 1:10.1.36-1.el10_0
- (no CPE)range: < 10.1.34-150200.5.31.1
- (no CPE)range: < 10.1.34-1.1
- (no CPE)range: < 9.0.98-150200.74.1
- (no CPE)range: < 9.0.98-1.1
- (no CPE)range: < 10.1.34-150200.5.31.1
- (no CPE)range: < 10.1.34-150200.5.31.1
- (no CPE)range: < 10.1.34-150200.5.31.1
- (no CPE)range: < 10.1.34-150200.5.31.1
- (no CPE)range: < 10.1.34-150200.5.31.1
- (no CPE)range: < 9.0.98-150200.74.1
- (no CPE)range: < 9.0.98-150200.74.1
- (no CPE)range: < 9.0.98-150200.74.1
- (no CPE)range: < 9.0.98-150200.74.1
- (no CPE)range: < 9.0.98-150200.74.1
- (no CPE)range: < 9.0.98-150200.74.1
- (no CPE)range: < 9.0.98-150200.74.1
- (no CPE)range: < 9.0.36-3.136.1
- (no CPE)range: < 9.0.98-150200.74.1
- (no CPE)range: < 9.0.98-150200.74.1
- (no CPE)range: < 9.0.98-150200.74.1
- (no CPE)range: < 9.0.98-150200.74.1
- (no CPE)range: < 9.0.98-150200.74.1
- (no CPE)range: < 9.0.98-150200.74.1
- (no CPE)range: < 9.0.36-3.136.1
- (no CPE)range: < 9.0.98-150200.74.1
- Apache Software Foundation/Apache Tomcatv5Range: 11.0.0-M1
Patches
Vulnerability mechanics
References
33- github.com/advisories/GHSA-653p-vg55-5652ghsaADVISORY
- lists.apache.org/thread/tdtbbxpg5trdwc2wnopcth9ccvdftq2nghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2024-54677ghsaADVISORY
- www.openwall.com/lists/oss-security/2024/12/17/5ghsaWEB
- www.openwall.com/lists/oss-security/2024/12/17/6ghsaWEB
- www.openwall.com/lists/oss-security/2024/12/18/1ghsaWEB
- github.com/apache/tomcat/commit/1d88dd3ffaed76188dd4ee32ce77709ce6e153cdghsaWEB
- github.com/apache/tomcat/commit/3315a9027a7eaab18f42625b97b569940ff1365dghsaWEB
- github.com/apache/tomcat/commit/4a335c6dcba8d6f8a54629eda392a50da267bdf4ghsaWEB
- github.com/apache/tomcat/commit/4d5cc6538d91386f950373ac8120e98c2c78ed3aghsaWEB
- github.com/apache/tomcat/commit/4f0236606961176257b883213e1621b1859ed746ghsaWEB
- github.com/apache/tomcat/commit/54e56495e9a106218efe9fc9c79d976c0032bbfdghsaWEB
- github.com/apache/tomcat/commit/721544ea28e92549824b106be954a9f411867a1cghsaWEB
- github.com/apache/tomcat/commit/722814668708c42a61b0c1e340b15bc2b785c0d1ghsaWEB
- github.com/apache/tomcat/commit/75ff7e8622edcc024b268677aa789ee8f0880eccghsaWEB
- github.com/apache/tomcat/commit/84065e26ca4555e63a922bb29b13b0a1c86b7654ghsaWEB
- github.com/apache/tomcat/commit/84c4af76e7a10fc7f8630ce62e6a46632ea4a90eghsaWEB
- github.com/apache/tomcat/commit/9ffd23fc27f5d1fc95bf97e5cea175c8968f4533ghsaWEB
- github.com/apache/tomcat/commit/a95bf2b0303442a2c9a1ac364b0e63b56049e33aghsaWEB
- github.com/apache/tomcat/commit/aa5b4d0043289cf054f531ec55126c980d3572e1ghsaWEB
- github.com/apache/tomcat/commit/bbd82e9593314ade4cfd57248f9285fbad686f66ghsaWEB
- github.com/apache/tomcat/commit/c0a23927ea5e061ca3fdff695138464179fe674aghsaWEB
- github.com/apache/tomcat/commit/c2f7ce21c3fb12caefee87c517a8bb4f80700044ghsaWEB
- github.com/apache/tomcat/commit/cb1707685472994e9d924746f8c91cb116fa5213ghsaWEB
- github.com/apache/tomcat/commit/d63a10afc142b12f462a15f7d10f79fd80ff94ebghsaWEB
- github.com/apache/tomcat/commit/dbec927859d9484cb8bd680a7c67b1a560f48444ghsaWEB
- github.com/apache/tomcat/commit/e8c16cdba833884e1bd49fff1f1cb699da177585ghsaWEB
- github.com/apache/tomcat/commit/f57a9d9847c1038be61f5818d73b8be907c460d4ghsaWEB
- lists.debian.org/debian-lts-announce/2025/07/msg00009.htmlghsaWEB
- security.netapp.com/advisory/ntap-20250131-0006ghsaWEB
- tomcat.apache.org/security-10.htmlghsaWEB
- tomcat.apache.org/security-11.htmlghsaWEB
- tomcat.apache.org/security-9.htmlghsaWEB
News mentions
0No linked articles in our index yet.