CVE-2024-54677: Apache Tomcat Uncontrolled Resource Consumption Denial of Service
CVSS 3.1 Base Score: 5.3 (MEDIUM)
Description

Uncontrolled Resource Consumption vulnerability in the examples web application provided with Apache Tomcat leads to denial of service. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.9.97. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.

Published Date: Dec. 17, 2024, 1:15 p.m.
Last Modified: Aug. 8, 2025, 12:15 p.m.
Remotely Exploitable: Yes
Affected Products

The following products are affected by CVE-2024-54677. Although cvefeed.io knows the exact affected versions of these products, that information is not shown in the table below (the CPE configurations in the change history further down give the version ranges).

Vendor   Product
Netapp   bootstrap_os
Netapp   hci_compute_node
Apache   tomcat
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and display CVSS scores from various sources for each CVE.
Score  Version   Severity  Vector                               Exploitability Score  Impact Score  Source
5.3    CVSS 3.1  MEDIUM    AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L  3.9                   1.4           134c704f-9b21-4f2e-91b3-4a467353bcc0
Solution
Update Apache Tomcat and any packages that bundle it to address the uncontrolled resource consumption vulnerability.
  • Upgrade to Apache Tomcat version 9.0.98, 10.1.34, or 11.0.2.
  • Update the affected Linux distribution packages that ship Tomcat.
  • Update other affected products, such as the NetApp products listed above, following their vendor advisories.
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2024-54677.

URL Resource
https://lists.apache.org/thread/tdtbbxpg5trdwc2wnopcth9ccvdftq2n Mailing List Vendor Advisory
http://www.openwall.com/lists/oss-security/2024/12/17/5 Mailing List
http://www.openwall.com/lists/oss-security/2024/12/17/6 Mailing List
http://www.openwall.com/lists/oss-security/2024/12/18/1 Mailing List
https://security.netapp.com/advisory/ntap-20250131-0006/ Third Party Advisory
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2024-54677 is associated with the following CWE:

CWE-400: Uncontrolled Resource Consumption

The following news articles mention CVE-2024-54677 somewhere in their text.

  • Daily CyberSecurity: Patch Now: Apache Tomcat Fixes Session Fixation and ‘MadeYouReset’ Flaws (Published Aug 15, 2025)
    The Apache Tomcat Project has issued important updates addressing two significant vulnerabilities affecting multiple supported versions of the popular open-source application server. The flaws — CVE-2 ...

  • TheCyberThrone: CVE-2025-24480 impacts Rockwell Automation (Published Feb 02, 2025)
    CVE-2025-24480 is a critical vulnerability that has been identified in FactoryTalk View Machine Edition, a widely used industrial automation software from Rockwell Automation. This vulnerability is pa ...

  • TheCyberThrone: TheCyberThrone CyberSecurity Newsletter Top 5 Articles – January 2025 (Published Feb 01, 2025)
    Welcome to TheCyberThrone cybersecurity month in review will be posted covering the important security happenings. This review is for the month ending January 2025. Subscribers favorite #1: Exploit Code ...

  • TheCyberThrone: CVE-2024-53299 impacts Apache Wicket (Published Jan 26, 2025)
    Background: CVE-2024-53299 is a significant security vulnerability identified in Apache Wicket, specifically impacting versions prior to 9.19.0 and 10.3.0. This vulnerability allows attackers to initiat ...

  • TheCyberThrone: TheCyberThrone Security BiWeekly Review – January 25, 2025 (Published Jan 26, 2025)
    Welcome to TheCyberThrone. Cybersecurity week in review will be posted covering the important security happenings. This review is for the bi-weekly ending on Saturday, January 25, 2025. CVE-2025-0411 i ...

  • TheCyberThrone: CVE-2024-53691: PoC Exploit Code Release for QNAP Flaw (Published Jan 20, 2025)
    CVE-2024-53691 is a severe remote code execution (RCE) vulnerability discovered in QNAP NAS devices. Recently, security researcher c411e released a Proof-of-Concept (PoC) exploit code, underscoring th ...

  • TheCyberThrone: CVE-2025-0107 PoC Exploit Code Released for PaloAlto Flaw (Published Jan 19, 2025)
    Background: CVE-2025-0107 is a critical OS command injection vulnerability discovered in Palo Alto Networks’ Expedition Tool, version 1.2.101 and earlier. Recently, security researchers released a Proo ...

  • TheCyberThrone: CVE-2024-44243: macOS SIP Bypass Flaw (Published Jan 15, 2025)
    CVE-2024-44243 is a critical vulnerability discovered in macOS that allows attackers to bypass Apple’s System Integrity Protection (SIP) by exploiting third-party kernel extensions. This vulnerability ...

  • TheCyberThrone: CISA adds Fortinet flaw CVE-2024-55591 to KEV Catalog (Published Jan 15, 2025)
    CVE-2024-55591 is a critical vulnerability affecting Fortinet’s FortiOS and FortiProxy devices. This vulnerability allows a remote attacker to bypass authentication mechanisms and gain super-admin pri ...

  • TheCyberThrone: CVE-2024-5594 impacts OpenVPN (Published Jan 12, 2025)
    CVE-2024-5594 is a critical vulnerability identified in OpenVPN versions prior to 2.6.11. This vulnerability stems from improper sanitization of PUSH_REPLY messages, which allows attackers to inject u ...

  • TheCyberThrone: CVE-2024-53704 impacts SonicWall (Published Jan 11, 2025)
    CVE-2024-53704 is a high-severity vulnerability impacting SonicWall’s SSLVPN authentication mechanism. This flaw, with a CVSS score of 8.2, allows remote attackers to bypass authentication and gain un ...

  • TheCyberThrone: CISA KEV UPDATE Part I – January 2025 (Published Jan 08, 2025)
    The US CISA has added 3 vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on the evidence of active exploitation. CVE-2024-41713: Mitel MiCollab Path Traversal Vulnerability De ...

  • TheCyberThrone: TheCyberThrone Security Biweekly Review – December 28, 2024 (Published Dec 30, 2024)
    Welcome to TheCyberThrone cybersecurity week in review will be posted covering the important security happenings. This review is for the biweekly ending Saturday, December 28, 2024. Indian users are ta ...

  • TheCyberThrone: CVE-2024-45387 Critical Bug in Apache Traffic Control (Published Dec 25, 2024)
    CVE-2024-45387 represents a significant security concern within the Traffic Ops component of Apache Traffic Control, specifically impacting versions. The heart of this vulnerability is an SQL injection ...

  • TheCyberThrone: Microsoft Patch Tuesday Year 2024 Analysis (Published Dec 25, 2024)
    In 2024, Microsoft’s Patch Tuesday updates played a critical role in addressing security vulnerabilities across various platforms. Throughout the year, a total of 1,000+ vulnerabilities were patched, ...

  • TheCyberThrone: Zeroday Vulnerabilities Prevailed in 2024 Analysis-Part II (Published Dec 24, 2024)
    This is the continuation of Zeroday vulnerabilities in 2024. Let’s delve deeply into the continuation of zero-day vulnerabilities of 2024, providing a comprehensive analysis. 1. CVE-2023-46805: Authen ...

  • TheCyberThrone: CISA adds Acclaim Flaw CVE-2021-44207 to KEV Catalog (Published Dec 23, 2024)
    The US CISA has added new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2021-44207: Acclaim Systems USAHERDS Use of Hard-Coded Credentials V ...

  • TheCyberThrone: BeyondTrust SaaS Breach Comprehensive Breakdown (Published Dec 23, 2024)
    Incident Discovery: On December 2, 2024, BeyondTrust identified a significant security breach during a forensics investigation. This discovery set off a series of urgent actions to mitigate the impact a ...

  • Cybersecurity News: CVE-2024-56337: Apache Tomcat Patches Critical RCE Vulnerability (Published Dec 23, 2024)
    The Apache Software Foundation recently released a critical security update to address a remote code execution (RCE) vulnerability in Apache Tomcat, identified as CVE-2024-56337. This vulnerability af ...

  • TheCyberThrone: Detailing Databricks Vulnerability CVE-2024-49194 (Published Dec 21, 2024)
    A critical vulnerability has been identified that affects the Databricks JDBC Driver. This vulnerability allows for remote code execution (RCE) through a JNDI injection exploit using a malicious JDBC ...

The following table lists the changes that have been made to the CVE-2024-54677 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE Modified by [email protected]

    Aug. 08, 2025

    Action: Changed Description
    Old Value: Uncontrolled Resource Consumption vulnerability in the examples web application provided with Apache Tomcat leads to denial of service. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.9.97. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.
    New Value: Uncontrolled Resource Consumption vulnerability in the examples web application provided with Apache Tomcat leads to denial of service. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.9.97. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.
  • CVE Modified by [email protected]

    Aug. 07, 2025

    Action: Changed Description
    Old Value: Uncontrolled Resource Consumption vulnerability in the examples web application provided with Apache Tomcat leads to denial of service. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.9.97. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.
    New Value: Uncontrolled Resource Consumption vulnerability in the examples web application provided with Apache Tomcat leads to denial of service. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.9.97. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.
  • Initial Analysis by [email protected]

    Jul. 01, 2025

    Action: Added CPE Configuration
      OR
        *cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* versions from (including) 10.1.0 up to (excluding) 10.1.34
        *cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* versions from (including) 11.0.0 up to (excluding) 11.0.2
        *cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* versions from (including) 9.0.0 up to (excluding) 9.0.98
    Action: Added CPE Configuration
      AND
        OR
          *cpe:2.3:o:netapp:bootstrap_os:-:*:*:*:*:*:*:*
        OR
          cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:*
    Added Reference Type CVE: http://www.openwall.com/lists/oss-security/2024/12/17/5 Types: Mailing List
    Added Reference Type CVE: http://www.openwall.com/lists/oss-security/2024/12/17/6 Types: Mailing List
    Added Reference Type CVE: http://www.openwall.com/lists/oss-security/2024/12/18/1 Types: Mailing List
    Added Reference Type Apache Software Foundation: https://lists.apache.org/thread/tdtbbxpg5trdwc2wnopcth9ccvdftq2n Types: Mailing List, Vendor Advisory
    Added Reference Type CVE: https://security.netapp.com/advisory/ntap-20250131-0006/ Types: Third Party Advisory
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Jan. 31, 2025

    Action Type Old Value New Value
    Added Reference https://security.netapp.com/advisory/ntap-20250131-0006/
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Dec. 18, 2024

    Action Type Old Value New Value
    Added Reference http://www.openwall.com/lists/oss-security/2024/12/18/1
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Dec. 17, 2024

    Action Type Old Value New Value
    Added Reference http://www.openwall.com/lists/oss-security/2024/12/17/6
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Dec. 17, 2024

    Action Type Old Value New Value
    Added Reference http://www.openwall.com/lists/oss-security/2024/12/17/5
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Dec. 17, 2024

    Action Type Old Value New Value
    Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • New CVE Received by [email protected]

    Dec. 17, 2024

    Action Type Old Value New Value
    Added Description Uncontrolled Resource Consumption vulnerability in the examples web application provided with Apache Tomcat leads to denial of service. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.9.97. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.
    Added CWE CWE-400
    Added Reference https://lists.apache.org/thread/tdtbbxpg5trdwc2wnopcth9ccvdftq2n
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. [EPSS score history chart for this vulnerability: not reproduced in this text version]
Vulnerability Scoring Details
Base CVSS Score: 5.3 (CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Low