[SECURITY] CVE-2024-52317 Apache Tomcat - Request and/or response mix-up
Post to announce@tomcat.apache.org
Mark Thomas - Monday, November 18, 2024 7:20:42 PM GMT+8

Note: Correction to 10.1.x affected versions

CVE-2024-52317 Apache Tomcat - Request and/or response mix-up

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M23 to 11.0.0-M26
Apache Tomcat 10.1.27 to 10.1.30
Apache Tomcat 9.0.92 to 9.0.95

Description:
Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.0 or later
- Upgrade to Apache Tomcat 10.1.31 or later
- Upgrade to Apache Tomcat 9.0.96 or later

Credit:
This vulnerability was identified by the Tomcat security team

History:
2024-11-18 Original advisory
2024-11-18 Correct 10.1.x affected versions

References:
1.
2.
3.
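
An inventory check against the affected ranges listed above. This is an added example, not part of the original advisory or of Apache Tomcat. It assumes each host's version is available as a string such as "Apache Tomcat/9.0.93" or a bare "11.0.0-M24"; the function names and the sample hosts are hypothetical.

```python
import re

# Inclusive affected ranges, copied from the advisory's "Versions Affected" list.
AFFECTED = [
    ("11.0.0-M23", "11.0.0-M26"),
    ("10.1.27", "10.1.30"),
    ("9.0.92", "9.0.95"),
]
# Minimum fixed release per major branch, from the advisory's "Mitigation" list.
FIXED = {11: "11.0.0", 10: "10.1.31", 9: "9.0.96"}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?")


def parse_version(text):
    """Extract a Tomcat version from a banner or bare string as a sortable tuple."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no Tomcat version found in {text!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    if m.group(4) is None:
        # A final release sorts after every milestone of the same x.y.z.
        return (major, minor, patch, 1, 0)
    return (major, minor, patch, 0, int(m.group(4)))


def is_affected(text):
    """True if the version falls inside any affected range (bounds inclusive)."""
    v = parse_version(text)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED)


def triage(text):
    """Return a one-line verdict naming the fixed release for the branch."""
    if is_affected(text):
        return f"AFFECTED: upgrade to {FIXED[parse_version(text)[0]]} or later"
    return "not in affected range"


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts, not from the advisory).
    inventory = {
        "app01": "Apache Tomcat/9.0.93",
        "app02": "Apache Tomcat/10.1.31",
        "app03": "Apache Tomcat/11.0.0-M24",
        "app04": "Apache Tomcat/11.0.0",
    }
    for host, banner in inventory.items():
        print(f"{host:6} {banner:28} {triage(banner)}")
```

The milestone handling matters for the 11.0.x branch: 11.0.0-M26 is in range while the final 11.0.0 release is the fix, so a plain numeric comparison of x.y.z would misclassify one of them.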