{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-52318", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2024-11-07T07:48:18.086Z", "datePublished": "2024-11-18T12:21:39.170Z", "dateUpdated": "2025-01-31T15:02:49.374Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Tomcat", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "11.0.0", "versionType": "semver"}, {"status": "affected", "version": "10.1.31", "versionType": "semver"}, {"status": "affected", "version": "9.0.96", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Incorrect object recycling and reuse vulnerability in Apache Tomcat.</p><p>This issue affects Apache Tomcat: 11.0.0, 10.1.31, 9.0.96.</p><p>Users are recommended to upgrade to version 11.0.1, 10.1.32 or 9.0.97, which fixes the issue.</p>"}], "value": "Incorrect object recycling and reuse vulnerability in Apache Tomcat.\n\nThis issue affects Apache Tomcat: 11.0.0, 10.1.31, 9.0.96.\n\nUsers are recommended to upgrade to version 11.0.1, 10.1.32 or 9.0.97, which fixes the issue."}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"description": "Incorrect object recycling and reuse", "lang": "en"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-11-18T12:21:39.170Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/co243cw1nlh6p521c5265cm839wkqdp9"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Tomcat: Incorrect JSP tag recycling leads to XSS", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-326", "lang": "en", "description": "CWE-326 Inadequate Encryption Strength"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-11-18T14:31:54.340955Z", "id": "CVE-2024-52318", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-18T14:34:25.450Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/11/18/4"}, {"url": "https://security.netapp.com/advisory/ntap-20250131-0009/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-01-31T15:02:49.374Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/11/18/4"}, {"url": "https://security.netapp.com/advisory/ntap-20250131-0009/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-01-31T15:02:49.374Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-52318", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-11-18T14:31:54.340955Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-326", "description": "CWE-326 Inadequate Encryption Strength"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-18T14:34:14.511Z"}}], "cna": {"title": "Apache Tomcat: Incorrect JSP tag recycling leads to XSS", "source": {"discovery": "UNKNOWN"}, "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "important"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Tomcat", "versions": [{"status": "affected", "version": "11.0.0", "versionType": "semver"}, {"status": "affected", "version": "10.1.31", "versionType": "semver"}, {"status": "affected", "version": "9.0.96", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/co243cw1nlh6p521c5265cm839wkqdp9", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Incorrect object recycling and reuse vulnerability in Apache Tomcat.\n\nThis issue affects Apache Tomcat: 11.0.0, 10.1.31, 9.0.96.\n\nUsers are recommended to upgrade to version 11.0.1, 10.1.32 or 9.0.97, which fixes the issue.", "supportingMedia": [{"type": "text/html", "value": "<p>Incorrect object recycling and reuse vulnerability in Apache Tomcat.</p><p>This issue affects Apache Tomcat: 11.0.0, 10.1.31, 9.0.96.</p><p>Users are recommended to upgrade to version 11.0.1, 10.1.32 or 9.0.97, which fixes the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Incorrect object recycling and reuse"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-11-18T12:21:39.170Z"}}}, "cveMetadata": {"cveId": "CVE-2024-52318", "state": "PUBLISHED", "dateUpdated": "2025-01-31T15:02:49.374Z", "dateReserved": "2024-11-07T07:48:18.086Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2024-11-18T12:21:39.170Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:tomcat:9.0.96:*:*:*:*:*:*:*", "matchCriteriaId": "6EC401BB-1B62-48AC-8DD6-40391B7C85E3", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.31:*:*:*:*:*:*:*", "matchCriteriaId": "090488A2-C72A-41CD-8F28-462E6D377EF8", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "F2F4051E-9D2B-44EF-8F4B-F117AEABB7BC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect object recycling and reuse vulnerability in Apache Tomcat.\n\nThis issue affects Apache Tomcat: 11.0.0, 10.1.31, 9.0.96.\n\nUsers are recommended to upgrade to version 11.0.1, 10.1.32 or 9.0.97, which fixes the issue."}, {"lang": "es", "value": "Vulnerabilidad de reutilizaci\u00f3n y reciclaje incorrecto de objetos en Apache Tomcat. Este problema afecta a Apache Tomcat: 11.0.0, 10.1.31, 9.0.96. Se recomienda a los usuarios que actualicen a la versi\u00f3n 11.0.1, 10.1.32 o 9.0.97, que soluciona el problema."}], "id": "CVE-2024-52318", "lastModified": "2025-05-15T17:46:50.373", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-11-18T13:15:04.490", "references": [{"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://lists.apache.org/thread/co243cw1nlh6p521c5265cm839wkqdp9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2024/11/18/4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20250131-0009/"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-326"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "tomcat: incorrect JSP tag recycling leads to XSS", "id": "2326985", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2326985"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-79", "details": ["Incorrect object recycling and reuse vulnerability in Apache Tomcat.\nThis issue affects Apache Tomcat: 11.0.0, 10.1.31, 9.0.96.\nUsers are recommended to upgrade to version 11.0.1, 10.1.32 or 9.0.97, which fixes the issue.", "A flaw was found in Apache Tomcat. Pooled JavaServer Pages (JSP) tags are not released after use, which could cause the output of some tags not to escape as expected. This unescaped output could leave the application vulnerable to Cross-site scripting (XSS)."], "name": "CVE-2024-52318", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "pki-deps:10.6/pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-11-18T12:21:39Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-52318\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-52318\nhttps://lists.apache.org/thread/co243cw1nlh6p521c5265cm839wkqdp9"], "statement": "Per the upstream advisory, this vulnerability is limited to Tomcat versions 9.0.96, 10.1.31, and 11.0.0. No Red Hat products are vulnerable to this flaw.", "threat_severity": "Moderate"}