CVE-2024-34750: 
Java vulnerability analysis and mitigation

CVE-2024-34750 is a vulnerability in Apache Tomcat affecting versions from 11.0.0-M1 through 11.0.0-M20, 10.1.0-M1 through 10.1.24, and 9.0.0-M1 through 9.0.89. The vulnerability was discovered and disclosed on July 3, 2024, and is related to improper handling of exceptional conditions and uncontrolled resource consumption in HTTP/2 stream processing (NVD).

The vulnerability occurs when processing an HTTP/2 stream, where Tomcat fails to handle some cases of excessive HTTP headers correctly. This leads to a miscounting of active HTTP/2 streams, which subsequently results in the use of an incorrect infinite timeout, allowing connections to remain open that should have been closed. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (CISA-ADP).

The successful exploitation of this vulnerability could lead to a Denial of Service (DoS) condition. The vulnerability affects the availability of the system without compromising confidentiality or integrity (NetApp Advisory).

Users are recommended to upgrade to Apache Tomcat version 11.0.0-M21, 10.1.25, or 9.0.90, which contain fixes for this vulnerability. These versions address the HTTP/2 stream handling issue and prevent the incorrect timeout behavior (NVD).