CVE-2024-52317: 
Java vulnerability analysis and mitigation

Incorrect object re-cycling and re-use vulnerability was discovered in Apache Tomcat's HTTP/2 request handling. The vulnerability affects Apache Tomcat versions 11.0.0-M23 through 11.0.0-M26, 10.1.27 through 10.1.30, and 9.0.92 through 9.0.95. The issue was disclosed on November 18, 2024, and involves incorrect recycling of request and response objects that could lead to request and/or response mix-up between users (Apache Security, OSS Security).

The vulnerability stems from improper object recycling and reuse in Apache Tomcat's HTTP/2 request handling mechanism. The CVSS v3.1 base score is 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N, indicating that the vulnerability can be exploited remotely without requiring privileges or user interaction. The issue is associated with CWE-326 (Inadequate Encryption Strength) (NVD).

When successfully exploited, this vulnerability can lead to the disclosure of sensitive information and potential modification of data through request and response mix-ups between different users. The vulnerability allows attackers to potentially access or modify data intended for other users, compromising the confidentiality and integrity of communications (NetApp Security).

Users are strongly recommended to upgrade to the fixed versions: Apache Tomcat 11.0.0, 10.1.31, or 9.0.96. These versions contain the necessary patches to address the vulnerability (Apache Security).