CVE-2024-52318 — Apache Tomcat: Incorrect JSP tag recycling leads to XSS

Description

Incorrect object recycling and reuse vulnerability in Apache Tomcat. This issue affects Apache Tomcat: 11.0.0, 10.1.31, 9.0.96. Users are recommended to upgrade to version 11.0.1, 10.1.32 or 9.0.97, which fixes the issue.

How to fix CVE-2024-52318

To remediate CVE-2024-52318, upgrade the affected package to a fixed version below.

Bitnami/tomcat—upgrade to 9.0.97 or later
—upgrade to 10.1.33-1 or later
—upgrade to 11.0.1 or later

Is CVE-2024-52318 being exploited?

Moderate — EPSS is 15.5%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (3)

>= 9.0.96, < 9.0.97, >= 10.1.31, < 10.1.33, >= 11.0.0, < 11.0.9
from 0, < 10.1.33-1
>= 11.0.0, < 11.0.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (11)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-52318
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-52318
PATCHgithub.com/apache/tomcat
WEBbz.apache.org/bugzilla/show_bug.cgi?id=69333
WEB