pentaho / pentaho-platform

Pentaho BA Server Core
http://www.pentaho.com

[BACKLOG-41266] Upgrade Quartz scheduler to 2.3.2 #5663

Closed tkafalas closed 2 months ago

hitachivantarasonarqube[bot] commented 2 months ago

SonarQube Quality Gate

Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 1 Code Smell

100.0% 100.0% Coverage
0.0% 0.0% Duplication

buildguy commented 2 months ago
[![🚨 Frogbot scanned this pull request and found the below:](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/vulnerabilitiesBannerPR.png)](https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot)

📦 Vulnerable Dependencies

✍️ Summary

| SEVERITY | DIRECT DEPENDENCIES | IMPACTED DEPENDENCY | FIXED VERSIONS | CVES |
| :---: | :---: | :---: | :---: | :---: |
| High | org.apache.tomcat:tomcat-catalina:9.0.86<br>pentaho:pentaho-tomcat-logs:10.2.0.0-SNAPSHOT | org.apache.tomcat:tomcat-coyote 9.0.86 | [10.1.25]<br>[11.0.0-M21]<br>[9.0.90] | CVE-2024-34750 |

🔬 Research Details

Description: Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89.

Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.

Note:

**Frogbot** also supports **Contextual Analysis, Secret Detection, IaC and SAST Vulnerabilities Scanning**. These features are included as part of the [JFrog Advanced Security](https://jfrog.com/advanced-security) package, which isn't enabled on your system.

[🐸 JFrog Frogbot](https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot)
buildguy commented 2 months ago

:x: Build failed in 44m 59s

Build command:

mvn clean verify -B -e -Daudit -Djs.no.sandbox -pl \
api,assemblies/pentaho-data,core,extensions

:ok_hand: All tests passed!

Tests run: 2241, Failures: 0, Skipped: 7    Test Results


:information_source: This is an automatic message