CVE-2019-10072

Aliases:GHSA-q4hg-rmq2-52q9
Advisory lineage Upstream: 0 Downstream: 14
Modified
Published: 21 Jun 2019, 17:56
Last modified:04 Aug 2024, 22:10

Vulnerability Summary

Overall Risk (default)
medium
44/100
CVSS Score
7.5 HIGH
v3.0 (nvd)
EPSS Score
71.3% CRITICAL
71% probability -0.84%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

21 Jun 2019, 17:56
Published
Vulnerability first disclosed
04 Aug 2024, 22:10
Last Modified
Vulnerability information updated

Description

The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

CVSS Metrics

  • v3.0HIGHScore: 7.5CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • v2.0MEDIUMScore: 5AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS Trends

Current EPSS score: 71.30% Percentile: 99%

Techniques & Countermeasures

  • CWE-667Improper Locking

    The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.

Affected Systems

  • UnknownTomcat

    ≥ 8.5.0, ≤ 8.5.40 | ≥ 9.0.1, ≤ 9.0.19 | 9.0.0:milestone1 | 9.0.0:milestone10 | 9.0.0:milestone11 | 9.0.0:milestone12 | 9.0.0:milestone13 | 9.0.0:milestone14 | 9.0.0:milestone15 | 9.0.0:milestone16 | 9.0.0:milestone17 | 9.0.0:milestone18 | 9.0.0:milestone19 | 9.0.0:milestone2 | 9.0.0:milestone20 | 9.0.0:milestone21 | 9.0.0:milestone22 | 9.0.0:milestone23 | 9.0.0:milestone24 | 9.0.0:milestone25 | 9.0.0:milestone26 | 9.0.0:milestone27 | 9.0.0:milestone3 | 9.0.0:milestone4 | 9.0.0:milestone5 | 9.0.0:milestone6 | 9.0.0:milestone7 | 9.0.0:milestone8 | 9.0.0:milestone9

  • org.apache.tomcat.embedtomcat-embed-core

    ≥ 9.0.0.M1, < 9.0.20 | ≥ 8.5.0, < 8.5.41

References (37)