QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2017-5650

Back to search

CVE-2017-5650

Published: Apr 17, 2017

Modified: Aug 5, 2024

PUBLISHED

Description

In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting for a WINDOW_UPDATE before allowing the application to write more data. These waiting streams each consumed a thread. A malicious client could therefore construct a series of HTTP/2 requests that would consume all available processing threads.

VendorProductVersions

Apache Software Foundation

Apache Tomcat

affected
9.0.0.M1 to 9.0.0.M18
affected
8.5.0 to 8.5.12

References

97531
vdb-entry
x_refsource_BID
GLSA-201705-09
vendor-advisory
x_refsource_GENTOO
1038217
vdb-entry
x_refsource_SECTRACK

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now