QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2019-10072

Back to search

CVE-2019-10072

Published: Jun 21, 2019

Modified: Aug 4, 2024

PUBLISHED

Description

The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

VendorProductVersions

n/a

Apache Tomcat

affected
Apache Tomcat 9.0.0.M1 to 9.0.19, 8.5.0 to 8.5.40

References

108874
vdb-entry
x_refsource_BID
USN-4128-1
vendor-advisory
x_refsource_UBUNTU
USN-4128-2
vendor-advisory
x_refsource_UBUNTU
RHSA-2019:3929
vendor-advisory
x_refsource_REDHAT
RHSA-2019:3931
vendor-advisory
x_refsource_REDHAT
openSUSE-SU-2020:0038
vendor-advisory
x_refsource_SUSE
DSA-4680
vendor-advisory
x_refsource_DEBIAN

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now