CVE-2019-10072

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2019-10072
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-10072.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2019-10072
Aliases
Downstream
Related
Published
2019-06-21T18:15:09.513Z
Modified
2026-02-12T00:25:14.287983Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

References

Affected packages

Git / github.com/apache/tomcat

Affected ranges

Type
GIT
Repo
https://github.com/apache/tomcat
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
29b07def810d335012e738b22ab44d4e232b50d1
Introduced
3c78e95e36268dfb76db1570f0cf49104fa6eabc
Last affected
854f4dcf435a6d335576aa22402e2871c66f4fd9
Introduced
e37b977db6f47e4380ad67114a49e8568951c953
Last affected
5ec070352b283535946327b44228b610a27a76c5

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-10072.json"