CVE-2019-10072

UNKNOWN

Published 2019-06-21T17:56:42

Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2019-10072. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed HIGH

Improper Locking in Apache Tomcat

GHSA-q4hg-rmq2-52q9

Advisory Details

Affected Packages

Maven org.apache.tomcat.embed:tomcat-embed-core

ECOSYSTEM: ≥9.0.0.M1 <9.0.20

Maven org.apache.tomcat.embed:tomcat-embed-core

ECOSYSTEM: ≥8.5.0 <8.5.41

CVSS Scoring

CVSS Score

7.5

CVSS Vector


                                    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2019-10072

WEB https://github.com/apache/tomcat/commit/0bcd69c9dd8ae0ff424f2cd46de51583510b7f35

WEB https://github.com/apache/tomcat/commit/7f748eb6bfaba5207c89dbd7d5adf50fae847145

WEB https://github.com/apache/tomcat/commit/8d14c6f21d29768a39be4b6b9517060dc6606758

WEB https://github.com/apache/tomcat/commit/ada725a50a60867af3422c8e612aecaeea856a9a

WEB https://security.netapp.com/advisory/ntap-20190625-0002

WEB https://support.f5.com/csp/article/K17321505

WEB https://tomcat.apache.org/security-8.html

WEB https://tomcat.apache.org/security-9.html

WEB https://usn.ubuntu.com/4128-1

WEB https://usn.ubuntu.com/4128-2

WEB https://web.archive.org/web/20200227033743/http://www.securityfocus.com/bid/108874

WEB https://www.debian.org/security/2020/dsa-4680

WEB https://www.oracle.com/security-alerts/cpuApr2021.html

WEB https://www.oracle.com/security-alerts/cpuapr2020.html

WEB https://www.oracle.com/security-alerts/cpujan2020.html

WEB https://www.oracle.com/security-alerts/cpuoct2020.html

WEB https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

WEB https://www.synology.com/security/advisory/Synology_SA_19_29

WEB https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E

WEB https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E

WEB https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E

WEB https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E

WEB https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E

WEB https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E

WEB https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E

WEB https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E

WEB https://lists.apache.org/thread.html/df1a2c1b87c8a6c500ecdbbaf134c7f1491c8d79d98b48c6b9f0fa6a@%3Cannounce.tomcat.apache.org%3E

WEB https://lists.apache.org/thread.html/df1a2c1b87c8a6c500ecdbbaf134c7f1491c8d79d98b48c6b9f0fa6a%40%3Cannounce.tomcat.apache.org%3E

PACKAGE https://github.com/apache/tomcat

WEB https://access.redhat.com/errata/RHSA-2019:3931

WEB https://access.redhat.com/errata/RHSA-2019:3929

WEB http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00013.html

Advisory provided by GitHub Security Advisory Database. Published: June 26, 2019, Modified: March 11, 2024

References

http://www.securityfocus.com/bid/108874

https://usn.ubuntu.com/4128-1/

https://usn.ubuntu.com/4128-2/

https://access.redhat.com/errata/RHSA-2019:3929

https://access.redhat.com/errata/RHSA-2019:3931

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00013.html

https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E

https://www.debian.org/security/2020/dsa-4680

https://www.oracle.com/security-alerts/cpuapr2020.html

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

https://www.oracle.com/security-alerts/cpujan2020.html

https://www.oracle.com/security-alerts/cpuoct2020.html

https://lists.apache.org/thread.html/df1a2c1b87c8a6c500ecdbbaf134c7f1491c8d79d98b48c6b9f0fa6a%40%3Cannounce.tomcat.apache.org%3E

https://www.synology.com/security/advisory/Synology_SA_19_29

https://security.netapp.com/advisory/ntap-20190625-0002/

https://support.f5.com/csp/article/K17321505

https://www.oracle.com/security-alerts/cpuApr2021.html

HackerOne Reports

Tomcat examples available for public, Disclosure Apache Tomcat version, Critical/High/Medium CVE Medium

pvm

U.S. Dept Of Defense

Information Exposure Through an Error Message

View Report

Published: 2019-06-21T17:56:42

Last Modified: 2024-08-04T22:10:09.192Z

Copied to clipboard!

CVE-2019-10072

Expert Analysis

Description

Available Exploits

Related News

GitHub Security Advisories

Improper Locking in Apache Tomcat

Advisory Details

Affected Packages

CVSS Scoring

CVSS Score

CVSS Vector

References

References

HackerOne Reports

Request Analysis

What to expect

Request Received!