CVE-2019-0199 — Uncontrolled Resource Consumption in Apache Tomcat
Severity: 7.5 HIGH (NVD)
EPSS: 65.6% (top 1.50%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 10; Latest update Jun 15
Description
The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.
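The two client behaviours in the description (a flood of SETTINGS frames, and streams held open with no request or response progress) can be modelled at the frame level. The following is an added illustration written for this page; it is not Tomcat's code and nothing in it is taken from the Tomcat fix. It encodes and parses HTTP/2 frames per RFC 7540 section 4.1, then applies two server-side checks a fixed implementation should enforce: an overhead budget that closes the connection when control frames outnumber useful DATA by too much, and a per-stream progress timeout that resets idle streams instead of letting them pin a blocking-I/O thread. The names (ConnectionGuard, run_connection, sample_scenarios), the thresholds (overhead_limit=10, data_threshold=1024, stream_timeout=20.0) and the three frame sequences are all assumptions constructed for the example, not Tomcat defaults or captured traffic.

```python
"""Frame-level model of the abuse patterns behind CVE-2019-0199.

Added illustration, not Tomcat's code. Thresholds are assumptions chosen for
the example, not Tomcat defaults. Frame layout follows RFC 7540 section 4.1.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass, field

DATA, HEADERS, SETTINGS, PING, WINDOW_UPDATE = 0x0, 0x1, 0x4, 0x6, 0x8
END_STREAM = 0x1
CONTROL_TYPES = {SETTINGS, PING, WINDOW_UPDATE}   # carry no request data


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Encode one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    if len(payload) >= 1 << 24:
        raise ValueError("payload exceeds 2^24-1 bytes")
    header = len(payload).to_bytes(3, "big") + struct.pack("!BBI", ftype, flags, stream_id & 0x7FFFFFFF)
    return header + payload


def parse_frames(data: bytes) -> list[tuple[int, int, int, bytes]]:
    """Split a byte string into (type, flags, stream_id, payload) tuples; reject truncation."""
    frames, off = [], 0
    while off < len(data):
        if off + 9 > len(data):
            raise ValueError("truncated frame header")
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags, sid = struct.unpack("!BBI", data[off + 3:off + 9])
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        frames.append((ftype, flags, sid & 0x7FFFFFFF, payload))
        off += 9 + length
    return frames


@dataclass
class ConnectionGuard:
    """Per-connection accounting a server runs as client frames arrive (assumed thresholds)."""
    overhead_limit: int = 10        # max control-frame debt before the connection is closed
    data_threshold: int = 1024      # DATA payloads below this size count as overhead, not progress
    stream_timeout: float = 20.0    # seconds a stream may sit open with no HEADERS/DATA progress
    overhead: int = 0
    last_progress: dict[int, float] = field(default_factory=dict)   # open stream -> last progress

    def observe(self, now: float, ftype: int, flags: int, sid: int, payload: bytes) -> str | None:
        """Account for one frame; return "GOAWAY" when the peer has exhausted its overhead budget."""
        if ftype in CONTROL_TYPES:
            self.overhead += 1
        elif ftype == HEADERS:
            self.last_progress[sid] = now
        elif ftype == DATA:
            if len(payload) < self.data_threshold:
                self.overhead += 1                      # tiny DATA frames are overhead too
            else:
                self.overhead = max(0, self.overhead - 1)
            self.last_progress[sid] = now
        if ftype in (HEADERS, DATA) and flags & END_STREAM:
            self.last_progress.pop(sid, None)           # request body complete; nothing to wait on
        return "GOAWAY" if self.overhead > self.overhead_limit else None

    def expire(self, now: float) -> list[int]:
        """Return streams idle longer than stream_timeout; the server should RST_STREAM each one."""
        stale = [sid for sid, t in self.last_progress.items() if now - t > self.stream_timeout]
        for sid in stale:
            del self.last_progress[sid]
        return stale


def run_connection(records: list[tuple[float, bytes]], check_at: float) -> dict:
    """Replay (arrival_time, raw_frame) records through a guard; stop at the first GOAWAY."""
    guard, goaway_at = ConnectionGuard(), None
    for i, (t, raw) in enumerate(records):
        for ftype, flags, sid, payload in parse_frames(raw):
            if guard.observe(t, ftype, flags, sid, payload) == "GOAWAY":
                goaway_at = i
                break
        if goaway_at is not None:
            break
    return {"goaway_at": goaway_at, "reset_streams": guard.expire(check_at), "overhead": guard.overhead}


def sample_scenarios() -> dict[str, list[tuple[float, bytes]]]:
    """Constructed client-to-server frame sequences (not captured traffic)."""
    end_headers = 0x4
    benign = [
        (0.0, build_frame(SETTINGS, 0, 0)),
        (0.0, build_frame(HEADERS, end_headers | END_STREAM, 1, b"\x82")),   # HPACK index 2: GET
        (0.1, build_frame(SETTINGS, 0x1, 0)),                                # SETTINGS ACK
    ]
    flood = [(0.0, build_frame(HEADERS, end_headers, 1, b"\x83"))]           # POST, body never sent
    flood += [(0.01 * k, build_frame(SETTINGS, 0, 0)) for k in range(1, 21)]  # 20 pointless SETTINGS
    stalled = [
        (0.0, build_frame(SETTINGS, 0, 0)),
        (0.0, build_frame(HEADERS, end_headers, 1, b"\x83")),
        (0.5, build_frame(DATA, 0, 1, b"x" * 2048)),                         # partial body, then silence
    ]
    return {"benign": benign, "settings_flood": flood, "stalled_stream": stalled}
```

The model covers only the read side (a request body that never completes). The symmetric write side, where the client stops sending WINDOW_UPDATE so the server's blocking write stalls on a zero flow-control window, needs the same timeout on the write path; that is the gap the CVE-2019-10072 follow-up listed below describes as an incomplete fix. Tomcat's HTTP/2 connector exposes the real equivalents of these knobs (streamReadTimeout, streamWriteTimeout and the overheadCountFactor family on the UpgradeProtocol element) in versions that contain the fix; confirm the attribute names and defaults against the documentation for the exact version you run.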
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (Exploitability: 3.9 | Impact: 3.6)
Network-reachable, low attack complexity, no privileges or user interaction required; the impact is confined to availability.
Affected Packages: 2 packages
Vendor Advisories (7)
Red Hat (4)
Debian: CVE-2019-0199: tomcat9 - The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.3... (2019)
Community: Bugzilla (7)
Bugzilla: Mojarra: Path traversal in ResourceManager.java:getResourceLibraryContracts() via the con parameter (2020-02-20)
Bugzilla: CVE-2020-6950 Mojarra: Path traversal via either the loc parameter or the con parameter, incomplete fix of CVE-2018-14371 (2020-02-20)
Bugzilla: CVE-2019-10072 tomcat: HTTP/2 connection window exhaustion on write, incomplete fix of CVE-2019-0199 (2019-06-25)
Bugzilla: CVE-2019-10072 tomcat: HTTP/2 connection window exhaustion on write, incomplete fix of CVE-2019-0199 [epel-all] (2019-06-25)
Bugzilla: CVE-2019-10072 tomcat: HTTP/2 connection window exhaustion on write, incomplete fix of CVE-2019-0199 [fedora-all] (2019-06-25)