CVE-2019-0199
published 2019-04-10CVE-2019-0199: The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted…
high7.5CVSS 3.0
AVNACLPRNUINSUCNINAH
The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | 8.5.0 – 8.5.37 | — |
| apache | tomcat | 8.5.0 – 8.5.40 | — |
| apache | tomcat | 9.0.1 – 9.0.14 | — |
| apache | tomcat | 9.0.1 – 9.0.19 | — |
| debian | tomcat9 | < tomcat9 9.0.16-1 (bookworm) | tomcat9 9.0.16-1 (bookworm) |
| debian | tomcat9 | < tomcat9 9.0.22-1 (bookworm) | tomcat9 9.0.22-1 (bookworm) |
CVSS provenance
nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
ghsa7.5HIGH
osv7.5HIGH