Lucene search

K
cvelistApacheCVELIST:CVE-2019-0199
HistoryApr 10, 2019 - 2:21 p.m.

CVE-2019-0199

2019-04-1014:21:50
apache
www.cve.org
9
apache tomcat
http/2
dos

AI Score

7.6

Confidence

High

EPSS

0.727

Percentile

98.1%

The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API’s blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

CNA Affected

[
  {
    "product": "Apache Tomcat",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "Apache Tomcat 9.0.0.M1 to 9.0.14, 8.5.0 to 8.5.37"
      }
    ]
  }
]

References