Lucene search

[email protected]NVD:CVE-2017-5650

HistoryApr 17, 2017 - 4:59 p.m.

CVE-2017-5650

2017-04-1716:59:00

CWE-404

[email protected]

web.nvd.nist.gov

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.833

Percentile

98.5%

JSON

In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting for a WINDOW_UPDATE before allowing the application to write more data. These waiting streams each consumed a thread. A malicious client could therefore construct a series of HTTP/2 requests that would consume all available processing threads.

Affected configurations

Nvd

Node

apachetomcatMatch8.5.0

apachetomcatMatch8.5.1

apachetomcatMatch8.5.2

apachetomcatMatch8.5.3

apachetomcatMatch8.5.4

apachetomcatMatch8.5.5

apachetomcatMatch8.5.6

apachetomcatMatch8.5.7

apachetomcatMatch8.5.8

apachetomcatMatch8.5.9

apachetomcatMatch8.5.10

apachetomcatMatch8.5.11

apachetomcatMatch8.5.12

Node

apachetomcatMatch9.0.0milestone1

apachetomcatMatch9.0.0milestone10

apachetomcatMatch9.0.0milestone11

apachetomcatMatch9.0.0milestone12

apachetomcatMatch9.0.0milestone13

apachetomcatMatch9.0.0milestone14

apachetomcatMatch9.0.0milestone15

apachetomcatMatch9.0.0milestone16

apachetomcatMatch9.0.0milestone17

apachetomcatMatch9.0.0milestone18

apachetomcatMatch9.0.0milestone2

apachetomcatMatch9.0.0milestone3

apachetomcatMatch9.0.0milestone4

apachetomcatMatch9.0.0milestone5

apachetomcatMatch9.0.0milestone6

apachetomcatMatch9.0.0milestone7

apachetomcatMatch9.0.0milestone8

apachetomcatMatch9.0.0milestone9

VendorProductVersionCPE
apachetomcat8.5.0cpe:2.3:a:apache:tomcat:8.5.0:*:*:*:*:*:*:*
apachetomcat8.5.1cpe:2.3:a:apache:tomcat:8.5.1:*:*:*:*:*:*:*
apachetomcat8.5.2cpe:2.3:a:apache:tomcat:8.5.2:*:*:*:*:*:*:*
apachetomcat8.5.3cpe:2.3:a:apache:tomcat:8.5.3:*:*:*:*:*:*:*
apachetomcat8.5.4cpe:2.3:a:apache:tomcat:8.5.4:*:*:*:*:*:*:*
apachetomcat8.5.5cpe:2.3:a:apache:tomcat:8.5.5:*:*:*:*:*:*:*
apachetomcat8.5.6cpe:2.3:a:apache:tomcat:8.5.6:*:*:*:*:*:*:*
apachetomcat8.5.7cpe:2.3:a:apache:tomcat:8.5.7:*:*:*:*:*:*:*
apachetomcat8.5.8cpe:2.3:a:apache:tomcat:8.5.8:*:*:*:*:*:*:*
apachetomcat8.5.9cpe:2.3:a:apache:tomcat:8.5.9:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apache	tomcat	8.5.0	cpe:2.3:a:apache:tomcat:8.5.0:::::::*
apache	tomcat	8.5.1	cpe:2.3:a:apache:tomcat:8.5.1:::::::*
apache	tomcat	8.5.2	cpe:2.3:a:apache:tomcat:8.5.2:::::::*
apache	tomcat	8.5.3	cpe:2.3:a:apache:tomcat:8.5.3:::::::*
apache	tomcat	8.5.4	cpe:2.3:a:apache:tomcat:8.5.4:::::::*
apache	tomcat	8.5.5	cpe:2.3:a:apache:tomcat:8.5.5:::::::*
apache	tomcat	8.5.6	cpe:2.3:a:apache:tomcat:8.5.6:::::::*
apache	tomcat	8.5.7	cpe:2.3:a:apache:tomcat:8.5.7:::::::*
apache	tomcat	8.5.8	cpe:2.3:a:apache:tomcat:8.5.8:::::::*
apache	tomcat	8.5.9	cpe:2.3:a:apache:tomcat:8.5.9:::::::*