Vulnerability Database

289,599

Total vulnerabilities in the database

CVE-2019-0199

The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

CVSS v3:

  • Severity: High
  • Score: 7.5
  • AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v2:

  • Severity: Medium
  • Score: 5
  • AV:N/AC:L/Au:N/C:N/I:N/A:P

CWEs:

Software From Fixed in
apache / tomcat 9.0.1 9.0.14.x
apache / tomcat 8.5.0 8.5.37.x
org.apache.tomcat.embed / tomcat-embed-core 9.0.0 9.0.16
org.apache.tomcat.embed / tomcat-embed-core 8.0.0 8.5.38
apache / tomcat 9.0.0-milestone1 9.0.0-milestone1.x
apache / tomcat 9.0.0-milestone10 9.0.0-milestone10.x
apache / tomcat 9.0.0-milestone11 9.0.0-milestone11.x
apache / tomcat 9.0.0-milestone12 9.0.0-milestone12.x
apache / tomcat 9.0.0-milestone13 9.0.0-milestone13.x
apache / tomcat 9.0.0-milestone14 9.0.0-milestone14.x
apache / tomcat 9.0.0-milestone15 9.0.0-milestone15.x
apache / tomcat 9.0.0-milestone16 9.0.0-milestone16.x
apache / tomcat 9.0.0-milestone17 9.0.0-milestone17.x
apache / tomcat 9.0.0-milestone18 9.0.0-milestone18.x
apache / tomcat 9.0.0-milestone19 9.0.0-milestone19.x
apache / tomcat 9.0.0-milestone2 9.0.0-milestone2.x
apache / tomcat 9.0.0-milestone20 9.0.0-milestone20.x
apache / tomcat 9.0.0-milestone21 9.0.0-milestone21.x
apache / tomcat 9.0.0-milestone3 9.0.0-milestone3.x
apache / tomcat 9.0.0-milestone4 9.0.0-milestone4.x
apache / tomcat 9.0.0-milestone5 9.0.0-milestone5.x
apache / tomcat 9.0.0-milestone6 9.0.0-milestone6.x
apache / tomcat 9.0.0-milestone7 9.0.0-milestone7.x
apache / tomcat 9.0.0-milestone8 9.0.0-milestone8.x
apache / tomcat 9.0.0-milestone9 9.0.0-milestone9.x