CVE-2019-10072 — Vulnetix

Try Vulnetix Request Demo

CVE-2019-10072 PUBLISHED

The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

EPSS 72.14% · 98.7th percentile

Risk Scores

EPSS Score

72.14%

98.7th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:18.04:LTS	tomcat9	0, 9.0.16-3~18.04.1
Ubuntu:18.04:LTS	tomcat8	8.5.29-1, 8.5.30-1, 8.5.30-1ubuntu1

Timeline

CVE Published
Jun 11, 2020 PoC Published
Apr 14, 2021 EPSS Score
Jan 6, 2022 EPSS Score
Feb 4, 2022 EPSS Score
Mar 7, 2023 EPSS Score
Apr 10, 2023 EPSS Score
May 12, 2023 EPSS Score
Jun 14, 2023 EPSS Score
Jun 28, 2023 EPSS Score
Apr 26, 2024 EPSS Score
Jun 14, 2024 EPSS Score

References

https://ubuntu.com/security/CVE-2019-10072 third-party-advisory
https://lists.apache.org/thread.html/df1a2c1b87c8a6c500ecdbbaf134c7f1491c8d79d98b48c6b9f0fa6a@%3Cannounce.tomcat.apache.org%3E third-party-advisory
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.20 third-party-advisory
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.41 third-party-advisory
https://ubuntu.com/security/notices/USN-4128-1 vendor-advisory
https://ubuntu.com/security/notices/USN-4128-2 vendor-advisory
https://www.cve.org/CVERecord?id=CVE-2019-10072 third-party-advisory

Open in Interactive Console →