VDB
CVE-2019-10072
CVE-2019-10072
PUBLISHED
The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.
EPSS 71.30% · 98.7th percentile
Risk Scores
EPSS Score
71.30%
98.7th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:18.04:LTS | tomcat9 | 0, * |
| Ubuntu:18.04:LTS | tomcat8 | 0, 8.5.21-1ubuntu1, 8.5.29-1 |
Exploit Intelligence
- Tomcat examples available for public, Disclosure Apache Tomcat version, Critical/High/Medium CVE (hackerone)
- Tomcat examples available for public, Disclosure Apache Tomcat version, Critical/High/Medium CVE (hackerone)
- Tomcat examples available for public, Disclosure Apache Tomcat version, Critical/High/Medium CVE (hackerone)
Timeline
- CVE Published
- Jun 11, 2020 PoC Published
- Apr 14, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Mar 7, 2023 EPSS Score
- Apr 10, 2023 EPSS Score
- May 12, 2023 EPSS Score
- Jun 14, 2023 EPSS Score
- Jun 28, 2023 EPSS Score
- Apr 26, 2024 EPSS Score
- Mar 17, 2025 EPSS Score
References
- https://ubuntu.com/security/CVE-2019-10072 third-party-advisory
- https://lists.apache.org/thread.html/df1a2c1b87c8a6c500ecdbbaf134c7f1491c8d79d98b48c6b9f0fa6a@%3Cannounce.tomcat.apache.org%3E third-party-advisory
- http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.20 third-party-advisory
- http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.41 third-party-advisory
- https://ubuntu.com/security/notices/USN-4128-1 vendor-advisory
- https://ubuntu.com/security/notices/USN-4128-2 vendor-advisory
- https://www.cve.org/CVERecord?id=CVE-2019-10072 third-party-advisory