Main Vulnerability Database Vulnerabilities #VU20992

Resource management error in Apache Tomcat - CVE-2019-10072

Published: September 10, 2019 / Updated: January 20, 2020

Vulnerability identifier: #VU20992

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2019-10072

CWE-ID: CWE-399

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Apache Foundation

Affected software:
Apache Tomcat

Detailed vulnerability description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to incomplete fix for SB2019020812 when processing HTTP/2 requests. A remote attacker can perform denial of service attack by not sending WINDOW_UPDATE messages for the connection window (stream 0).

How to mitigate CVE-2019-10072

Install updates from vendor's website.

Sources

https://lists.apache.org/thread.html/df1a2c1b87c8a6c500ecdbbaf134c7f1491c8d79d98b48c6b9f0fa6a@%3Cannounce.tomcat.apache.org%3E

Resource management error in Apache Tomcat - CVE-2019-10072

Detailed vulnerability description

How to mitigate CVE-2019-10072

Sources

Please verify you're human