Vulnerability in Apache Tomcat
CVE-2019-0199
The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By…
EPSS: 0.656 (98.5th percentile) — read the EPSS interpretation.
Affected products
- N/a Apache Tomcat — versions Apache Tomcat 9.0.0.M1 to 9.0.14, 8.5.0 to 8.5.37
Public proof-of-concept exploits
References
- lists.apache.org/thread.html/e1b0b273b6e8ddcc72c9023bc2394b1276fc72664144bf21d0… (x_refsource_MISC)
- [tomcat-dev] 20190413 svn commit: r1857494 [17/20] - in /tomcat/site/trunk: ./ docs/ xdocs/ (mailing-list, x_refsource_MLIST)
- [tomcat-dev] 20190413 svn commit: r1857496 [3/4] - in /tomcat/site/trunk: ./ docs/ xdocs/ (mailing-list, x_refsource_MLIST)
- [tomcat-dev] 20190415 svn commit: r1857582 [18/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/ (mailing-list, x_refsource_MLIST)
- [tomcat-dev] 20190415 svn commit: r1857582 [19/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/ (mailing-list, x_refsource_MLIST)
- security.netapp.com/advisory/ntap-20190419-0001/ (x_refsource_CONFIRM)
- [tomee-commits] 20190528 [jira] [Closed] (TOMEE-2497) Upgrade Tomcat in TomEE 7.0.x/7.1.x/8.0.x for CVE-2019-0199 (mailing-list, x_refsource_MLIST)
- [tomcat-users] 20190620 Re: [EXTERNAL] [SECURITY] CVE-2019-10072 Apache Tomcat HTTP/2 DoS (mailing-list, x_refsource_MLIST)
- [tomcat-dev] 20190620 [SECURITY] CVE-2019-10072 Apache Tomcat HTTP/2 DoS (mailing-list, x_refsource_MLIST)
- [announce] 20190620 [SECURITY] CVE-2019-10072 Apache Tomcat HTTP/2 DoS (mailing-list, x_refsource_MLIST)
Frequently asked questions
- What is CVE-2019-0199?
- CVE-2019-0199 is a vulnerability in Apache Tomcat. Published 2019-04-10.
- Is CVE-2019-0199 known to be exploited?
- 4 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.