High severity7.5NVD Advisory· Published Jun 21, 2019· Updated Jun 17, 2026
CVE-2019-10072
CVE-2019-10072
Description
The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 9.0.0.M1, < 9.0.20 | 9.0.20 |
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 8.5.0, < 8.5.41 | 8.5.41 |
Affected products
11- ghsa-coords10 versionspkg:maven/org.apache.tomcat.embed/tomcat-embed-corepkg:rpm/opensuse/tomcat10&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/tomcat&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/tomcat&distro=openSUSE%20Tumbleweedpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP1pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5
>= 9.0.0.M1, < 9.0.20+ 9 more
- (no CPE)range: >= 9.0.0.M1, < 9.0.20
- (no CPE)range: < 10.1.14-1.1
- (no CPE)range: < 9.0.30-lp151.3.6.1
- (no CPE)range: < 9.0.36-8.4
- (no CPE)range: < 9.0.30-3.34.1
- (no CPE)range: < 9.0.30-4.10.1
- (no CPE)range: < 9.0.21-3.13.2
- (no CPE)range: < 9.0.31-3.25.1
- (no CPE)range: < 9.0.21-3.13.2
- (no CPE)range: < 9.0.31-3.25.1
Patches
Vulnerability mechanics
References
37- github.com/advisories/GHSA-q4hg-rmq2-52q9ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2019-10072ghsaADVISORY
- lists.opensuse.org/opensuse-security-announce/2020-01/msg00013.htmlnvdWEB
- access.redhat.com/errata/RHSA-2019:3929nvdWEB
- access.redhat.com/errata/RHSA-2019:3931nvdWEB
- github.com/apache/tomcat/commit/0bcd69c9dd8ae0ff424f2cd46de51583510b7f35ghsaWEB
- github.com/apache/tomcat/commit/7f748eb6bfaba5207c89dbd7d5adf50fae847145ghsaWEB
- github.com/apache/tomcat/commit/8d14c6f21d29768a39be4b6b9517060dc6606758ghsaWEB
- github.com/apache/tomcat/commit/ada725a50a60867af3422c8e612aecaeea856a9aghsaWEB
- lists.apache.org/thread.html/df1a2c1b87c8a6c500ecdbbaf134c7f1491c8d79d98b48c6b9f0fa6a%40%3Cannounce.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/df1a2c1b87c8a6c500ecdbbaf134c7f1491c8d79d98b48c6b9f0fa6a@%3Cannounce.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3EghsaWEB
- security.netapp.com/advisory/ntap-20190625-0002ghsaWEB
- support.f5.com/csp/article/K17321505nvdWEB
- tomcat.apache.org/security-8.htmlghsaWEB
- tomcat.apache.org/security-9.htmlghsaWEB
- usn.ubuntu.com/4128-1ghsaWEB
- usn.ubuntu.com/4128-2ghsaWEB
- web.archive.org/web/20200227033743/http://www.securityfocus.com/bid/108874ghsaWEB
- www.debian.org/security/2020/dsa-4680nvdWEB
- www.oracle.com/security-alerts/cpuApr2021.htmlnvdWEB
- www.oracle.com/security-alerts/cpuapr2020.htmlnvdWEB
- www.oracle.com/security-alerts/cpujan2020.htmlnvdWEB
- www.oracle.com/security-alerts/cpuoct2020.htmlnvdWEB
- www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.htmlnvdWEB
- www.synology.com/security/advisory/Synology_SA_19_29nvdWEB
- www.securityfocus.com/bid/108874nvd
- security.netapp.com/advisory/ntap-20190625-0002/nvd
- usn.ubuntu.com/4128-1/nvd
- usn.ubuntu.com/4128-2/nvd
News mentions
0No linked articles in our index yet.