You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Path to dependency file: /tmp/ws-scm/swagger-aggregator/greeting-service/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.16/d7069e3d0f760035b26b68b7b6af5eaa0c1862f/tomcat-embed-core-9.0.16.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.16/d7069e3d0f760035b26b68b7b6af5eaa0c1862f/tomcat-embed-core-9.0.16.jar
The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.
Issue-Label Bot is automatically applying the label bug to this issue, with a confidence of 0.79. Please mark this comment with 👍 or 👎 to give our bot feedback!
CVE-2019-10072 - High Severity Vulnerability
Vulnerable Library - tomcat-embed-core-9.0.16.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /tmp/ws-scm/swagger-aggregator/greeting-service/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.16/d7069e3d0f760035b26b68b7b6af5eaa0c1862f/tomcat-embed-core-9.0.16.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.16/d7069e3d0f760035b26b68b7b6af5eaa0c1862f/tomcat-embed-core-9.0.16.jar
Dependency Hierarchy:
Found in HEAD commit: 2dddf68b2f335a7c2374a186f1417bb31e3421c1
Vulnerability Details
The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.
Publish Date: 2019-06-21
URL: CVE-2019-10072
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.41
Release Date: 2019-06-21
Fix Resolution: org.apache.tomcat.embed:tomcat-embed-core:8.5.41,org.apache.tomcat.embed:tomcat-embed-core:9.0.20
Step up your Open Source Security Game with WhiteSource here
The text was updated successfully, but these errors were encountered: