CVE-2019-10072 (High) detected in tomcat-embed-core-9.0.17.jar

[mend-bolt-for-github[bot]]

CVE-2019-10072 - High Severity Vulnerability

Vulnerable Library - tomcat-embed-core-9.0.17.jar

Core Tomcat implementation

Path to dependency file: /tmp/ws-scm/assessment/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.17/tomcat-embed-core-9.0.17.jar

Dependency Hierarchy: - spring-boot-starter-web-2.1.4.RELEASE.jar (Root Library) - spring-boot-starter-tomcat-2.1.4.RELEASE.jar - :x: **tomcat-embed-core-9.0.17.jar** (Vulnerable Library)

Found in HEAD commit: 0b0141cbd532a1b08f6a2060584c3620fcb2527e

Vulnerability Details

The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

Publish Date: 2019-06-21

URL: CVE-2019-10072

CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.41

Release Date: 2019-06-21

Fix Resolution: 8.5.41,9.0.20

---

Step up your Open Source Security Game with WhiteSource here

[issue-label-bot[bot]]

Issue-Label Bot is automatically applying the label bug to this issue, with a confidence of 0.81. Please mark this comment with :thumbsup: or :thumbsdown: to give our bot feedback!

Links: app homepage, dashboard and code for this bot.