var-201904-1069
Vulnerability from variot
The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block, eventually leading to thread exhaustion and a DoS.

Apache Tomcat contains a resource exhaustion vulnerability that can leave the service in a denial-of-service (DoS) state.

Apache Tomcat is a lightweight web application server from the Apache Software Foundation that implements the Servlet and JavaServer Pages (JSP) specifications. An attacker could exploit this vulnerability to cause a denial of service.

A vulnerability in Apache Tomcat could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted system. The vulnerability is due to a resource exhaustion condition in the HTTP/2 implementation of the affected software. A successful exploit could result in a DoS condition on the targeted system. Apache has confirmed the vulnerability and released software updates. Note that Tomcat only speaks HTTP/2 on Connectors that explicitly configure the HTTP/2 UpgradeProtocol (org.apache.coyote.http2.Http2Protocol), so installations that never enabled HTTP/2 are not reachable through this flaw; the fixed releases are 8.5.38 and 9.0.16.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Debian Security Advisory DSA-4596-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff December 27, 2019 https://www.debian.org/security/faq
Package : tomcat8 CVE ID : CVE-2018-8014 CVE-2018-11784 CVE-2019-0199 CVE-2019-0221 CVE-2019-12418 CVE-2019-17563
Several issues were discovered in the Tomcat servlet and JSP engine, which could result in session fixation attacks, information disclosure, cross-site scripting, denial of service via resource exhaustion and insecure redirects.
For the oldstable distribution (stretch), these problems have been fixed in version 8.5.50-0+deb9u1. This update also requires an updated version of tomcat-native which has been updated to 1.2.21-1~deb9u1.
We recommend that you upgrade your tomcat8 packages.
For the detailed security status of tomcat8 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/tomcat8
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl4GgDcACgkQEMKTtsN8
TjaVxA//dmUGPdFZSI6VW/avTJ8YKIgVaKTLJz47hl9GKWJoGI4lG5TE4INs193y
xKf2gtuPb/YCdqZj2VphPTiPiIbycXrRXTq9uGnioteeAZfgKnqSokcQ+EvUItsp
Q7nBeuFNdSHaK1TAQ74Ty4qcwM/WXQ5c0UfZvAbMzYp3PRrkHkMXhUHMj7MJNz7W
6I/ehY+h+VkvTj7P6U3icEoLsTqOwKiHFiAVKD9DiUZqRI62nmbMW2il1zgF3pOZ
QNrDGhNsaVfhJbIES3/vuF/qSQIm6GryQ1dwxbFBszemdHTGEQmANsxLLXWnPDH1
2KigZh5bkSlQZvJRHgbJp+LdM+DSY7VI1KtwTIkpwFZ2/kbz+kMGGT+TQplSORyL
IY9SK1aQduWBx2yi3X7/wPXVdV7KA1cMCPhSt8fVieYxZWtONALBuCdnSSEweIEq
myd2GD75QIHjZy7JZoVc421kCjH4IrXxuwEQDkHjKTladjdklOREEocAc8R+NjSS
kUKdS2cOel6M2yjH/ieOv3DVaUPplgl+0KJGXqAhdkCQUwTMsw1tmR/ObWkCHQov
k79Isubwc5kuQD/iBCuIQM8TgfNcyWXNAyHbpKR7kGkrn/ihN7dsCdvRjrMPrvRJ
x/PLd3rjlgS5D1cEf7PTZZjym4mwDPrKgamSt9V3f3RwFwV75vY=
=je4v
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat support for Spring Boot 2.1.12 security and bug fix update
Advisory ID: RHSA-2020:2366-01
Product: Red Hat OpenShift Application Runtimes
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2366
Issue date: 2020-06-04
CVE Names: CVE-2019-0199 CVE-2019-3868 CVE-2019-3875 CVE-2019-10199 CVE-2019-10201 CVE-2019-14832
=====================================================================
1. Summary:
An update is now available for Red Hat OpenShift Application Runtimes.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
[NOTE: This security advisory was unintentionally omitted at the time of the initial software release on 2020-02-18. The advisory is informational only; no files in the release have changed.]
2. Description:
Red Hat support for Spring Boot provides an application platform that reduces the complexity of developing and operating applications (monoliths and microservices) for OpenShift as a containerized platform.
This release of Red Hat support for Spring Boot 2.1.12 serves as a replacement for Red Hat support for Spring Boot 2.1.6, and includes security and bug fixes and enhancements. For further information, refer to the release notes linked to in the References section.
Security Fix(es):
* tomcat: Apache Tomcat HTTP/2 DoS (CVE-2019-0199)

* keycloak: SAML broker does not check existence of signature on document allowing any user impersonation (CVE-2019-10201)

* keycloak: session hijack using the user access token (CVE-2019-3868)

* keycloak: missing signatures validation on CRL used to verify client certificates (CVE-2019-3875)

* keycloak: CSRF check missing in My Resources functionality in the Account Console (CVE-2019-10199)

* keycloak: cross-realm user access auth bypass (CVE-2019-14832)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
3. Solution:
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
The References section of this erratum contains a download link (you must log in to download the update).
4. Bugs fixed (https://bugzilla.redhat.com/):

1679144 - CVE-2019-3868 keycloak: session hijack using the user access token
1690628 - CVE-2019-3875 keycloak: missing signatures validation on CRL used to verify client certificates
1693325 - CVE-2019-0199 tomcat: Apache Tomcat HTTP/2 DoS
1728609 - CVE-2019-10201 keycloak: SAML broker does not check existence of signature on document allowing any user impersonation
1729261 - CVE-2019-10199 keycloak: CSRF check missing in My Resources functionality in the Account Console
1749487 - CVE-2019-14832 keycloak: cross-realm user access auth bypass
5. References:

https://access.redhat.com/security/cve/CVE-2019-0199
https://access.redhat.com/security/cve/CVE-2019-3868
https://access.redhat.com/security/cve/CVE-2019-3875
https://access.redhat.com/security/cve/CVE-2019-10199
https://access.redhat.com/security/cve/CVE-2019-10201
https://access.redhat.com/security/cve/CVE-2019-14832
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=catRhoar.spring.boot&downloadType=distributions&version=2.1.12
https://access.redhat.com/documentation/en-us/red_hat_support_for_spring_boot/2.1/html-single/release_notes_for_spring_boot_2.1/
6. Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXtjx9tzjgjWX9erEAQhFOA//Tkk46vAF4/aJiKVApEHvF5R96081W2Hq
G96k3lUPuatTrcD/2yek9whs1Bf9MQgWcaFWCgx63nsNs6Mm81frsR/dt4YV8mWc
97y4u6kz6nvQQ6Wz6Xuic9km17/yXuNl5JqgmcLtltgNhtWgZhpQUKfbP3ot0T2X
FStJvnZlPrgDnpnVZ8y6x++otaDfbXGiy2FyGepXei8WWxXtQ/XYPoQC/mYbuXgM
eUNsFLEyY9hWLCE4vfavLCM4fHs+djrL2E6N431JhpLyCrbTx0nYkaMkoOoJlLe2
agJjBzd5iYnBbD6p9K5okIWR1U2gNsdV6Q7UROTLiEFoxBOr1hO1mzqYkJ80t1Pm
d48N7OuQ4MhYgiKftVDmsVgXuQzySUrjZWnZZnDbVZo02gwD8T1NXgq9zCX64/sl
ucKvbDnnmLDYQYsKRCjf1aH1ZDrrPOPIOkTbMlb4+Wqc/O8jrRfzvya0ym9wnN8v
CG3VmxPBPeNgp6/pmTBrJU9c+dER9qmavAB77Vl09dH88V9Ne4GLiVfqSVOEhY1w
vwZo31fNXNYFYT/NV2v9CiZwrRcsqn60VH0E4Qc+zTOb5esR7bIidcBMGtPm+BI0
80uR7D6DwjVmZsfzwakCIiGMaChysonql+P72iOd2Xerj7osdvMSEQHSVSjuILh7
wiv1ksQVw/s=
=pUHq
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
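The version ranges in the description at the top of this entry (8.5.0 to 8.5.37 and 9.0.0.M1 to 9.0.14, first fixed in 8.5.38 and 9.0.16) are easy to mis-evaluate by hand because of the 9.0.0.Mx milestone scheme, and the flaw lives only in Tomcat's HTTP/2 connector, which is inactive unless a Connector declares the org.apache.coyote.http2.Http2Protocol UpgradeProtocol. The script below is an added example, not code from the VARIoT entry, from the Apache Tomcat project or from any vendor quoted above: it parses a Tomcat version banner or package version, tests it against those ranges, and reads a server.xml (a constructed sample is embedded) to see whether HTTP/2 is actually enabled. The accepted input forms and the sample server.xml are assumptions made for the example.

```python
"""Exposure check for CVE-2019-0199 (Apache Tomcat HTTP/2 DoS).

Added example, not part of the VARIoT entry or of Apache Tomcat itself.
It encodes the affected ranges stated in the entry (8.5.0-8.5.37 and
9.0.0.M1-9.0.14, fixed in 8.5.38 / 9.0.16) and checks a server.xml for the
HTTP/2 UpgradeProtocol, since the bug is only reachable over HTTP/2.
"""
import re
import xml.etree.ElementTree as ET

# Accepted forms (assumption): "8.5.37", "9.0.0.M1", "Apache Tomcat/9.0.16"
# (Server header / error-page banner) or a Debian package version such as
# "8.5.50-0+deb9u1", whose packaging revision is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")


def parse_version(text):
    """Return a sortable tuple (major, minor, patch, milestone).

    Milestones 9.0.0.M1 ... 9.0.0.M27 must sort before 9.0.1, so a GA
    release gets milestone=inf: 9.0.0.M27 < 9.0.0 < 9.0.1.
    """
    s = text.strip()
    if s.startswith("Apache Tomcat/"):
        s = s[len("Apache Tomcat/"):]
    s = s.split("-", 1)[0]  # drop a Debian/packaging revision
    m = _VERSION_RE.match(s)
    if not m:
        raise ValueError("unrecognised Tomcat version: %r" % text)
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch),
            int(milestone) if milestone else float("inf"))


# (first affected, last affected) as given in the description. 9.0.15 was
# never released, so 9.0.16 is the first fixed 9.0.x; 8.5.38 fixes 8.5.x.
AFFECTED_RANGES = (
    (parse_version("8.5.0"), parse_version("8.5.37")),
    (parse_version("9.0.0.M1"), parse_version("9.0.14")),
)


def version_affected(text):
    """True if the version falls inside one of the affected ranges."""
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


HTTP2_CLASS = "org.apache.coyote.http2.Http2Protocol"


def http2_ports(server_xml):
    """Ports of Connectors that declare the HTTP/2 UpgradeProtocol."""
    root = ET.fromstring(server_xml)
    ports = []
    for conn in root.iter("Connector"):
        for up in conn.findall("UpgradeProtocol"):
            if up.get("className") == HTTP2_CLASS:
                ports.append(int(conn.get("port")))
    return ports


def exposure(version_text, server_xml):
    """Vulnerable code AND a listener that speaks HTTP/2 -> exposed."""
    affected = version_affected(version_text)
    ports = http2_ports(server_xml)
    return {"version_affected": affected,
            "http2_ports": ports,
            "exposed": affected and bool(ports)}


# Constructed sample server.xml: 8080 is plain HTTP/1.1, 8443 enables HTTP/2.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="150">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/keystore.jks" type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for banner in ("Apache Tomcat/8.5.37", "9.0.0.M1", "9.0.14",
                   "8.5.50-0+deb9u1", "Apache Tomcat/9.0.16"):
        print(banner, exposure(banner, SAMPLE_SERVER_XML))
```

Two caveats when using this. A vendor that backports the fix without changing the upstream version number will be reported as affected, so for distribution packages compare against the vendor's fixed package version (Debian stretch: 8.5.50-0+deb9u1 per DSA-4596-1 above) rather than trusting the upstream number alone. And the Server header can be altered or hidden, so take the version from the installation itself (`catalina.sh version` or RELEASE-NOTES) rather than from a banner. The fixed releases also document per-stream read/write timeouts and overhead accounting on the Http2Protocol UpgradeProtocol (streamReadTimeout, streamWriteTimeout, overheadCountFactor and related attributes in the Tomcat HTTP/2 connector documentation); this entry does not describe them, and they are defence in depth, not a substitute for upgrading.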
{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-201904-1069", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "tomcat", "scope": "eq", "trust": 1.1, "vendor": "apache", "version": "9.0.0" }, { "model": "tomcat", "scope": "lte", "trust": 1.0, "vendor": "apache", "version": "9.0.14" }, { "model": "tomcat", "scope": "gte", "trust": 1.0, "vendor": "apache", "version": 
"8.5.0" }, { "model": "tomcat", "scope": "gte", "trust": 1.0, "vendor": "apache", "version": "9.0.1" }, { "model": "tomcat", "scope": "lte", "trust": 1.0, "vendor": "apache", "version": "8.5.37" }, { "model": "tomcat", "scope": "eq", "trust": 0.8, "vendor": "apache", "version": "8.5.0 to 8.5.37" }, { "model": "tomcat", "scope": "eq", "trust": 0.8, "vendor": "apache", "version": "9.0.0.m1 to 9.0.14" }, { "model": "tomcat", "scope": null, "trust": 0.6, "vendor": "apache", "version": null }, { "model": "tomcat", "scope": "eq", "trust": 0.4, "vendor": "apache", "version": "8.5.0" }, { "model": "tomcat", "scope": "eq", "trust": 0.4, "vendor": "apache", "version": "8.5.1" }, { "model": "tomcat", "scope": "eq", "trust": 0.4, "vendor": "apache", "version": "8.5.2" }, { "model": "tomcat", "scope": "eq", "trust": 0.4, "vendor": "apache", "version": "8.5.3" }, { "model": "tomcat", "scope": "eq", "trust": 0.4, "vendor": "apache", "version": "8.5.4" }, { "model": "tomcat", "scope": "eq", "trust": 0.4, "vendor": "apache", "version": "8.5.5" }, { "model": "tomcat", "scope": "eq", "trust": 0.4, "vendor": "apache", "version": "8.5.6" }, { "model": "tomcat", "scope": "eq", "trust": 0.4, "vendor": "apache", "version": "8.5.7" }, { "model": "tomcat", "scope": "eq", "trust": 0.4, "vendor": "apache", "version": "8.5.8" }, { "model": "tomcat", "scope": "eq", "trust": 0.4, "vendor": "apache", "version": "8.5.9" }, { "model": "tomcat", "scope": "eq", "trust": 0.4, "vendor": "apache", "version": "8.5.11" }, { "model": "tomcat", "scope": "eq", "trust": 0.4, "vendor": "apache", "version": "8.5.12" }, { "model": "tomcat", "scope": "eq", "trust": 0.4, "vendor": "apache", "version": "8.5.13" }, { "model": "tomcat", "scope": "eq", "trust": 0.4, "vendor": "apache", "version": "8.5.14" }, { "model": "tomcat", "scope": "eq", "trust": 0.4, "vendor": "apache", "version": "8.5.15" }, { "model": "tomcat", "scope": "eq", "trust": 0.4, "vendor": "apache", "version": "8.5.16" }, { "model": "tomcat", 
"scope": "eq", "trust": 0.4, "vendor": "apache", "version": "8.5.23" }, { "model": "tomcat", "scope": "eq", "trust": 0.4, "vendor": "apache", "version": "8.5.24" }, { "model": "tomcat", "scope": "eq", "trust": 0.4, "vendor": "apache", "version": "8.5.27" }, { "model": "tomcat", "scope": "eq", "trust": 0.4, "vendor": "apache", "version": "8.5.28" }, { "model": "tomcat", "scope": "eq", "trust": 0.4, "vendor": "apache", "version": "8.5.30" }, { "model": "tomcat", "scope": "eq", "trust": 0.4, "vendor": "apache", "version": "8.5.31" }, { "model": "tomcat", "scope": "eq", "trust": 0.4, "vendor": "apache", "version": "8.5.32" }, { "model": "tomcat", "scope": "eq", "trust": 0.4, "vendor": "apache", "version": "8.5.34" }, { "model": "tomcat", "scope": "eq", "trust": 0.4, "vendor": "apache", "version": "8.5.37" }, { "model": "tomcat", "scope": "eq", "trust": 0.4, "vendor": "apache", "version": "9.0.1" }, { "model": "tomcat", "scope": "eq", "trust": 0.4, "vendor": "apache", "version": "9.0.4" }, { "model": "tomcat", "scope": "eq", "trust": 0.4, "vendor": "apache", "version": "9.0.5" }, { "model": "tomcat", "scope": "eq", "trust": 0.4, "vendor": "apache", "version": "9.0.7" }, { "model": "tomcat", "scope": "eq", "trust": 0.4, "vendor": "apache", "version": "9.0.8" }, { "model": "tomcat", "scope": "eq", "trust": 0.4, "vendor": "apache", "version": "9.0.9" }, { "model": "tomcat", "scope": "eq", "trust": 0.4, "vendor": "apache", "version": "9.0.10" }, { "model": "tomcat", "scope": "eq", "trust": 0.4, "vendor": "apache", "version": "9.0.12" }, { "model": "tomcat", "scope": "eq", "trust": 0.4, "vendor": "apache", "version": "9.0.14" }, { "model": "instantis enterprisetrack", "scope": "eq", "trust": 0.3, "vendor": "oracle", "version": "17.3" }, { "model": "instantis enterprisetrack", "scope": "eq", "trust": 0.3, "vendor": "oracle", "version": "17.2" }, { "model": "instantis enterprisetrack", "scope": "eq", "trust": 0.3, "vendor": "oracle", "version": "17.1" }, { "model": "tomcat 
9.0.0m8", "scope": null, "trust": 0.3, "vendor": "apache", "version": null }, { "model": "tomcat 9.0.0m6", "scope": null, "trust": 0.3, "vendor": "apache", "version": null }, { "model": "tomcat 9.0.0.m9", "scope": null, "trust": 0.3, "vendor": "apache", "version": null }, { "model": "tomcat 9.0.0.m7", "scope": null, "trust": 0.3, "vendor": "apache", "version": null }, { "model": "tomcat 9.0.0.m5", "scope": null, "trust": 0.3, "vendor": "apache", "version": null }, { "model": "tomcat 9.0.0.m4", "scope": null, "trust": 0.3, "vendor": "apache", "version": null }, { "model": "tomcat 9.0.0.m3", "scope": null, "trust": 0.3, "vendor": "apache", "version": null }, { "model": "tomcat 9.0.0.m22", "scope": null, "trust": 0.3, "vendor": "apache", "version": null }, { "model": "tomcat 9.0.0.m21", "scope": null, "trust": 0.3, "vendor": "apache", "version": null }, { "model": "tomcat 9.0.0.m20", "scope": null, "trust": 0.3, "vendor": "apache", "version": null }, { "model": "tomcat 9.0.0.m2", "scope": null, "trust": 0.3, "vendor": "apache", "version": null }, { "model": "tomcat 9.0.0.m19", "scope": null, "trust": 0.3, "vendor": "apache", "version": null }, { "model": "tomcat 9.0.0.m18", "scope": null, "trust": 0.3, "vendor": "apache", "version": null }, { "model": "tomcat 9.0.0.m17", "scope": null, "trust": 0.3, "vendor": "apache", "version": null }, { "model": "tomcat 9.0.0.m15", "scope": null, "trust": 0.3, "vendor": "apache", "version": null }, { "model": "tomcat 9.0.0.m13", "scope": null, "trust": 0.3, "vendor": "apache", "version": null }, { "model": "tomcat 9.0.0.m12", "scope": null, "trust": 0.3, "vendor": "apache", "version": null }, { "model": "tomcat 9.0.0.m11", "scope": null, "trust": 0.3, "vendor": "apache", "version": null }, { "model": "tomcat 9.0.0.m10", "scope": null, "trust": 0.3, "vendor": "apache", "version": null }, { "model": "tomcat 9.0.0.m1", "scope": null, "trust": 0.3, "vendor": "apache", "version": null }, { "model": "tomcat", "scope": "ne", "trust": 0.3, 
"vendor": "apache", "version": "9.0.16" }, { "model": "tomcat", "scope": "ne", "trust": 0.3, "vendor": "apache", "version": "8.5.38" }, { "model": "tomcat", "scope": "eq", "trust": 0.1, "vendor": "apache", "version": "8.5.10" }, { "model": "tomcat", "scope": "eq", "trust": 0.1, "vendor": "apache", "version": "8.5.17" }, { "model": "tomcat", "scope": "eq", "trust": 0.1, "vendor": "apache", "version": "8.5.18" }, { "model": "tomcat", "scope": "eq", "trust": 0.1, "vendor": "apache", "version": "8.5.19" }, { "model": "tomcat", "scope": "eq", "trust": 0.1, "vendor": "apache", "version": "8.5.20" }, { "model": "tomcat", "scope": "eq", "trust": 0.1, "vendor": "apache", "version": "8.5.21" }, { "model": "tomcat", "scope": "eq", "trust": 0.1, "vendor": "apache", "version": "8.5.22" }, { "model": "tomcat", "scope": "eq", "trust": 0.1, "vendor": "apache", "version": "8.5.25" }, { "model": "tomcat", "scope": "eq", "trust": 0.1, "vendor": "apache", "version": "8.5.26" }, { "model": "tomcat", "scope": "eq", "trust": 0.1, "vendor": "apache", "version": "8.5.29" }, { "model": "tomcat", "scope": "eq", "trust": 0.1, "vendor": "apache", "version": "8.5.33" }, { "model": "tomcat", "scope": "eq", "trust": 0.1, "vendor": "apache", "version": "8.5.35" }, { "model": "tomcat", "scope": "eq", "trust": 0.1, "vendor": "apache", "version": "8.5.36" }, { "model": "tomcat", "scope": "eq", "trust": 0.1, "vendor": "apache", "version": "9.0.2" }, { "model": "tomcat", "scope": "eq", "trust": 0.1, "vendor": "apache", "version": "9.0.3" }, { "model": "tomcat", "scope": "eq", "trust": 0.1, "vendor": "apache", "version": "9.0.6" }, { "model": "tomcat", "scope": "eq", "trust": 0.1, "vendor": "apache", "version": "9.0.11" }, { "model": "tomcat", "scope": "eq", "trust": 0.1, "vendor": "apache", "version": "9.0.13" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2019-15086" }, { "db": "VULMON", "id": "CVE-2019-0199" }, { "db": "BID", "id": "107674" }, { "db": "JVNDB", "id": "JVNDB-2019-003375" }, { "db": 
"NVD", "id": "CVE-2019-0199" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "cpe_match": [ { "cpe22Uri": "cpe:/a:apache:tomcat", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2019-003375" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Inc,Debian,Michal Karm Babacek from Red Hat", "sources": [ { "db": "CNNVD", "id": "CNNVD-201903-919" } ], "trust": 0.6 }, "cve": "CVE-2019-0199", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "nvd@nist.gov", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "exploitabilityScore": 10.0, "id": "CVE-2019-0199", "impactScore": 2.9, "integrityImpact": "NONE", "severity": "MEDIUM", "trust": 1.9, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", 
"author": "CNVD", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "exploitabilityScore": 10.0, "id": "CNVD-2019-15086", "impactScore": 2.9, "integrityImpact": "NONE", "severity": "MEDIUM", "trust": 0.6, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "nvd@nist.gov", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "exploitabilityScore": 3.9, "id": "CVE-2019-0199", "impactScore": 3.6, "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 1.8, "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" } ], "severity": [ { "author": "nvd@nist.gov", "id": "CVE-2019-0199", "trust": 1.0, "value": "HIGH" }, { "author": "NVD", "id": "CVE-2019-0199", "trust": 0.8, "value": "High" }, { "author": "CNVD", "id": "CNVD-2019-15086", "trust": 0.6, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-201903-919", "trust": 0.6, "value": "HIGH" }, { "author": "VULMON", "id": "CVE-2019-0199", "trust": 0.1, "value": "MEDIUM" } ] } ], "sources": [ { "db": "CNVD", "id": "CNVD-2019-15086" }, { "db": "VULMON", "id": "CVE-2019-0199" }, { "db": "JVNDB", "id": "JVNDB-2019-003375" }, { "db": "CNNVD", "id": "CNNVD-201903-919" }, { "db": "NVD", "id": "CVE-2019-0199" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. 
By keeping streams open for requests that utilised the Servlet API\u0027s blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS. Apache Tomcat Contains a resource exhaustion vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Apache Tomcat is a lightweight web application server from the Apache Software Foundation. This program implements support for Servlet and JavaServerPage (JSP). There is a security vulnerability in Apache Tomcat. An attacker could exploit the vulnerability to cause a denial of service. \nAttackers may leverage this issue to cause denial-of-service conditions. A vulnerability in Apache Tomcat could allow an unauthenticated, remote malicious user to cause a denial of service (DoS) condition on a targeted system. \nThe vulnerability is due to a resource exhaustion condition in the HTTP/2 implementation of the affected software. A successful exploit could result in a DoS condition on the targeted system. \nApache has confirmed the vulnerability and released software updates. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4596-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nDecember 27, 2019 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : tomcat8\nCVE ID : CVE-2018-8014 CVE-2018-11784 CVE-2019-0199 CVE-2019-0221 \n CVE-2019-12418 CVE-2019-17563\n\nSeveral issues were discovered in the Tomcat servlet and JSP engine, which\ncould result in session fixation attacks, information disclosure, cross-\nsite scripting, denial of service via resource exhaustion and insecure\nredirects. \n\nFor the oldstable distribution (stretch), these problems have been fixed\nin version 8.5.50-0+deb9u1. 
This update also requires an updated version\nof tomcat-native which has been updated to 1.2.21-1~deb9u1. \n\nWe recommend that you upgrade your tomcat8 packages. \n\nFor the detailed security status of tomcat8 please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/tomcat8\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n-----BEGIN PGP SIGNATURE-----\n\niQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl4GgDcACgkQEMKTtsN8\nTjaVxA//dmUGPdFZSI6VW/avTJ8YKIgVaKTLJz47hl9GKWJoGI4lG5TE4INs193y\nxKf2gtuPb/YCdqZj2VphPTiPiIbycXrRXTq9uGnioteeAZfgKnqSokcQ+EvUItsp\nQ7nBeuFNdSHaK1TAQ74Ty4qcwM/WXQ5c0UfZvAbMzYp3PRrkHkMXhUHMj7MJNz7W\n6I/ehY+h+VkvTj7P6U3icEoLsTqOwKiHFiAVKD9DiUZqRI62nmbMW2il1zgF3pOZ\nQNrDGhNsaVfhJbIES3/vuF/qSQIm6GryQ1dwxbFBszemdHTGEQmANsxLLXWnPDH1\n2KigZh5bkSlQZvJRHgbJp+LdM+DSY7VI1KtwTIkpwFZ2/kbz+kMGGT+TQplSORyL\nIY9SK1aQduWBx2yi3X7/wPXVdV7KA1cMCPhSt8fVieYxZWtONALBuCdnSSEweIEq\nmyd2GD75QIHjZy7JZoVc421kCjH4IrXxuwEQDkHjKTladjdklOREEocAc8R+NjSS\nkUKdS2cOel6M2yjH/ieOv3DVaUPplgl+0KJGXqAhdkCQUwTMsw1tmR/ObWkCHQov\nk79Isubwc5kuQD/iBCuIQM8TgfNcyWXNAyHbpKR7kGkrn/ihN7dsCdvRjrMPrvRJ\nx/PLd3rjlgS5D1cEf7PTZZjym4mwDPrKgamSt9V3f3RwFwV75vY=\n=je4v\n-----END PGP SIGNATURE-----\n. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n=====================================================================\n Red Hat Security Advisory\n\nSynopsis: Important: Red Hat support for Spring Boot 2.1.12 security and bug fix update\nAdvisory ID: RHSA-2020:2366-01\nProduct: Red Hat OpenShift Application Runtimes\nAdvisory URL: https://access.redhat.com/errata/RHSA-2020:2366\nIssue date: 2020-06-04\nCVE Names: CVE-2019-0199 CVE-2019-3868 CVE-2019-3875 \n CVE-2019-10199 CVE-2019-10201 CVE-2019-14832 \n=====================================================================\n\n1. 
Summary:\n\nAn update is now available for Red Hat OpenShift Application Runtimes. \n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section. \n\n[NOTE: This security advisory was unintentionally omitted at the time of\nthe initial software release on 2020-02-18. The advisory is informational\nonly; no files in the release have changed.]\n\n2. Description:\n\nRed Hat support for Spring Boot provides an application platform that\nreduces the complexity of developing and operating applications (monoliths\nand microservices) for OpenShift as a containerized platform. \n\nThis release of Red Hat support for Spring Boot 2.1.12 serves as a\nreplacement for Red Hat support for Spring Boot 2.1.6, and includes\nsecurity and bug fixes and enhancements. For further information, refer to\nthe release notes linked to in the References section. \n\nSecurity Fix(es):\n\n* tomcat: Apache Tomcat HTTP/2 DoS (CVE-2019-0199)\n\n* keycloak: SAML broker does not check existence of signature on document\nallowing any user impersonation (CVE-2019-10201)\n\n* keycloak: session hijack using the user access token (CVE-2019-3868)\n\n* keycloak: missing signatures validation on CRL used to verify client\ncertificates (CVE-2019-3875)\n\n* keycloak: CSRF check missing in My Resources functionality in the Account\nConsole (CVE-2019-10199)\n\n* keycloak: cross-realm user access auth bypass (CVE-2019-14832)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\n3. Solution:\n\nBefore applying the update, back up your existing installation, including\nall applications, configuration files, databases and database settings, and\nso on. 
\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update). \n\n4. Bugs fixed (https://bugzilla.redhat.com/):\n\n1679144 - CVE-2019-3868 keycloak: session hijack using the user access token\n1690628 - CVE-2019-3875 keycloak: missing signatures validation on CRL used to verify client certificates\n1693325 - CVE-2019-0199 tomcat: Apache Tomcat HTTP/2 DoS\n1728609 - CVE-2019-10201 keycloak: SAML broker does not check existence of signature on document allowing any user impersonation\n1729261 - CVE-2019-10199 keycloak: CSRF check missing in My Resources functionality in the Account Console\n1749487 - CVE-2019-14832 keycloak: cross-realm user access auth bypass\n\n5. References:\n\nhttps://access.redhat.com/security/cve/CVE-2019-0199\nhttps://access.redhat.com/security/cve/CVE-2019-3868\nhttps://access.redhat.com/security/cve/CVE-2019-3875\nhttps://access.redhat.com/security/cve/CVE-2019-10199\nhttps://access.redhat.com/security/cve/CVE-2019-10201\nhttps://access.redhat.com/security/cve/CVE-2019-14832\nhttps://access.redhat.com/security/updates/classification/#important\nhttps://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=catRhoar.spring.boot\u0026downloadType=distributions\u0026version=2.1.12\nhttps://access.redhat.com/documentation/en-us/red_hat_support_for_spring_boot/2.1/html-single/release_notes_for_spring_boot_2.1/\n\n6. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2020 Red Hat, Inc. 
\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBXtjx9tzjgjWX9erEAQhFOA//Tkk46vAF4/aJiKVApEHvF5R96081W2Hq\nG96k3lUPuatTrcD/2yek9whs1Bf9MQgWcaFWCgx63nsNs6Mm81frsR/dt4YV8mWc\n97y4u6kz6nvQQ6Wz6Xuic9km17/yXuNl5JqgmcLtltgNhtWgZhpQUKfbP3ot0T2X\nFStJvnZlPrgDnpnVZ8y6x++otaDfbXGiy2FyGepXei8WWxXtQ/XYPoQC/mYbuXgM\neUNsFLEyY9hWLCE4vfavLCM4fHs+djrL2E6N431JhpLyCrbTx0nYkaMkoOoJlLe2\nagJjBzd5iYnBbD6p9K5okIWR1U2gNsdV6Q7UROTLiEFoxBOr1hO1mzqYkJ80t1Pm\nd48N7OuQ4MhYgiKftVDmsVgXuQzySUrjZWnZZnDbVZo02gwD8T1NXgq9zCX64/sl\nucKvbDnnmLDYQYsKRCjf1aH1ZDrrPOPIOkTbMlb4+Wqc/O8jrRfzvya0ym9wnN8v\nCG3VmxPBPeNgp6/pmTBrJU9c+dER9qmavAB77Vl09dH88V9Ne4GLiVfqSVOEhY1w\nvwZo31fNXNYFYT/NV2v9CiZwrRcsqn60VH0E4Qc+zTOb5esR7bIidcBMGtPm+BI0\n80uR7D6DwjVmZsfzwakCIiGMaChysonql+P72iOd2Xerj7osdvMSEQHSVSjuILh7\nwiv1ksQVw/s=\n=pUHq\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n", "sources": [ { "db": "NVD", "id": "CVE-2019-0199" }, { "db": "JVNDB", "id": "JVNDB-2019-003375" }, { "db": "CNVD", "id": "CNVD-2019-15086" }, { "db": "BID", "id": "107674" }, { "db": "VULMON", "id": "CVE-2019-0199" }, { "db": "PACKETSTORM", "id": "155792" }, { "db": "PACKETSTORM", "id": "157964" } ], "trust": 2.7 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2019-0199", "trust": 3.6 }, { "db": "BID", "id": "107674", "trust": 1.9 }, { "db": "JVNDB", "id": "JVNDB-2019-003375", "trust": 0.8 }, { "db": "PACKETSTORM", "id": "155792", "trust": 0.7 }, { "db": "PACKETSTORM", "id": "157964", "trust": 0.7 }, { "db": "CNVD", "id": "CNVD-2019-15086", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2019.2230", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2019.1958", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2019.0980", 
"trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2019.4405", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2020.0014", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2019.2295", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2019.1966", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2020.1983", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-201903-919", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2019-0199", "trust": 0.1 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2019-15086" }, { "db": "VULMON", "id": "CVE-2019-0199" }, { "db": "BID", "id": "107674" }, { "db": "JVNDB", "id": "JVNDB-2019-003375" }, { "db": "PACKETSTORM", "id": "155792" }, { "db": "PACKETSTORM", "id": "157964" }, { "db": "CNNVD", "id": "CNNVD-201903-919" }, { "db": "NVD", "id": "CVE-2019-0199" } ] }, "id": "VAR-201904-1069", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "CNVD", "id": "CNVD-2019-15086" } ], "trust": 0.06 }, "iot_taxonomy": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "category": [ "Network device" ], "sub_category": null, "trust": 0.6 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2019-15086" } ] }, "last_update_date": "2024-11-23T19:55:11.837000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "svn commit: r1857582 [18/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/", "trust": 0.8, "url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E" }, { "title": "svn commit: r1857582 [19/22] 
- in /tomcat/site/trunk: docs/ xdocs/stylesheets/", "trust": 0.8, "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E" }, { "title": "svn commit: r1857494 [17/20] - in /tomcat/site/trunk: ./ docs/ xdocs/", "trust": 0.8, "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E" }, { "title": "[SECURITY] CVE-2019-0199 Apache Tomcat HTTP/2 DoS", "trust": 0.8, "url": "https://lists.apache.org/thread.html/e1b0b273b6e8ddcc72c9023bc2394b1276fc72664144bf21d0a87995@%3Cannounce.tomcat.apache.org%3E" }, { "title": "svn commit: r1857496 [3/4] - in /tomcat/site/trunk: ./ docs/ xdocs/", "trust": 0.8, "url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E" }, { "title": "Patch for ApacheTomcat Resource Management Error Vulnerability (CNVD-2019-15086)", "trust": 0.6, "url": "https://www.cnvd.org.cn/patchInfo/show/161993" }, { "title": "Apache Tomcat Security vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=90371" }, { "title": "Debian CVElist Bug Report Logs: tomcat9: CVE-2019-10072", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=7966741ad75ea9ed4ce251ef47c32196" }, { "title": "Ubuntu Security Notice: tomcat9 vulnerabilities", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=USN-4128-2" }, { "title": "Ubuntu Security Notice: tomcat8 vulnerabilities", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=USN-4128-1" }, { "title": "Red Hat: Moderate: Red Hat JBoss Web Server 5.2 security release", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20193929 - Security Advisory" }, { "title": "Amazon Linux AMI: ALAS-2019-1234", "trust": 
0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=ALAS-2019-1234" }, { "title": "IBM: Security Bulletin: CVE-2019-10072", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=4cfa73e64dc3855ace71ce18bac6fba2" }, { "title": "IBM: IBM Security Bulletin: Apache Tomcat as used in IBM QRadar SIEM is vulnerable to denial of service (CVE-2019-0199)", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=2579e74a8148d49567b550a034c8f808" }, { "title": "Amazon Linux AMI: ALAS-2019-1208", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=ALAS-2019-1208" }, { "title": "IBM: IBM Security Bulletin: IBM WebSphere Cast Iron Solution \u0026 App Connect Professional is affected by Apache Tomcat vulnerabilities.", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=6a3950e54c50353235e3e8004916f871" }, { "title": "Red Hat: Moderate: Red Hat JBoss Web Server 5.2 security release", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20193931 - Security Advisory" }, { "title": "Debian Security Advisories: DSA-4596-1 tomcat8 -- security update", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories\u0026qid=4cb7c55b01cbf593c9c3969d59695c8a" }, { "title": "tool", "trust": 0.1, "url": "https://github.com/Mal-lol-git/tool " }, { "title": "AwareIM-resources", "trust": 0.1, "url": "https://github.com/RennurApps/AwareIM-resources " }, { "title": "cybsec", "trust": 0.1, "url": "https://github.com/ilmari666/cybsec " }, { "title": "cybersecuritybase-project", "trust": 0.1, "url": "https://github.com/mikademo/cybersecuritybase-project " } ], "sources": [ { "db": "CNVD", "id": "CNVD-2019-15086" }, { "db": "VULMON", "id": "CVE-2019-0199" }, { "db": "JVNDB", "id": "JVNDB-2019-003375" }, { "db": "CNNVD", "id": "CNNVD-201903-919" } ] }, 
"problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-400", "trust": 1.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2019-003375" }, { "db": "NVD", "id": "CVE-2019-0199" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.2, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-0199" }, { "trust": 1.9, "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" }, { "trust": 1.7, "url": "https://security.netapp.com/advisory/ntap-20190419-0001/" }, { "trust": 1.6, "url": "https://access.redhat.com/errata/rhsa-2019:3931" }, { "trust": 1.6, "url": "https://access.redhat.com/errata/rhsa-2019:3929" }, { "trust": 1.6, "url": "https://www.debian.org/security/2019/dsa-4596" }, { "trust": 1.6, "url": "http://www.securityfocus.com/bid/107674" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/df1a2c1b87c8a6c500ecdbbaf134c7f1491c8d79d98b48c6b9f0fa6a%40%3cannounce.tomcat.apache.org%3e" }, { "trust": 1.0, "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00090.html" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/9fe25f98bac6d66f8a663a15c37a98bc2d8f8bbed1d408791a3e4067%40%3cusers.tomcat.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/nphqel5aq6lzszd2y6tyz4rc3wi7nxj3/" }, { "trust": 1.0, "url": "https://www.oracle.com/security-alerts/cpujan2020.html" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/4c438fa4c78cb1ce8979077f668ab7145baf83e7c59f2faf7eccf094%40%3cdev.tomcat.apache.org%3e" }, { "trust": 1.0, "url": 
"https://lists.apache.org/thread.html/e1b0b273b6e8ddcc72c9023bc2394b1276fc72664144bf21d0a87995%40%3cannounce.tomcat.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3cdev.tomcat.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3cdev.tomcat.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/7bb193bc68b28d21ff1c726fd38bea164deb6333b59eec2eb3661da6%40%3cusers.tomcat.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/zqtz5bj5f4kv6n53sgnksw3uy5dbiq46/" }, { "trust": 1.0, "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "trust": 1.0, "url": "https://seclists.org/bugtraq/2019/dec/43" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3cdev.tomcat.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/158ab719cf60448ddbb074798f09152fdb572fc8f781e70a56118d1a%40%3cdev.tomcat.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/a7a201bd23e67fd3326c9b22b814dd0537d3270b3b54a768e2e7ef50%40%3cdev.tomcat.apache.org%3e" }, { "trust": 1.0, "url": "https://support.f5.com/csp/article/k17321505" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3cdev.tomcat.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3cdev.tomcat.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3cdev.tomcat.apache.org%3e" }, { "trust": 1.0, "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00054.html" }, { 
"trust": 1.0, "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00013.html" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3cdev.tomcat.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/ac0185ce240a711b542a55bccf9349ab0c2f343d70cf7835e08fabc9%40%3cannounce.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/e87733036e8c84ea648cdcdca3098f3c8a897e2652c33062b2b1535c%40%3cusers.tomcat.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/cf4eb2bd2083cebb3602a293c653f9a7faa96c86f672c876f25b37ef%40%3cannounce.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/e56886e1bac9319ecce81b3612dd7a1a43174a3a741a1c805e16880e%40%3ccommits.tomee.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/dddb3590bac28fbe89f69f5ccbe26283d014ddc691abdd042de14600%40%3cannounce.tomcat.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3cdev.tomcat.apache.org%3e" }, { "trust": 0.9, "url": "http://tomcat.apache.org/security-8.html" }, { "trust": 0.9, "url": "http://tomcat.apache.org/security-9.html" }, { "trust": 0.9, "url": "http://tomcat.apache.org/" }, { "trust": 0.8, "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-0199" }, { "trust": 0.7, "url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3cdev.tomcat.apache.org%3e" }, { "trust": 0.7, "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3cdev.tomcat.apache.org%3e" }, { "trust": 0.7, "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3cdev.tomcat.apache.org%3e" }, { "trust": 0.7, "url": 
"https://lists.apache.org/thread.html/e1b0b273b6e8ddcc72c9023bc2394b1276fc72664144bf21d0a87995@%3cannounce.tomcat.apache.org%3e" }, { "trust": 0.7, "url": "https://lists.apache.org/thread.html/e56886e1bac9319ecce81b3612dd7a1a43174a3a741a1c805e16880e@%3ccommits.tomee.apache.org%3e" }, { "trust": 0.7, "url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3cdev.tomcat.apache.org%3e" }, { "trust": 0.6, "url": "https://www.mail-archive.com/dev" }, { "trust": 0.6, "url": "http://www.ibm.com/support/docview.wss?uid=ibm10886317" }, { "trust": 0.6, "url": "https://www.mail-archive.com/users@tomcat.apache.org/msg132248.html" }, { "trust": 0.6, "url": "http://www.ibm.com/support/docview.wss?uid=ibm10885114" }, { "trust": 0.6, "url": "https://www.suse.com/support/update/announcement/2019/suse-su-20191693-1.html" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2019.4405/" }, { "trust": 0.6, "url": "https://packetstormsecurity.com/files/155792/debian-security-advisory-4596-1.html" }, { "trust": 0.6, "url": "https://www-01.ibm.com/support/docview.wss?uid=ibm10886317" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2019.2230/" }, { "trust": 0.6, "url": "https://vigilance.fr/vulnerability/apache-tomcat-denial-of-service-via-http-2-frames-28842" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2020.0014/" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2019.2295/" }, { "trust": 0.6, "url": "https://packetstormsecurity.com/files/157964/red-hat-security-advisory-2020-2366-01.html" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2019.1958/" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/77766" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2019.1966/" }, { "trust": 0.6, "url": "http-2-implementation-in-embded-apache-tomcat-denial-of-service-vulnerability/" }, { "trust": 0.6, "url": 
"https://www.ibm.com/blogs/psirt/security-bulletin-cve-2019-0199-the-" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2020.1983/" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/400.html" }, { "trust": 0.1, "url": "https://www.rapid7.com/db/vulnerabilities/apache-tomcat-cve-2019-0199" }, { "trust": 0.1, "url": "https://nvd.nist.gov" }, { "trust": 0.1, "url": "https://usn.ubuntu.com/4128-2/" }, { "trust": 0.1, "url": "https://tools.cisco.com/security/center/viewalert.x?alertid=59989" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-17563" }, { "trust": 0.1, "url": "https://www.debian.org/security/faq" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2018-8014" }, { "trust": 0.1, "url": "https://www.debian.org/security/" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-0221" }, { "trust": 0.1, "url": "https://security-tracker.debian.org/tracker/tomcat8" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-12418" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2018-11784" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-3875" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-14832" }, { "trust": 0.1, "url": "https://access.redhat.com/security/updates/classification/#important" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-10201" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2020:2366" }, { "trust": 0.1, "url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=catrhoar.spring.boot\u0026downloadtype=distributions\u0026version=2.1.12" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-3868" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-0199" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-10201" }, { "trust": 0.1, "url": 
"https://nvd.nist.gov/vuln/detail/cve-2019-3875" }, { "trust": 0.1, "url": "https://access.redhat.com/security/team/contact/" }, { "trust": 0.1, "url": "https://www.redhat.com/mailman/listinfo/rhsa-announce" }, { "trust": 0.1, "url": "https://bugzilla.redhat.com/):" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-3868" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-14832" }, { "trust": 0.1, "url": "https://access.redhat.com/documentation/en-us/red_hat_support_for_spring_boot/2.1/html-single/release_notes_for_spring_boot_2.1/" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-10199" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-10199" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2019-15086" }, { "db": "VULMON", "id": "CVE-2019-0199" }, { "db": "BID", "id": "107674" }, { "db": "JVNDB", "id": "JVNDB-2019-003375" }, { "db": "PACKETSTORM", "id": "155792" }, { "db": "PACKETSTORM", "id": "157964" }, { "db": "CNNVD", "id": "CNNVD-201903-919" }, { "db": "NVD", "id": "CVE-2019-0199" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "CNVD", "id": "CNVD-2019-15086" }, { "db": "VULMON", "id": "CVE-2019-0199" }, { "db": "BID", "id": "107674" }, { "db": "JVNDB", "id": "JVNDB-2019-003375" }, { "db": "PACKETSTORM", "id": "155792" }, { "db": "PACKETSTORM", "id": "157964" }, { "db": "CNNVD", "id": "CNNVD-201903-919" }, { "db": "NVD", "id": "CVE-2019-0199" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2019-05-23T00:00:00", "db": "CNVD", "id": "CNVD-2019-15086" }, { "date": "2019-04-10T00:00:00", "db": "VULMON", "id": "CVE-2019-0199" }, { "date": "2019-02-08T00:00:00", "db": "BID", "id": "107674" }, { "date": "2019-05-15T00:00:00", "db": "JVNDB", "id": "JVNDB-2019-003375" }, { "date": 
"2019-12-30T18:38:42", "db": "PACKETSTORM", "id": "155792" }, { "date": "2020-06-05T18:32:22", "db": "PACKETSTORM", "id": "157964" }, { "date": "2019-03-25T00:00:00", "db": "CNNVD", "id": "CNNVD-201903-919" }, { "date": "2019-04-10T15:29:00.390000", "db": "NVD", "id": "CVE-2019-0199" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2019-05-23T00:00:00", "db": "CNVD", "id": "CNVD-2019-15086" }, { "date": "2019-05-28T00:00:00", "db": "VULMON", "id": "CVE-2019-0199" }, { "date": "2019-07-17T09:00:00", "db": "BID", "id": "107674" }, { "date": "2019-05-15T00:00:00", "db": "JVNDB", "id": "JVNDB-2019-003375" }, { "date": "2020-06-09T00:00:00", "db": "CNNVD", "id": "CNNVD-201903-919" }, { "date": "2024-11-21T04:16:28.177000", "db": "NVD", "id": "CVE-2019-0199" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-201903-919" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Apache Tomcat Vulnerable to resource exhaustion", "sources": [ { "db": "JVNDB", "id": "JVNDB-2019-003375" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "resource management error", "sources": [ { "db": "CNNVD", "id": "CNNVD-201903-919" } ], "trust": 0.6 } }
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.