Package details: pkg:rpm/redhat/jws5-tomcat-native@1.2.21-34.redhat_34?arch=el6jws
Next non-vulnerable version None.
Latest non-vulnerable version None.
Risk 10.0
Vulnerabilities affecting this package (6)
Vulnerability Summary Fixed by
VCID-39e3-jfbg-s3hk
Aliases:
CVE-2019-10072
GHSA-q4hg-rmq2-52q9
The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40. By not sending WINDOW_UPDATE messages for the connection window (stream 0), clients were able to cause server-side threads to block, eventually leading to thread exhaustion and a DoS. There are no reported fixed by versions.
VCID-4aaa-errb-2qdw
Aliases:
CVE-2019-0232
GHSA-8vmx-qmch-mpqg
When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disabled by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/). There are no reported fixed by versions.
VCID-5q23-97z3-ybhz
Aliases:
CVE-2019-1559
Multiple Information Disclosure vulnerabilities in OpenSSL allow attackers to obtain sensitive information. There are no reported fixed by versions.
VCID-arkn-bca7-hqam
Aliases:
CVE-2019-0221
GHSA-jjpq-gp5q-8q6w
The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website. There are no reported fixed by versions.
VCID-wbaq-j85q-y3c6
Aliases:
CVE-2019-0199
GHSA-qcxh-w3j9-58qr
The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS. There are no reported fixed by versions.
VCID-z3fb-nqcp-g3fq
Aliases:
CVE-2018-5407
Multiple Information Disclosure vulnerabilities in OpenSSL allow attackers to obtain sensitive information. There are no reported fixed by versions.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-01T14:21:45.324344+00:00 RedHat Importer Affected by VCID-z3fb-nqcp-g3fq https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-5407.json 38.0.0
2026-04-01T14:20:53.290398+00:00 RedHat Importer Affected by VCID-5q23-97z3-ybhz https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-1559.json 38.0.0
2026-04-01T14:20:42.215513+00:00 RedHat Importer Affected by VCID-wbaq-j85q-y3c6 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-0199.json 38.0.0
2026-04-01T14:20:16.661490+00:00 RedHat Importer Affected by VCID-4aaa-errb-2qdw https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-0232.json 38.0.0
2026-04-01T14:20:10.065799+00:00 RedHat Importer Affected by VCID-arkn-bca7-hqam https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-0221.json 38.0.0
2026-04-01T14:18:35.220888+00:00 RedHat Importer Affected by VCID-39e3-jfbg-s3hk https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-10072.json 38.0.0