CVE-2017-5650
Published Apr 17, 2017
Last updated a year ago
Overview
- Description
- In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting for a WINDOW_UPDATE before allowing the application to write more data. These waiting streams each consumed a thread. A malicious client could therefore construct a series of HTTP/2 requests that would consume all available processing threads.
- Source
- security@apache.org
- NVD status
- Modified
Social media
- Hype score
- Not currently trending
Risk scores
CVSS 3.0
- Type
- Primary
- Base score
- 7.5
- Impact score
- 3.6
- Exploitability score
- 3.9
- Vector string
- CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Severity
- HIGH
CVSS 2.0
- Type
- Primary
- Base score
- 5
- Impact score
- 2.9
- Exploitability score
- 10
- Vector string
- AV:N/AC:L/Au:N/C:N/I:N/A:P
Weaknesses
- nvd@nist.gov
- CWE-404
Configurations
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "69A7FC28-A0EC-4516-9776-700343D2F4DB"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.1:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "18814653-6D44-47D9-A2F5-89C5AFB255F8"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.2:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "D4D811A9-4988-4C11-AA27-F5BE2B93D8D4"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.3:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "FAEF824D-7E95-4BC1-8DBB-787DCE595E21"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.4:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "97F4A2B3-DB1D-4D0B-B5FF-7EE2A0D291BB"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.5:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "0B461D5A-1208-498F-B551-46C6D514AC2B"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.6:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "598E5D91-0165-4D55-9EDD-EBB5AAAD1172"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.7:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "4B6B61B7-09A3-41C8-8333-0417C14CC87E"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.8:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "95A139BA-CD3C-42F5-88BA-BE7BE58246D7"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.9:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "876EADA5-60AD-4849-BE10-61C75AA75053"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.10:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "1814F8DE-2060-411F-9FCC-6EC42AF5663D"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.11:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "1AF6DBF7-BB0A-4AE6-84DA-51428ACF47CD"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.12:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "A34F72ED-04FE-4EDE-BB18-BE8B1E99EEF1"
}
],
"operator": "OR"
}
]
},
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "9D0689FE-4BC0-4F53-8C79-34B21F9B86C2"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "89B129B2-FB6F-4EF9-BF12-E589A87996CF"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "8B6787B6-54A8-475E-BA1C-AB99334B2535"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "EABB6FBC-7486-44D5-A6AD-FFF1D3F677E1"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "E10C03BC-EE6B-45B2-83AE-9E8DFB58D7DB"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "8A6DA0BE-908C-4DA8-A191-A0113235E99A"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "39029C72-28B4-46A4-BFF5-EC822CFB2A4C"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "1A2E05A3-014F-4C4D-81E5-88E725FBD6AD"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "166C533C-0833-41D5-99B6-17A4FAB3CAF0"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "D3768C60-21FA-4B92-B98C-C3A2602D1BC4"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "9F542E12-6BA8-4504-A494-DA83E7E19BD5"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "C0C5F004-F7D8-45DB-B173-351C50B0EC16"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "D1902D2E-1896-4D3D-9E1C-3A675255072C"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "49AAF4DF-F61D-47A8-8788-A21E317A145D"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "454211D0-60A2-4661-AECA-4C0121413FEB"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "0686F977-889F-4960-8E0B-7784B73A7F2D"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "558703AE-DB5E-4DFF-B497-C36694DD7B24"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "ED6273F2-1165-47A4-8DD7-9E9B2472941B"
}
],
"operator": "OR"
}
]
}
]