Description
The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams carrying an excessive number of SETTINGS frames, and also allowed a client to keep streams open indefinitely without reading or writing any request or response data. A request served through the Servlet API's blocking I/O ties up a container thread until the client sends (or receives) the next chunk of data, so a client that holds many such streams open causes those threads to block. Once the thread pool is exhausted no further requests are processed, resulting in a denial of service.
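The mechanism above, as an added simulation (this is not Tomcat's code and not from the original page): a fixed pool of container threads, a servlet that reads its request body with blocking I/O, and an attacker who opens one stream per thread and never sends a DATA frame. The mitigation modelled is a per-stream read timeout that reclaims a parked thread; the `SettingsFrameBudget` class is a simplified, assumed model of penalising connections that send SETTINGS frames without making progress, not Tomcat's actual accounting. All stream IDs, bodies and thresholds are constructed for the example.

```python
import queue
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout
from dataclasses import dataclass, field


class StreamReadTimeout(Exception):
    """Raised when a stream delivers no DATA frame within the read timeout."""


@dataclass
class Stream:
    """One HTTP/2 stream; the client's DATA frames are queued here."""
    stream_id: int
    frames: queue.Queue = field(default_factory=queue.Queue)

    def deliver_data(self, chunk: bytes) -> None:
        """Client sends a DATA frame; b'' stands for END_STREAM."""
        self.frames.put(chunk)


def blocking_read(stream: Stream, read_timeout) -> bytes:
    """Model of ServletInputStream.read() on an HTTP/2 stream.

    read_timeout=None reproduces the vulnerable behaviour: the container
    thread waits indefinitely for the client to send the next DATA frame.
    """
    try:
        return stream.frames.get(timeout=read_timeout)
    except queue.Empty:
        raise StreamReadTimeout(stream.stream_id) from None


def handle_request(stream: Stream, read_timeout) -> bytes:
    """A servlet that consumes the whole request body with blocking I/O."""
    body = b""
    while True:
        chunk = blocking_read(stream, read_timeout)
        if chunk == b"":
            return body
        body += chunk


class Container:
    """Fixed pool of request-processing threads, like a servlet container."""

    def __init__(self, max_threads: int, stream_read_timeout=None):
        self.pool = ThreadPoolExecutor(max_workers=max_threads)
        self.stream_read_timeout = stream_read_timeout

    def dispatch(self, stream: Stream):
        return self.pool.submit(handle_request, stream, self.stream_read_timeout)


class SettingsFrameBudget:
    """Assumed per-connection guard against SETTINGS floods (not Tomcat's
    accounting): each SETTINGS frame costs one point, each DATA frame earns
    one back, and a connection over budget should be closed with GOAWAY."""

    def __init__(self, limit: int = 10):
        self.limit = limit
        self.overhead = 0

    def on_frame(self, frame_type: str) -> bool:
        """Return True if the connection may stay open after this frame."""
        if frame_type == "SETTINGS":
            self.overhead += 1
        elif frame_type == "DATA":
            self.overhead = max(0, self.overhead - 1)
        return self.overhead <= self.limit


def simulate(max_threads: int, stream_read_timeout=None, wait: float = 1.0) -> bool:
    """Attacker opens max_threads streams and never sends a body, then a
    legitimate client sends a complete request. Returns True if the
    legitimate request is served within `wait` seconds."""
    container = Container(max_threads, stream_read_timeout)
    stalled = [Stream(sid) for sid in range(1, 2 * max_threads, 2)]
    for s in stalled:
        container.dispatch(s)              # each one parks a container thread
    victim = Stream(stream_id=2 * max_threads + 1)
    victim.deliver_data(b"name=value")     # constructed request body
    victim.deliver_data(b"")               # END_STREAM: a complete request
    fut = container.dispatch(victim)
    try:
        served = fut.result(timeout=wait) == b"name=value"
    except FutureTimeout:
        served = False
    finally:
        for s in stalled:
            s.deliver_data(b"")            # release parked threads so shutdown returns
        container.pool.shutdown(wait=True)
    return served


if __name__ == "__main__":
    print("vulnerable (no stream read timeout):", simulate(4, None))   # False
    print("hardened (0.1 s stream read timeout):", simulate(4, 0.1))   # True
```

With no read timeout, four stalled streams are enough to stop a four-thread pool serving anyone; with a per-stream read timeout the parked threads raise and are returned to the pool, so the legitimate request completes. Note that the timeout has to apply per stream, not per connection: the attacker's connection is alive and sending SETTINGS frames, so a connection-level idle timeout never fires.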
Remediation
References