Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
CVE-2016-8740
Severity
7.5HIGH
EPSS
68.3%
top 1.40%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
Timeline
PublishedDec 5
Latest updateMay 13
Description
The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when the Protocols configuration includes h2 or h2c, does not restrict request-header length, which allows remote attackers to cause a denial of service (memory consumption) via crafted CONTINUATION frames in an HTTP/2 request.
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6
Affected Packages3 packages
Patches
🔴Vulnerability Details
3💥Exploits & PoCs
1📋Vendor Advisories
5Apple▶
CVE-2016-8740: macOS High Sierra 10.13.1, Security Update 2017-001 Sierra, and Security Update 2017-004 El Capitan↗2017-10-31
Apple▶
CVE-2016-8740: macOS Sierra 10.12.4, Security Update 2017-001 El Capitan, and Security Update 2017-001 Yosemite↗2017-03-27
Debian▶
CVE-2016-8740: apache2 - The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when the P...↗2016