CVE-2018-11763

Severity
5.9 MEDIUM
EPSS
17.4% (top 4.93%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Sep 25, 2018
Latest update: May 13

Description

In Apache HTTP Server 2.4.17 to 2.4.34, a client that sends a continuous stream of large SETTINGS frames can occupy a connection, a server thread and CPU time for as long as it keeps sending, because no connection timeout takes effect while the frames keep arriving. Only HTTP/2 connections are affected. The issue is fixed in httpd 2.4.35; as an interim mitigation, do not enable the h2 protocol (leave h2 and h2c out of the Protocols directive).
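The check a practitioner runs when triaging this CVE, written here as an added example and not taken from the advisory or from the httpd project: it tests a version string against the affected range 2.4.17 to 2.4.34 given in the description, and scans a configuration for an uncommented Protocols directive listing h2 or h2c, which is how HTTP/2 is enabled in httpd. The sample configurations are constructed for the example, and the version ordering assumes GNU sort with the -V option.

```shell
#!/bin/sh
# Added audit script for CVE-2018-11763 (example code, not from the advisory
# or the httpd project). Two checks: is the httpd version inside the affected
# range 2.4.17..2.4.34 from the description, and does the configuration
# enable HTTP/2 at all (the description's mitigation is to leave h2 disabled)?
# Assumes GNU sort(1) with -V for natural version ordering.

# Return 0 when version $1 satisfies 2.4.17 <= $1 <= 2.4.34, else 1.
version_in_affected_range() {
    [ -n "$1" ] || return 1
    lo="2.4.17"
    hi="2.4.34"
    sorted=$(printf '%s\n%s\n%s\n' "$lo" "$hi" "$1" | sort -V)
    first=$(printf '%s\n' "$sorted" | head -n 1)
    last=$(printf '%s\n' "$sorted" | tail -n 1)
    # $1 lies inside the range exactly when it neither displaces lo from the
    # front nor hi from the back of the sorted triple.
    if [ "$first" = "$lo" ] && [ "$last" = "$hi" ]; then
        return 0
    fi
    return 1
}

# Return 0 when the httpd configuration text on stdin has an uncommented
# Protocols directive listing h2 (HTTP/2 over TLS) or h2c (cleartext HTTP/2).
# Commented lines start with '#' and so fail the first grep; the second grep
# matches h2/h2c only as a whole token, not as part of e.g. "http/1.1".
config_enables_h2() {
    grep -Ei '^[[:space:]]*Protocols[[:space:]]' \
        | grep -Eiq '(^|[[:space:]])h2c?([[:space:]]|$)'
}

# Combine both checks into one verdict token (printed on stdout, exit 0):
#   NOT_AFFECTED  version outside 2.4.17..2.4.34
#   MITIGATED     affected version, but HTTP/2 is not enabled
#   VULNERABLE    affected version with h2 or h2c enabled
audit_verdict() {  # $1 = httpd version string, $2 = configuration text
    if ! version_in_affected_range "$1"; then
        echo "NOT_AFFECTED"
    elif printf '%s\n' "$2" | config_enables_h2; then
        echo "VULNERABLE"
    else
        echo "MITIGATED"
    fi
}

# Constructed sample configurations (not copied from any real host).
# Protocols is the real httpd directive that turns h2/h2c on per vhost.
VULNERABLE_CONF='
LoadModule http2_module modules/mod_http2.so
<VirtualHost *:443>
    Protocols h2 http/1.1
</VirtualHost>
'
HARDENED_CONF='
LoadModule http2_module modules/mod_http2.so
# HTTP/2 left disabled as the interim mitigation for CVE-2018-11763
#Protocols h2 http/1.1
<VirtualHost *:443>
    Protocols http/1.1
</VirtualHost>
'

# Demo run over the constructed inputs.
for v in 2.4.16 2.4.34 2.4.35; do
    echo "httpd $v, Protocols h2:       $(audit_verdict "$v" "$VULNERABLE_CONF")"
    echo "httpd $v, Protocols http/1.1: $(audit_verdict "$v" "$HARDENED_CONF")"
done
```

On a real host, take the version from `httpd -v` (or `apache2ctl -v` on Debian and Ubuntu) and pipe the active configuration files (typically under /etc/httpd/ or /etc/apache2/, including any conf.d or sites-enabled fragments) into `config_enables_h2`. One caveat: distribution packages backport the fix without bumping the upstream 2.4.x number, so for the Debian, Ubuntu and Red Hat packages listed on this page the fixed package version in the vendor advisory is authoritative, not the upstream version string.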

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 2.2 | Impact: 3.6

Affected Packages (8 packages)

NVD: apache/http_server 2.4.17 to 2.4.34
Debian: apache2 < 2.4.35-1+3

Also affects: Ubuntu Linux 18.04, Red Hat Enterprise Linux 6.0, 7.0, 7.4, 7.5, 7.6

Patches

🔴 Vulnerability Details (5)

GHSA: GHSA-c8x9-mqh7-g47j: In Apache HTTP Server 2 (2022-05-13)
OSV: apache2 vulnerabilities (2018-10-03)
CVEList: CVE-2018-11763: In Apache HTTP Server 2 (2018-09-25)
OSV: CVE-2018-11763: In Apache HTTP Server 2 (2018-09-25)
VulnCheck: Apache HTTP Server SETTINGS Frames Vulnerability (2018)

📋 Vendor Advisories (4)

Ubuntu: Apache HTTP Server vulnerabilities (2018-10-03)
Red Hat: httpd: DoS for HTTP/2 connections by continuous SETTINGS frames (2018-09-25)
Debian: CVE-2018-11763: apache2 - In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS fr... (2018)
Apache: Apache httpd: CVE-2018-11763

💬 Community (2)

Bugzilla: CVE-2018-11763 mod_http2: httpd: DoS for HTTP/2 connections by continuous SETTINGS frames [fedora-all] (2018-09-26)
Bugzilla: CVE-2018-11763 httpd: DoS for HTTP/2 connections by continuous SETTINGS frames (2018-09-26)