CVE-2018-1333 — Uncontrolled Resource Consumption in Apache Http Server

CWE-400 — Uncontrolled Resource Consumption CWE-1333 — Regex Denial of Service21 documents10 sources

Severity

7.5HIGHNVD

OSV5.9

EPSS

9.9%

top 7.00%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Http Server Apache Software Foundation Apache Http Server Canonical Ubuntu Linux +1 more

Timeline

PublishedJun 18

Latest updateMay 23

Description

By specially crafting HTTP/2 requests, workers would be allocated 60 seconds longer than necessary, leading to worker exhaustion and a denial of service. Fixed in Apache HTTP Server 2.4.34 (Affected 2.4.18-2.4.30,2.4.33).

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDapache/http_server2.4.18 — 2.4.30+1

▶CVEListV5apache_software_foundation/apache_http_serverFixed in Apache HTTP Server 2.4.34 (Affected 2.4.18-2.4.30,2.4.33)

▶NVDredhat/jboss_core_services1.0

Also affects: Ubuntu Linux 18.04

🔴Vulnerability Details

GHSA

Marked allows Regular Expression Denial of Service (ReDoS) attacks↗2025-05-23

▶

GHSA

is-url Inefficient Regular Expression Complexity vulnerability↗2023-02-04

▶

GHSA

mel-spintax has Inefficient Regular Expression Complexity↗2023-01-18

▶

GHSA

skeemas Inefficient Regular Expression Complexity vulnerability↗2023-01-11

▶

GHSA

rgb2hex vulnerable to inefficient regular expression complexity↗2022-12-31

▶

📋Vendor Advisories

Red Hat

is-url: inefficient regular expression complexity↗2023-02-04

▶

Ubuntu

Apache HTTP Server vulnerabilities↗2018-10-03

▶

Red Hat

httpd: mod_http2: Too much time allocated to workers, possibly leading to DoS↗2018-07-18

▶

Red Hat

nodejs-braces: Regular Expression Denial of Service (ReDoS) in lib/parsers.js↗2018-02-19

▶

Debian

CVE-2018-1333: apache2 - By specially crafting HTTP/2 requests, workers would be allocated 60 seconds lon...↗2018

▶

💬Community

HackerOne

DoS for HTTP/2 connections by crafted requests (CVE-2018-1333)↗2018-10-28

▶

Bugzilla

CVE-2018-1333 httpd: mod_http2: too much time allocated to workers, possibly leading to DoS [fedora-all]↗2018-07-20

▶

Bugzilla

CVE-2018-1333 httpd: mod_http2: Too much time allocated to workers, possibly leading to DoS↗2018-07-20

▶