CVE-2018-16844

CWE-400Uncontrolled Resource Consumption12 documents9 sources
Severity
7.5HIGH
EPSS
10.9%
top 6.62%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
Apple XcodeF5 Nginx[unknown] Nginx+2 more
Timeline
PublishedNov 7
Latest updateMay 13

Description

nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive CPU usage. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuration file.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

NVDf5/nginx1.9.51.14.1+1
Debiannginx< 1.14.1-1+3
CVEListV5[unknown]/nginx1.14.1, 1.15.6+1
NVDapple/xcode< 13.0

Also affects: Debian Linux 9.0, Ubuntu Linux 14.04, 16.04, 18.04, 18.10

🔴Vulnerability Details

4
GHSA
GHSA-4576-cf38-77f2: nginx before versions 12022-05-13
CVEList
CVE-2018-16844: nginx before versions 12018-11-07
OSV
CVE-2018-16844: nginx before versions 12018-11-07
OSV
nginx vulnerabilities2018-11-07

📋Vendor Advisories

4
Apple
CVE-2018-16844: Xcode 132021-09-20
Ubuntu
nginx vulnerabilities2018-11-07
Red Hat
nginx: Excessive CPU usage via flaw in HTTP/2 implementation2018-11-06
Debian
CVE-2018-16844: nginx - nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementatio...2018

💬Community

3
Bugzilla
CVE-2018-16844 nginx: Excessive CPU usage via flaw in HTTP/2 implementation [epel-all]2018-11-07
Bugzilla
CVE-2018-16844 nginx: Excessive CPU usage via flaw in HTTP/2 implementation [fedora-all]2018-11-07
Bugzilla
CVE-2018-16844 nginx: Excessive CPU usage via flaw in HTTP/2 implementation2018-10-31