CVE-2019-0197: A vulnerability was found in Apache HTTP Server 2.4.34 to 2.4.38. When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2 on a https: host, an…

medium4.2CVSS 3.1

AVNACHPRLUINSUCNILAL

A vulnerability was found in Apache HTTP Server 2.4.34 to 2.4.38. When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2 on a https: host, an Upgrade request from http/1.1 to http/2 that was not the first request on a connection could lead to a misconfiguration and crash. Server that never enabled the h2 protocol or that only enabled it for https: and did not set "H2Upgrade on" are unaffected by this issue.

Affected

26 ranges· showing 25

Vendor	Product	Version range	Fixed in
apache	http_server	2.4.34 – 2.4.38	—
apache_software_foundation	apache_http_server	—	—
canonical	ubuntu_linux	—	—
canonical	ubuntu_linux	—	—
canonical	ubuntu_linux	—	—
debian	apache2	< apache2 2.4.38-3 (bookworm)	apache2 2.4.38-3 (bookworm)
fedoraproject	fedora	—	—
opensuse	leap	—	—
opensuse	leap	—	—
oracle	communications_session_report_manager	—	—
oracle	communications_session_report_manager	—	—
oracle	communications_session_report_manager	—	—
oracle	communications_session_report_manager	—	—
oracle	communications_session_route_manager	—	—
oracle	communications_session_route_manager	—	—
oracle	communications_session_route_manager	—	—
oracle	communications_session_route_manager	—	—
oracle	enterprise_manager_ops_center	—	—
oracle	enterprise_manager_ops_center	—	—
oracle	http_server	—	—
oracle	instantis_enterprisetrack	—	—
oracle	instantis_enterprisetrack	—	—
oracle	instantis_enterprisetrack	—	—
oracle	retail_xstore_point_of_service	—	—
oracle	retail_xstore_point_of_service	—	—

CVSS provenance

nvdv3.14.2MEDIUMCVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L

osv4.2MEDIUM