CVE-2019-10079: Apache Traffic Server is vulnerable to HTTP/2 setting flood attacks. Earlier versions of Apache Traffic Server didn't limit the number of setting frames sent…

high7.5CVSS 3.1

AVNACLPRNUINSUCNINAH

Apache Traffic Server is vulnerable to HTTP/2 setting flood attacks. Earlier versions of Apache Traffic Server didn't limit the number of setting frames sent from the client using the HTTP/2 protocol. Users should upgrade to Apache Traffic Server 7.1.7, 8.0.4, or later versions.

Affected

3 ranges

Vendor	Product	Version range	Fixed in
apache	traffic_server	< 7.1.7	7.1.7
apache	traffic_server	>= 8.0.0 < 8.0.4	8.0.4
debian	trafficserver	< trafficserver 8.0.5+ds-1 (bookworm)	trafficserver 8.0.5+ds-1 (bookworm)

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

osv7.5HIGH