CVE-2019-9511

CWE-400 — Uncontrolled Resource Consumption CWE-770 — Allocation without Limits25 documents10 sources

Severity

7.5HIGH

EPSS

13.9%

top 5.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

F5 Nginx Mcafee WEB Gateway Nodejs Node.js +15 more

Timeline

PublishedAug 13

Latest updateMay 7

Description

Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages18 packages

▶Debiannghttp2< 1.39.2-1+3

▶Ubuntunghttp2< 1.40.0-1ubuntu0.3+4

▶NVDapache/traffic_server6.0.0 — 6.2.3+2

▶NVDredhat/jboss_core_services1.0

▶NVDredhat/openshift_service_mesh1.0

Also affects: Debian Linux 10.0, 9.0, Fedora 29, 30, Ubuntu Linux 16.04, 18.04, 19.04, Enterprise Linux 8.0

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

nghttp2 vulnerability↗2024-05-07

▶

OSV

nghttp2 vulnerabilities↗2024-04-25

▶

GHSA

GHSA-89fc-749h-w2fj: Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of serv↗2022-05-24

▶

OSV

CVE-2019-9511: Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of serv↗2019-08-13

▶

CVEList

Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service↗2019-08-13

▶

📋Vendor Advisories

Ubuntu

nghttp2 vulnerabilities↗2024-04-25

▶

Ubuntu

nginx vulnerabilities↗2019-08-15

▶

Red Hat

HTTP/2: large amount of data requests leads to denial of service↗2019-08-13

▶

Microsoft

HTTP/2 Server Denial of Service Vulnerability↗2019-08-13

▶

Debian

CVE-2019-9511: nghttp2 - Some HTTP/2 implementations are vulnerable to window size manipulation and strea...↗2019

▶

💬Community

Bugzilla

EPEL7 nginx package contains multiple CVEs↗2019-09-10

▶

Bugzilla

CVE-2019-9511 undertow: HTTP/2: large amount of data requests leads to denial of service [fedora-all]↗2019-09-03

▶

Bugzilla

CVE-2019-9511 nghttp2: HTTP/2: large amount of data request leads to denial of service [epel-all]↗2019-08-22

▶

Bugzilla

CVE-2019-9511 nghttp2: HTTP/2: large amount of data request leads to denial of service [fedora-all]↗2019-08-22

▶

Bugzilla

CVE-2019-9511 nodejs: HTTP/2: large amount of data request leads to denial of service [fedora-all]↗2019-08-16

▶