CVE-2019-9512
published 2019-08-13CVE-2019-9512: Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer…
high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
Affected
33 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | traffic_server | 6.0.0 – 6.2.3 | — |
| apache | traffic_server | 7.0.0 – 7.1.6 | — |
| apache | traffic_server | 8.0.0 – 8.0.3 | — |
| apple | swiftnio | 1.0.0 – 1.4.0 | — |
| apple | swiftnio_http_2 | — | — |
| debian | debian_linux | — | — |
| debian | h2o | < h2o 2.2.5+dfsg2-3 (bookworm) | h2o 2.2.5+dfsg2-3 (bookworm) |
| debian | trafficserver | < h2o 2.2.5+dfsg2-3 (bookworm) | h2o 2.2.5+dfsg2-3 (bookworm) |
| golang.org | x_net | >= 0 < 0.0.0-20190813141303-74dc4d7220e7 | 0.0.0-20190813141303-74dc4d7220e7 |
| h2o | h2o | >= 0 < 2.2.5+dfsg2-3 | 2.2.5+dfsg2-3 |
| h2o | h2o | >= 0 < 2.2.5+dfsg2-3 | 2.2.5+dfsg2-3 |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_10_version_1703 | — | — |
| msrc | windows_10_version_1709 | — | — |
| msrc | windows_10_version_1803 | — | — |
| msrc | windows_10_version_1809 | — | — |
| msrc | windows_10_version_1903 | — | — |
| msrc | windows_server_2016 | — | — |
| msrc | windows_server_2019 | — | — |
| msrc | windows_server_version_1709 | — | — |
| msrc | windows_server_version_1803 | — | — |
| msrc | windows_server_version_1903 | — | — |
| netty | netty | >= 0 < 1:4.1.7-4ubuntu0.1+esm1 | 1:4.1.7-4ubuntu0.1+esm1 |
| nodejs | node.js | 10.0.0 – 10.12.0 | — |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
ghsa7.5HIGH
osv7.5HIGH