CVE-2019-9514
CWE-400 — Uncontrolled Resource ConsumptionCWE-770 — Allocation without Limits29 documents11 sources
Severity
7.5HIGH
EPSS
9.5%
top 7.17%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedAug 13
Latest updateAug 1
Description
Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6
Affected Packages26 packages
Also affects: Openshift Container Platform 3.10, 3.11, 3.9, 4.1, 4.2, Debian Linux 10.0, 9.0, Fedora 29, 30, Ubuntu Linux 16.04, 18.04, 19.04, Enterprise Linux 8.0, 8.1
🔴Vulnerability Details
10🔍Detection Rules
1Suricata▶
ET DOS Possible Microsoft Windows HTTP2 Reset Flood Denial of Service Inbound (CVE-2019-9514)↗2021-10-04
📋Vendor Advisories
6💬Community
11Bugzilla▶
CVE-2019-9514 undertow: HTTP/2: flood using HEADERS frames results in unbounded memory growth [fedora-all]↗2019-09-03
Bugzilla▶
CVE-2019-9514 kubernetes: HTTP/2: flood using HEADERS frames results in unbounded memory growth [fedora-all]↗2019-08-26
Bugzilla▶
CVE-2019-9514 nodejs: HTTP/2: flood using HEADERS frames results in unbounded memory growth [epel-all]↗2019-08-16
Bugzilla▶
CVE-2019-9514 nodejs: http/2: HTTP/2 flood using HEADERS frames results in unbounded memory growth [fedora-all]↗2019-08-16
Bugzilla▶
CVE-2019-9514 golang: HTTP/2: flood using HEADERS frames results in unbounded memory growth [fedora-all]↗2019-08-16