CVE-2019-9516

CWE-400 — Uncontrolled Resource Consumption CWE-770 — Allocation without Limits19 documents10 sources

Severity

6.5MEDIUM

EPSS

2.2%

top 15.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

F5 Nginx Mcafee WEB Gateway Nodejs Node.js +14 more

Timeline

PublishedAug 13

Latest updateMay 24

Description

Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages14 packages

▶NVDredhat/jboss_core_services1.0

▶NVDredhat/openshift_service_mesh1.0

▶NVDf5/nginx1.9.5 — 1.16.1+1

▶NVDnodejs/node.js8.0.0 — 8.16.1+2

▶NVDmcafee/web_gateway7.7.2.0 — 7.7.2.24+2

Also affects: Debian Linux 10.0, 9.0, Fedora 29, 30, 32, Ubuntu Linux 16.04, 18.04, 19.04, Enterprise Linux 8.0

🔴Vulnerability Details

GHSA

GHSA-6gw7-c226-vg73: Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service↗2022-05-24

▶

CVEList

Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service↗2019-08-13

▶

OSV

CVE-2019-9516: Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service↗2019-08-13

▶

📋Vendor Advisories

Ubuntu

nginx vulnerabilities↗2019-08-15

▶

Red Hat

HTTP/2: 0-length headers lead to denial of service↗2019-08-13

▶

Microsoft

Some HTTP/2 implementations are vulnerable to a header leak potentially leading to a denial of service↗2019-08-13

▶

Apple

CVE-2019-9516: SwiftNIO HTTP/2 1.5.0↗2019-08-13

▶

Debian

CVE-2019-9516: nginx - Some HTTP/2 implementations are vulnerable to a header leak, potentially leading...↗2019

▶

💬Community

Bugzilla

EPEL7 nginx package contains multiple CVEs↗2019-09-10

▶

Bugzilla

CVE-2019-9516 undertow: HTTP/2: 0-length headers lead to denial of service [fedora-all]↗2019-09-03

▶

Bugzilla

CVE-2019-9516 nginx: HTTP/2: 0-length headers lead to denial of service [epel-all]↗2019-08-16

▶

Bugzilla

CVE-2019-9516 nodejs: HTTP/2: 0-length headers lead to denial of service [epel-all]↗2019-08-16

▶

Bugzilla

CVE-2019-9511 CVE-2019-9516 CVE-2019-9517 mod_http2: various flaws [fedora-all]↗2019-08-16

▶