CVE-2019-9517
published 2019-08-13
high 7.5 CVSS 3.1
AV:N AC:L PR:N UI:N S:U C:N I:N A:H
Some HTTP/2 implementations are vulnerable to unconstrained internal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both.
Affected
62 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | http_server | >= 2.4.20 < 2.4.40 | 2.4.40 |
| apache | traffic_server | 6.0.0 – 6.2.3 | — |
| apache | traffic_server | 7.0.0 – 7.1.6 | — |
| apache | traffic_server | 8.0.0 – 8.0.3 | — |
| apple | swiftnio | 1.0.0 – 1.4.0 | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | apache2 | < apache2 2.4.41-1 (bookworm) | apache2 2.4.41-1 (bookworm) |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| mcafee | active_response | — | — |
| mcafee | active_response | — | — |
| mcafee | active_response | — | — |
| mcafee | active_response | — | — |
| mcafee | active_response | — | — |
| mcafee | active_response | — | — |
| mcafee | active_response | — | — |
| mcafee | active_response | — | — |
| mcafee | advanced_threat_defense | — | — |
| mcafee | advanced_threat_defense | — | — |
| mcafee | advanced_threat_defense | — | — |
| mcafee | advanced_threat_defense | — | — |
CVSS provenance
nvd v3.1 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
osv 7.5 HIGH