CVE-2024-27316

CWE-770 — Allocation without Limits CWE-400 — Uncontrolled Resource Consumption15 documents12 sources

Severity

7.5HIGH

EPSS

89.4%

top 0.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Http Server Apache Software Foundation Apache Http Server Fedoraproject Fedora +1 more

Timeline

PublishedApr 4

Latest updateJul 29

Description

HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDapache/http_server2.4.17 — 2.4.59

▶CVEListV5apache_software_foundation/apache_http_server2.4.17 — 2.4.58

▶Debianapache2< 2.4.59-1~deb11u1+3

Also affects: Ontap 9, Fedora 38, 39, 40

🔴Vulnerability Details

OSV

apache2 vulnerabilities↗2024-04-11

▶

CVEList

Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames↗2024-04-04

▶

OSV

CVE-2024-27316: HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response↗2024-04-04

▶

GHSA

GHSA-5qc4-82jh-h385: HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response↗2024-04-04

▶

📋Vendor Advisories

Apple

CVE-2024-27316: macOS Sonoma 14.6↗2024-07-29

▶

Oracle

Oracle Oracle Communications Applications Risk Matrix: Core (Apache HTTP Server) — CVE-2024-27316↗2024-07-15

▶

Ubuntu

Apache HTTP Server vulnerabilities↗2024-04-29

▶

Ubuntu

Apache HTTP Server vulnerabilities↗2024-04-17

▶

Ubuntu

Apache HTTP Server vulnerabilities↗2024-04-11

▶

💬Community

HackerOne

Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames↗2024-04-24

▶