CVE-2018-1000168
HIGH
nghttp2 1.10.0-1.31.0 - Denial of Service via ALTSVC Frame Handling
Title source: llm
Description
nghttp2 versions >= 1.10.0 and <= 1.31.0 contain an Improper Input Validation (CWE-20) vulnerability in ALTSVC frame handling that can result in a segmentation fault, leading to denial of service. The attack appears to be exploitable via a network client. The vulnerability appears to have been fixed in versions >= 1.31.1.
References (6)
Core References
Third Party Advisory, vendor-advisory, x_refsource_redhat: https://access.redhat.com/errata/RHSA-2019:0367
Release Notes, Third Party Advisory, x_refsource_confirm: https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/
Broken Link, Third Party Advisory, VDB Entry, vdb-entry, x_refsource_bid: http://www.securityfocus.com/bid/103952
Vendor Advisory, x_refsource_confirm: https://nghttp2.org/blog/2018/04/12/nghttp2-v1-31-1/
Third Party Advisory, vendor-advisory, x_refsource_redhat: https://access.redhat.com/errata/RHSA-2019:0366
Mailing List, Third Party Advisory, mailing-list, x_refsource_mlist: https://lists.debian.org/debian-lts-announce/2021/10/msg00011.html
Scores
CVSS v3: 7.5
EPSS: 0.0336
EPSS Percentile: 87.5%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-476, CWE-20
Status: published
Products (5)
debian/debian_linux: 9.0
nghttp2/nghttp2: 1.10.0 - 1.31.0
nodejs/node.js: 6.0.0 - 6.8.1
nodejs/node.js: 8.4.0 - 8.17.0
nodejs/node.js: 9.0.0 - 9.11.2
Published: May 08, 2018
Tracked Since: Feb 18, 2026