CVE-2019-9513

HIGH

HTTP/2 - DoS

Title source: llm

Description

Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.

References (42)

[Mailing List, Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html

[Mailing List, Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html

[Mailing List, Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html

[Mailing List, Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00003.html

[Mailing List, Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00005.html

[Mailing List, Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00014.html

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:2692

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:2745

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:2746

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:2775

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:2799

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:2925

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:2939

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:2949

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:2955

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:2966

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:3041

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:3932

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:3933

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:3935

... and 22 more

Scores

CVSS v3 7.5

EPSS 0.0731

EPSS Percentile 91.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Classification

CWE

CWE-400

Status published

Affected Products (28)

apple/swiftnio < 1.4.0

apache/traffic_server < 6.2.3

canonical/ubuntu_linux

canonical/ubuntu_linux

canonical/ubuntu_linux

debian/debian_linux

debian/debian_linux

fedoraproject/fedora

synology/skynas

synology/diskstation_manager

synology/vs960hd_firmware

fedoraproject/fedora

opensuse/leap

opensuse/leap

redhat/jboss_core_services

... and 13 more

Timeline

Published Aug 13, 2019

Tracked Since Feb 18, 2026