CVE-2019-9516

MEDIUM

HTTP/2 - DoS

Title source: llm

Description

Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory.

References (37)

... and 17 more

Scores

CVSS v3 6.5
EPSS 0.0239
EPSS Percentile 84.8%
Attack Vector NETWORK
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Classification

CWE CWE-770, CWE-400
Status published

Affected Products (27)

apple/swiftnio < 1.4.0
apache/traffic_server < 6.2.3
canonical/ubuntu_linux
canonical/ubuntu_linux
canonical/ubuntu_linux
debian/debian_linux
debian/debian_linux
fedoraproject/fedora
synology/skynas
synology/diskstation_manager
synology/vs960hd_firmware
fedoraproject/fedora
fedoraproject/fedora
opensuse/leap
opensuse/leap
... and 12 more

Timeline

Published Aug 13, 2019
Tracked Since Feb 18, 2026