CVE-2019-9517

HIGH

HTTP/2 - DoS

Description

Some HTTP/2 implementations are vulnerable to unconstrained internal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both.

Scores

CVSS v3 7.5
EPSS 0.0456
EPSS Percentile 89.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Classification

CWE
CWE-770 CWE-400
Status published

Affected Products (33)

apple/swiftnio < 1.4.0
apache/http_server < 2.4.40
apache/traffic_server < 6.2.3
canonical/ubuntu_linux
canonical/ubuntu_linux
canonical/ubuntu_linux
debian/debian_linux
debian/debian_linux
synology/skynas
synology/diskstation_manager
synology/vs960hd_firmware
fedoraproject/fedora
fedoraproject/fedora
opensuse/leap
opensuse/leap
... and 18 more

Timeline

Published Aug 13, 2019
Tracked Since Feb 18, 2026