Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both.
References
Configurations
Configuration 1 (hide)
AND |
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
Configuration 5 (hide)
|
Configuration 6 (hide)
AND |
|
Configuration 7 (hide)
|
Configuration 8 (hide)
|
Configuration 9 (hide)
|
Configuration 10 (hide)
|
Configuration 11 (hide)
|
Configuration 12 (hide)
|
Configuration 13 (hide)
|
History
12 Aug 2022, 18:40
Type | Values Removed | Values Added |
---|---|---|
References | (MLIST) https://lists.apache.org/thread.html/rd2fb621142e7fa187cfe12d7137bf66e7234abcbbcd800074c84a538@%3Ccvs.httpd.apache.org%3E - Mailing List, Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E - Mailing List, Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf@%3Ccvs.httpd.apache.org%3E - Mailing List, Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/r3c5c3104813c1c5508b55564b66546933079250a46ce50eee90b2e36@%3Ccvs.httpd.apache.org%3E - Mailing List, Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E - Mailing List, Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3Ccvs.httpd.apache.org%3E - Mailing List, Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d@%3Ccvs.httpd.apache.org%3E - Mailing List, Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/r03ee478b3dda3e381fd6189366fa7af97c980d2f602846eef935277d@%3Ccvs.httpd.apache.org%3E - Mailing List, Third Party Advisory | |
CPE | cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:* cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* |
06 Jun 2021, 11:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
Information
Published : 2019-08-13 21:15
Updated : 2024-02-04 20:20
NVD link : CVE-2019-9517
Mitre link : CVE-2019-9517
CVE.ORG link : CVE-2019-9517
JSON object : View
Products Affected
netapp
- clustered_data_ontap
nodejs
- node.js
synology
- vs960hd_firmware
- diskstation_manager
- vs960hd
- skynas
redhat
- quay
- openshift_service_mesh
- enterprise_linux
- software_collections
- jboss_core_services
- jboss_enterprise_application_platform
oracle
- graalvm
- retail_xstore_point_of_service
- instantis_enterprisetrack
- communications_element_manager
apple
- mac_os_x
- swiftnio
mcafee
- web_gateway
debian
- debian_linux
canonical
- ubuntu_linux
fedoraproject
- fedora
apache
- traffic_server
- http_server
opensuse
- leap