CVE-2024-27316

HTTP/2 incoming headers that exceed the configured limit are temporarily buffered in nghttp2 so that an informative HTTP 413 response can be generated. If a client does not stop sending headers, this leads to memory exhaustion on the server (denial of service). The issue is in mod_http2 of Apache HTTP Server and, per the httpd advisory listed under References, is fixed in httpd 2.4.59.
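The failure mode described above, as an added illustration that is not the mod_http2 or nghttp2 source: a toy HTTP/2 header-block receiver that keeps buffering fragments past its limit (so it can build a 413 later) next to one that stops retaining data once the limit is crossed and resets a stream that keeps sending. The frame model, the 8 KiB limit, the 4 KiB slack, the attacker stream and the sample requests are all constructed for the example; real header blocks are HPACK-encoded and the limit applies to the decoded size.

```python
"""Added illustration of CWE-770 in an HTTP/2 header-block receiver.

Not the mod_http2 or nghttp2 code: a deliberately small model of the pattern.
A request's header block arrives as a HEADERS frame followed by any number of
CONTINUATION frames, and the server only learns the total size when a frame
carries END_HEADERS. A receiver that keeps every fragment past its limit, so
that it can later produce an informative 413, lets the peer decide how much
memory the server holds.
"""
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional, Tuple

# Assumed per-request header limit for the model (the role LimitRequestFieldSize
# and friends play in httpd); 8 KiB is a constructed value.
MAX_HEADER_BYTES = 8 * 1024

Frame = Tuple[bytes, bool]  # (header-block fragment, END_HEADERS flag)


@dataclass
class StreamResult:
    status: Optional[int]   # 200 or 413 once the stream is answered, None if still waiting
    reset: bool             # True when the server gave up on the stream before END_HEADERS
    peak_buffered: int      # largest header buffer the server held for this stream
    discarded: int          # bytes received after the limit was crossed and not retained


def vulnerable_receive(frames: Iterable[Frame], limit: int = MAX_HEADER_BYTES) -> StreamResult:
    """Retain everything so the eventual 413 can describe the oversized request.

    The peer controls how long this loop runs and therefore how big buf gets."""
    buf = bytearray()
    peak = 0
    for payload, end_headers in frames:
        buf.extend(payload)              # unconditional: this is the bug
        peak = max(peak, len(buf))
        if end_headers:
            return StreamResult(413 if len(buf) > limit else 200, False, peak, 0)
    # END_HEADERS never came: every byte the peer sent is still resident.
    return StreamResult(None, False, peak, 0)


def hardened_receive(frames: Iterable[Frame], limit: int = MAX_HEADER_BYTES,
                     slack: int = 4 * 1024) -> StreamResult:
    """Stop retaining data once the limit is crossed; only count what follows.

    A 413 needs no header content, so the partial buffer is released at that point.
    If the peer keeps sending more than `slack` bytes after it is already over the
    limit, the stream is reset instead of waiting for an END_HEADERS that may never
    arrive. `slack` is a constructed tolerance for this model."""
    buf = bytearray()
    peak = discarded = 0
    for payload, end_headers in frames:
        if discarded or len(buf) + len(payload) > limit:
            discarded += len(payload)
            buf = bytearray()            # release; the response does not need the bytes
            if end_headers:
                return StreamResult(413, False, peak, discarded)
            if discarded > slack:
                return StreamResult(413, True, peak, discarded)
            continue
        buf.extend(payload)
        peak = max(peak, len(buf))
        if end_headers:
            return StreamResult(200, False, peak, discarded)
    return StreamResult(None, False, peak, discarded)


def endless_continuations(frame_size: int = 1024, frames: int = 1000) -> Iterator[Frame]:
    """Constructed attacker stream: HEADERS then CONTINUATION frames, none with END_HEADERS."""
    for _ in range(frames):
        yield (b"x" * frame_size, False)


# Constructed legitimate request; real header blocks are HPACK-encoded, not text.
LEGIT_REQUEST = [(b":method: GET\r\n:path: /\r\nhost: example.test\r\n", True)]
# Constructed oversized-but-finished request (e.g. a huge cookie) split over two frames.
OVERSIZED_REQUEST = [(b"a" * 6000, False), (b"b" * 6000, True)]


if __name__ == "__main__":
    for name, recv in (("vulnerable", vulnerable_receive), ("hardened", hardened_receive)):
        attack = recv(endless_continuations())
        print(f"{name:10s} endless: status={attack.status} reset={attack.reset} "
              f"peak_buffered={attack.peak_buffered} discarded={attack.discarded}")
        big = recv(OVERSIZED_REQUEST)
        print(f"{name:10s} oversized: status={big.status} peak_buffered={big.peak_buffered}")
```

Against the endless stream the vulnerable receiver ends with the whole megabyte resident and no response sent, while the hardened one never holds more than the limit, answers 413 and resets the stream after a few extra frames. The oversized-but-finished request still gets its 413 from both, which is the behaviour the buffering was meant to preserve; the fix is in what is retained, not in whether the 413 is sent.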
Configurations

Configuration 1

  • cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*

Configuration 2 (any of)

  • cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*

Configuration 3

  • cpe:2.3:a:netapp:ontap:9:*:*:*:*:*:*:*
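Configuration 1 matches every Apache HTTP Server version, which is too coarse to act on. The following is an added triage helper, not Apache tooling, that decides from pasted `httpd -v` / `httpd -M` output and the server configuration whether the HTTP/2 code path is even reachable. The fixed release it compares against, 2.4.59, is the one stated in the httpd advisory linked from this page; the sample command output and configuration snippets are constructed.

```python
"""Added exposure triage for CVE-2024-27316; not Apache tooling.

Works on text an operator pastes in: `httpd -v` (or `apache2 -v`), `httpd -M`
(or `apachectl -M`) and the server configuration. HTTP/2 is only reachable
when mod_http2 is loaded and a Protocols directive advertises h2 or h2c; with
no Protocols directive httpd serves http/1.1 only. The fixed release, 2.4.59,
is the one given in the httpd advisory linked from this page. Distribution
builds may carry the fix under an older version string, so a version hit
means "check the package changelog", not proof of exposure.
"""
import re
from typing import Optional, Tuple

FIXED_VERSION = (2, 4, 59)


def parse_httpd_version(httpd_v_output: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from the 'Server version: Apache/x.y.z' line."""
    m = re.search(r"Server version:\s*Apache/(\d+)\.(\d+)\.(\d+)", httpd_v_output)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def http2_module_loaded(httpd_m_output: str) -> bool:
    """True if http2_module appears in the 'Loaded Modules' listing, static or shared."""
    return re.search(r"^\s*http2_module\s+\((static|shared)\)", httpd_m_output, re.M) is not None


def h2_protocols_enabled(config_text: str) -> bool:
    """True if any Protocols directive lists h2 or h2c, at server scope or in a VirtualHost.

    Comments are stripped first and directive names are matched case-insensitively, as
    httpd does. The trailing whitespace in the pattern keeps ProtocolsHonorOrder from
    matching."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"Protocols\s+(.+)$", line, re.I)
        if m and any(tok.lower() in ("h2", "h2c") for tok in m.group(1).split()):
            return True
    return False


def assess(httpd_v_output: str, httpd_m_output: str, config_text: str) -> Tuple[bool, str]:
    """Return (exposed, reason). Unknown version strings are treated as exposed."""
    version = parse_httpd_version(httpd_v_output)
    if version is None:
        return (True, "could not parse the httpd version; treat as exposed until confirmed")
    vstr = ".".join(map(str, version))
    if version >= FIXED_VERSION:
        return (False, f"httpd {vstr} is at or past 2.4.59")
    if not http2_module_loaded(httpd_m_output):
        return (False, f"httpd {vstr} is below 2.4.59 but mod_http2 is not loaded; still upgrade")
    if not h2_protocols_enabled(config_text):
        return (False, f"httpd {vstr} is below 2.4.59 but no Protocols directive enables h2/h2c; still upgrade")
    return (True, f"httpd {vstr} with HTTP/2 enabled: upgrade, or set 'Protocols http/1.1' until you can")


# Constructed samples in the shape the real commands print.
SAMPLE_V_OLD = "Server version: Apache/2.4.57 (Fedora Linux)\nServer built:   Jan 31 2024 00:00:00\n"
SAMPLE_V_NEW = "Server version: Apache/2.4.59 (Unix)\nServer built:   Apr  4 2024 00:00:00\n"
SAMPLE_M_H2 = "Loaded Modules:\n core_module (static)\n http2_module (shared)\n ssl_module (shared)\n"
SAMPLE_M_NO_H2 = "Loaded Modules:\n core_module (static)\n ssl_module (shared)\n"
SAMPLE_CONF_H2 = ("# Protocols h2 http/1.1   <- commented out at top level\n"
                  "<VirtualHost *:443>\n    Protocols h2 http/1.1\n</VirtualHost>\n")
SAMPLE_CONF_H1 = "<VirtualHost *:443>\n    Protocols http/1.1\n</VirtualHost>\n"


if __name__ == "__main__":
    for label, args in (("old build, h2 on", (SAMPLE_V_OLD, SAMPLE_M_H2, SAMPLE_CONF_H2)),
                        ("old build, h2 off", (SAMPLE_V_OLD, SAMPLE_M_H2, SAMPLE_CONF_H1)),
                        ("old build, no mod_http2", (SAMPLE_V_OLD, SAMPLE_M_NO_H2, SAMPLE_CONF_H2)),
                        ("fixed build", (SAMPLE_V_NEW, SAMPLE_M_H2, SAMPLE_CONF_H2))):
        exposed, reason = assess(*args)
        print(f"{label:24s} exposed={exposed}  {reason}")
```

Feed it the real command output rather than trusting a `Server:` response header, which is routinely minimised by `ServerTokens`. Disabling HTTP/2 with `Protocols http/1.1` is a stop-gap that removes the affected code path; the fix itself is the upgrade.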

History

21 Nov 2024, 09:04

Type | Values Removed | Values Added
References | http://seclists.org/fulldisclosure/2024/Jul/18 | http://seclists.org/fulldisclosure/2024/Jul/18
References | http://www.openwall.com/lists/oss-security/2024/04/04/4 (Mailing List) | http://www.openwall.com/lists/oss-security/2024/04/04/4 (Mailing List)
References | https://httpd.apache.org/security/vulnerabilities_24.html (Product, Release Notes) | https://httpd.apache.org/security/vulnerabilities_24.html (Product, Release Notes)
References | https://support.apple.com/kb/HT214119 | https://support.apple.com/kb/HT214119
References | https://www.openwall.com/lists/oss-security/2024/04/03/16 | https://www.openwall.com/lists/oss-security/2024/04/03/16

30 Jul 2024, 02:15

Type | Values Removed | Values Added
References | | http://seclists.org/fulldisclosure/2024/Jul/18

29 Jul 2024, 22:15

Type | Values Removed | Values Added
References | | https://support.apple.com/kb/HT214119

22 Jul 2024, 09:15

Type | Values Removed | Values Added
CWE | | CWE-400
References | | http://www.openwall.com/lists/oss-security/2024/04/03/16 (Mailing List; source: security@apache.org)
References | | https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html (source: security@apache.org)
References | | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FO73U3SLBYFGIW2YKXOK7RI4D6DJSZ2B/ (Release Notes; source: security@apache.org)
References | | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MIUBKSCJGPJ6M2U63V6BKFDF725ODLG7/ (Release Notes; source: security@apache.org)
References | | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QKKDVFWBKIHCC3WXNH3W75WWY4NW42OB/ (Release Notes; source: security@apache.org)
References | | https://security.netapp.com/advisory/ntap-20240415-0013/ (Third Party Advisory; source: security@apache.org)
References | | https://www.openwall.com/lists/oss-security/2024/04/03/16

10 Jun 2024, 17:16

Type | Values Removed | Values Added
References | | https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html

06 Jun 2024, 19:29

Type | Values Removed | Values Added
References | http://www.openwall.com/lists/oss-security/2024/04/03/16 | http://www.openwall.com/lists/oss-security/2024/04/03/16 (Mailing List)
References | http://www.openwall.com/lists/oss-security/2024/04/04/4 | http://www.openwall.com/lists/oss-security/2024/04/04/4 (Mailing List)
References | https://httpd.apache.org/security/vulnerabilities_24.html | https://httpd.apache.org/security/vulnerabilities_24.html (Product, Release Notes)
References | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FO73U3SLBYFGIW2YKXOK7RI4D6DJSZ2B/ | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FO73U3SLBYFGIW2YKXOK7RI4D6DJSZ2B/ (Release Notes)
References | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MIUBKSCJGPJ6M2U63V6BKFDF725ODLG7/ | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MIUBKSCJGPJ6M2U63V6BKFDF725ODLG7/ (Release Notes)
References | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QKKDVFWBKIHCC3WXNH3W75WWY4NW42OB/ | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QKKDVFWBKIHCC3WXNH3W75WWY4NW42OB/ (Release Notes)
References | https://security.netapp.com/advisory/ntap-20240415-0013/ | https://security.netapp.com/advisory/ntap-20240415-0013/ (Third Party Advisory)
CVSS | v2: unknown; v3: unknown | v2: unknown; v3: 7.5
CWE | | CWE-770
CPE | | cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*
    | | cpe:2.3:a:netapp:ontap:9:*:*:*:*:*:*:*
    | | cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
    | | cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
    | | cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*
First Time | | Apache http Server
    | | Fedoraproject
    | | Netapp ontap
    | | Apache
    | | Fedoraproject fedora
    | | Netapp

01 May 2024, 18:15

Type | Values Removed | Values Added
References | | http://www.openwall.com/lists/oss-security/2024/04/03/16

01 May 2024, 17:15

Type | Values Removed | Values Added
References | | http://www.openwall.com/lists/oss-security/2024/04/04/4

21 Apr 2024, 04:15

Type | Values Removed | Values Added
References | | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FO73U3SLBYFGIW2YKXOK7RI4D6DJSZ2B/

21 Apr 2024, 03:15

Type | Values Removed | Values Added
References | | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MIUBKSCJGPJ6M2U63V6BKFDF725ODLG7/
References | | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QKKDVFWBKIHCC3WXNH3W75WWY4NW42OB/
References | | https://security.netapp.com/advisory/ntap-20240415-0013/

05 Apr 2024, 12:40

Type | Values Removed | Values Added
Summary | | (es) Spanish-language summary added; in English: HTTP/2 incoming headers that exceed the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this causes memory exhaustion.

04 Apr 2024, 20:15

Type | Values Removed | Values Added
New CVE | |

Information

Published : 2024-04-04 20:15

Updated : 2024-11-21 09:04


NVD link : CVE-2024-27316

Mitre link : CVE-2024-27316

CVE.ORG link : CVE-2024-27316

Products Affected

apache

  • http_server

fedoraproject

  • fedora

netapp

  • ontap

CWE

  • CWE-770: Allocation of Resources Without Limits or Throttling