Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both.
References
Configurations
Configuration 1 (hide)
AND |
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
Configuration 5 (hide)
|
Configuration 6 (hide)
AND |
|
Configuration 7 (hide)
|
Configuration 8 (hide)
|
Configuration 9 (hide)
|
Configuration 10 (hide)
|
Configuration 11 (hide)
|
Configuration 12 (hide)
|
Configuration 13 (hide)
|
History
07 Nov 2023, 03:13
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Information
Published : 2019-08-13 21:15
Updated : 2024-02-28 17:08
NVD link : CVE-2019-9517
Mitre link : CVE-2019-9517
CVE.ORG link : CVE-2019-9517
JSON object : View
Products Affected
redhat
- enterprise_linux
- jboss_enterprise_application_platform
- openshift_service_mesh
- quay
- software_collections
- jboss_core_services
apple
- swiftnio
- mac_os_x
apache
- http_server
- traffic_server
nodejs
- node.js
synology
- vs960hd
- diskstation_manager
- skynas
- vs960hd_firmware
oracle
- graalvm
- retail_xstore_point_of_service
- communications_element_manager
- instantis_enterprisetrack
netapp
- clustered_data_ontap
fedoraproject
- fedora
opensuse
- leap
canonical
- ubuntu_linux
mcafee
- web_gateway
debian
- debian_linux