CVE-2019-9513

Home/CVE/Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker c

CVE

Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker c

Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.

HIGH · CVSS 7.5 EPSS 0.06587

Schedule remediation

EPSS percentile: top 9% of all CVEs by exploitation likelihood
CVSS base score ≥ 7.0

Sigma rules1 YARA rules0

⬡

Weakness Classification

CWE-400Uncontrolled Resource Consumption

▤

Affected Products & Versions

apple swiftnio>= 1.0.0 and <= 1.4.0
apache traffic server>= 6.0.0 and <= 6.2.3
apache traffic server>= 7.0.0 and <= 7.1.6
apache traffic server>= 8.0.0 and <= 8.0.3
canonical ubuntu linuxall versions
debian linuxall versions
fedoraproject fedoraall versions
synology skynasall versions
Show all 29 affected productssynology diskstation managerall versions
synology vs960hd firmwareall versions
opensuse leapall versions
redhat jboss core servicesall versions
redhat jboss enterprise application platformall versions
redhat openshift service meshall versions
redhat quayall versions
redhat software collectionsall versions
redhat enterprise linuxall versions
oracle graalvmall versions
mcafee web gateway>= 7.7.2.0 and < 7.7.2.24
mcafee web gateway>= 7.8.2.0 and < 7.8.2.13
mcafee web gateway>= 8.1.0 and < 8.2.0
f5 nginx>= 1.9.5 and < 1.16.1
f5 nginx>= 1.17.0 and <= 1.17.2
oracle enterprise communications brokerall versions
nodejs node.js>= 8.0.0 and <= 8.8.1
nodejs node.js>= 8.9.0 and < 8.16.1
nodejs node.js>= 10.0.0 and <= 10.12.0
nodejs node.js>= 10.13.0 and < 10.16.3
nodejs node.js>= 12.0.0 and < 12.8.1

◈

Sigma Hunt Rules

Exact rules name this CVE ID. Product rules name an affected product in their title. Related rules cover techniques used by actors who exploited this CVE. Showing the most relevant matches; the complete related set is on the full drill-down.

producthighNginx Core Dump

▣

Scoring & Timeline

7.5

HIGH · CVSS v3.1 · cret@cert.org

View on NVD

Attack Vector

Network Adjacent Local Physical

Attack Complexity

Low High

Privileges Required

None Low High

User Interaction

None Required

Scope

Unchanged Changed

Confidentiality

None Low High

Integrity

None Low High

Availability

None Low High

Published to NVD13 Aug 2019 · 09:15 PM

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

⚑

Vendor Advisories

usnUSN-6754-1
suse-csafSUSE-SU-2021:0932-1
suse-csafSUSE-SU-2019:14246-1
rhsaRHSA-2020:0983Important
suse-csafSUSE-SU-2020:0059-1
Show all 30 vendor advisoriessuse-csafopenSUSE-SU-2019:2264-1
suse-csafSUSE-SU-2019:2559-1
suse-csafopenSUSE-SU-2019:2232-1
suse-csafopenSUSE-SU-2019:2234-1
suse-csafSUSE-SU-2019:2473-1
suse-csafopenSUSE-SU-2019:2114-1
suse-csafopenSUSE-SU-2019:2115-1
suse-csafopenSUSE-SU-2019:2120-1
suse-csafSUSE-SU-2019:2309-1
suse-csafSUSE-SU-2019:2259-1
suse-csafSUSE-SU-2019:2260-1
suse-csafSUSE-SU-2019:2254-1
usnUSN-4099-1
msrcCVE-2019-9513Denial of Service
rhsaRHSA-2019:2966Important
rhsaRHSA-2019:2925Important
rhsaRHSA-2019:2955Important
rhsaRHSA-2019:2939Important
rhsaRHSA-2019:3932Important
rhsaRHSA-2019:2799Important
rhsaRHSA-2019:2775Important
rhsaRHSA-2019:3041Important
rhsaRHSA-2019:2692Important
rhsaRHSA-2019:2946Important
rhsaRHSA-2019:2746Important