CVE-2019-9515

Home/CVE/Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker

CVE

Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker

Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping.

Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

HIGH · CVSS 7.5 EPSS 0.08892

Schedule remediation

EPSS percentile: top 7% of all CVEs by exploitation likelihood
CVSS base score ≥ 7.0

Sigma rules0 YARA rules0

⬡

Weakness Classification

CWE-400Uncontrolled Resource Consumption

CWE-770Allocation of Resources Without Limits or Throttling

▤

Affected Products & Versions

apple swiftnio>= 1.0.0 and <= 1.4.0
apache traffic server>= 6.0.0 and <= 6.2.3
apache traffic server>= 7.0.0 and <= 7.1.6
apache traffic server>= 8.0.0 and <= 8.0.3
canonical ubuntu linuxall versions
debian linuxall versions
synology skynasall versions
synology diskstation managerall versions
Show all 35 affected productssynology vs960hd firmwareall versions
fedoraproject fedoraall versions
opensuse leapall versions
redhat jboss core servicesall versions
redhat jboss enterprise application platformall versions
redhat openshift container platformall versions
redhat openshift service meshall versions
redhat openstackall versions
redhat quayall versions
redhat single sign-onall versions
redhat software collectionsall versions
redhat enterprise linuxall versions
oracle graalvmall versions
mcafee web gateway>= 7.7.2.0 and < 7.7.2.24
mcafee web gateway>= 7.8.2.0 and < 7.8.2.13
mcafee web gateway>= 8.1.0 and < 8.2.0
f5 big-ip local traffic manager>= 11.6.1 and < 11.6.5.1
f5 big-ip local traffic manager>= 12.1.0 and < 12.1.5.1
f5 big-ip local traffic manager>= 13.1.0 and < 13.1.3.2
f5 big-ip local traffic manager>= 14.0.0 and < 14.0.1.1
f5 big-ip local traffic manager>= 14.1.0 and < 14.1.2.1
f5 big-ip local traffic manager>= 15.0.0 and < 15.0.1.1
nodejs node.js>= 8.0.0 and <= 8.8.1
nodejs node.js>= 8.9.0 and < 8.16.1
nodejs node.js>= 10.0.0 and <= 10.12.0
nodejs node.js>= 10.13.0 and < 10.16.3
nodejs node.js>= 12.0.0 and < 12.8.1

▣

Scoring & Timeline

7.5

HIGH · CVSS v3.1 · cret@cert.org

View on NVD

Attack Vector

Network Adjacent Local Physical

Attack Complexity

Low High

Privileges Required

None Low High

User Interaction

None Required

Scope

Unchanged Changed

Confidentiality

None Low High

Integrity

None Low High

Availability

None Low High

Published to NVD13 Aug 2019 · 09:15 PM

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

⚑

Vendor Advisories

rhsaRHSA-2024:5856Moderate
usnUSN-4866-1
rhsaRHSA-2020:3197Important
rhsaRHSA-2020:3196Important
rhsaRHSA-2020:2565Important
Show all 30 vendor advisoriesrhsaRHSA-2020:2067Important
usnUSN-4308-1
rhsaRHSA-2020:0922Important
rhsaRHSA-2020:1445Important
suse-csafSUSE-SU-2019:14246-1
rhsaRHSA-2020:0983Important
suse-csafSUSE-SU-2020:0059-1
rhsaRHSA-2019:4042Important
rhsaRHSA-2019:4045Important
rhsaRHSA-2019:4040Important
rhsaRHSA-2019:4041Important
rhsaRHSA-2020:0727Important
rhsaRHSA-2019:3892Important
rhsaRHSA-2019:4018Moderate
rhsaRHSA-2019:4019Moderate
rhsaRHSA-2019:4020Moderate
rhsaRHSA-2019:4021Moderate
suse-csafopenSUSE-SU-2019:2114-1
suse-csafopenSUSE-SU-2019:2115-1
suse-csafSUSE-SU-2019:2259-1
suse-csafSUSE-SU-2019:2260-1
suse-csafSUSE-SU-2019:2254-1
rhsaRHSA-2019:2861Important
rhsaRHSA-2019:2766Important
rhsaRHSA-2019:2925Important