CVE-2019-12854 – squid: Denial of service in cachemgr.cgi
https://notcve.org/view.php?id=CVE-2019-12854
Due to incorrect string termination, Squid cachemgr.cgi 4.0 through 4.7 may access unallocated memory. On systems with memory access protections, this can cause the CGI process to terminate unexpectedly, resulting in a denial of service for all clients using it. Debido a una terminación de cadena incorrecta, el archivo cachemgr.cgi de Squid versiones 4.0 hasta 4.7 puede acceder a la memoria no asignada. En sistemas con protecciones de acceso a memoria, esto puede causar que el proceso CGI finalice inesperadamente, resultando en una denegación de servicio para todos los clientes que lo usan. • http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00053.html http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html http://www.squid-cache.org/Advisories/SQUID-2019_1.txt http://www.squid-cache.org/Versions/v4/changesets/squid-4-2981a957716c61ff7e21eee1d7d6eb5a237e466d.patch https://bugs.squid-cache.org/show_bug.cgi?id=4937 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPXN2CLAGN5QSQBTOV5IGVLDOQSRFNTZ https://seclists.org/bugtraq/2019 • CWE-400: Uncontrolled Resource Consumption •
CVE-2019-9518 – Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service
https://notcve.org/view.php?id=CVE-2019-9518
Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU. • http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html http://seclists.org/fulldisclosure/2019/Aug/16 https://access.redhat.com/errata/RHSA-2019:2925 https://access.redhat.com/errata/RHSA-2019:2939 https://access.redhat.com/errata/RHSA-2019:2955 https://access.redhat.com/errata/RHSA-2019:3892 https://access.redhat.com/errata/RHSA-2019:4352 https://access.redhat.com/errata/RHSA-2020:0727 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2019-9516 – Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service
https://notcve.org/view.php?id=CVE-2019-9516
Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory. Algunas implementaciones de HTTP / 2 son vulnerables a una fuga de encabezado, lo que puede conducir a una denegación de servicio. • http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00014.html http://seclists.org/fulldisclosure/2019/Aug/16 https://access.redhat.com/errata/RHSA-2019:2745 https://access.redhat.com/errata/RHSA-2019:2746 https://access.redhat.com/errata/RHSA-2019:2775 https • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2019-9513 – Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service
https://notcve.org/view.php?id=CVE-2019-9513
Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU. Algunas implementaciones de HTTP / 2 son vulnerables a los bucles de recursos, lo que puede conducir a una denegación de servicio. El atacante crea múltiples flujos de solicitud y baraja continuamente la prioridad de los flujos de una manera que provoca un cambio considerable en el árbol de prioridad. • http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00003.html http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00005.html http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00014.html https://access.redhat.com/errata/RHSA-2019:2692 https:/ • CWE-400: Uncontrolled Resource Consumption •
CVE-2019-9515 – Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service
https://notcve.org/view.php?id=CVE-2019-9515
Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. Algunas implementaciones de HTTP / 2 son vulnerables a una inundación de configuraciones, lo que puede conducir a una denegación de servicio. • http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html http://seclists.org/fulldisclosure/2019/Aug/16 https://access.redhat.com/errata/RHSA-2019:2766 https://access.redhat.com/errata/RHSA-2019:2796 https://access.redhat.com/errata/RHSA-2019:2861 https://access.redhat.com/errata/RHSA-2019:2925 https://access.redhat.com/errata/RHSA-2019:2939 https://access.redhat.com/errata/RHSA-2019:2955 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •