Page 3 of 31 results (0.009 seconds)

CVSS: 7.8EPSS: 3%CPEs: 43EXPL: 0

Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both. Algunas implementaciones HTTP / 2 son vulnerables al almacenamiento en búfer de datos interal sin restricciones, lo que puede conducir a una denegación de servicio. • http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html http://www.openwall.com/lists/oss-security/2019/08/15/7 https://access.redhat.com/errata/RHSA-2019:2893 https://access.redhat.com/errata/RHSA-2019:2925 https://access.redhat.com/errata/RHSA-2019:2939 https://access.redhat.com/errata/RHSA-2019:2946 https:/ • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •

CVSS: 7.8EPSS: 9%CPEs: 39EXPL: 0

Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. Algunas implementaciones de HTTP / 2 son vulnerables a la manipulación del tamaño de la ventana y la manipulación de priorización de flujo, lo que puede conducir a una denegación de servicio. • http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00003.html http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00005.html http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00014.html https://access.redhat.com/errata/RHSA-2019:2692 https:/ • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •

CVSS: 7.8EPSS: 82%CPEs: 55EXPL: 0

Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both. Algunas implementaciones de HTTP / 2 son vulnerables a una inundación de reinicio, lo que puede conducir a una denegación de servicio. El atacante abre una serie de secuencias y envía una solicitud no válida sobre cada secuencia que debería solicitar una secuencia de tramas RST_STREAM del par. • http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00076.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00002.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00011.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00021.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html http://lists.opensuse.org/opensuse-security-announce/2019-09 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •

CVSS: 7.5EPSS: 1%CPEs: 5EXPL: 0

In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly. This keeps the connection and associated resources alive for a long period of time. Potential attacks are mitigated by the use of a load balancer or other proxy layer. This vulnerability is an extension of CVE-2018-12121, addressed in November and impacts all active Node.js release lines including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1. En Node.js, que incluye la versión 6.x en versiones anteriores a la 6.17.0, 8.x en versiones anteriores a la 8.15.1, 10.x en versiones anteriores a la 10.15.2 y 11.x en versiones anteriores a la 11.10.1, un atacante puede provocar una denegación de servicio (DoS) instalando una conexión HTTP o HTTPS en modo keep-alive y enviando encabezados muy lentamente. • http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00059.html https://access.redhat.com/errata/RHSA-2019:1821 https://nodejs.org/en/blog/vulnerability/february-2019-security-releases https://security.gentoo.org/glsa/202003-48 https://security.netapp.com/advisory/ntap-20190502-0008 https://access.redhat.com/security/cve/CVE-2019-5737 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •

CVSS: 7.5EPSS: 0%CPEs: 9EXPL: 0

Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time. Node.js: Todas las versiones anteriores a la 6.15.0, 8.14.0, 10.14.0 y 11.3.0: Denegación de servicio (DoS) HTTP mediante Slowloris. Un atacante puede provocar una denegación de servicio (DoS) enviando cabeceras muy lentamente, manteniendo las conexiones HTTP o HTTPS y los recursos asociados vivos durante un largo período de tiempo. It was found that Node.js HTTP server was vulnerable to a Slowloris type attack. An attacker could make long lived connections by sending bytes very slowly to the server, saturating its resource and possibly resulting in a denial of service. • http://www.securityfocus.com/bid/106043 https://access.redhat.com/errata/RHSA-2019:1821 https://nodejs.org/en/blog/vulnerability/november-2018-security-releases https://security.gentoo.org/glsa/202003-48 https://access.redhat.com/security/cve/CVE-2018-12122 https://bugzilla.redhat.com/show_bug.cgi?id=1661005 • CWE-400: Uncontrolled Resource Consumption •