CVE-2019-9513
Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service
Public Exploits: 0
Exploited in Wild: -
Decision: -
Descriptions
Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.
A flaw was found in HTTP/2. An attacker, using PRIORITY frames to flood the system, could cause excessive CPU usage and starvation of other clients. The largest threat from this vulnerability is to system availability.
Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. This release adds the new Apache HTTP Server 2.4.37 packages that are part of the JBoss Core Services offering. This release serves as a replacement for Red Hat JBoss Core Services Pack Apache Server 2.4.29 and includes bug fixes and enhancements. Issues addressed include bypass and denial of service vulnerabilities.
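The mechanism the descriptions above refer to, as an added Python example that is not code from any affected project or vendor: it builds and parses PRIORITY frames (RFC 7540 section 6.3), applies them to a stream dependency tree using the section 5.3.3 reprioritisation rule, counts how much tree work a server does for each 14-byte frame the client sends, and shows a per-connection PRIORITY budget as one possible mitigation. The attacker pattern in `churn_attack`, the `work` counter, and the `PriorityBudget` threshold are assumptions chosen for illustration; they are not the exact fix any listed vendor shipped.

```python
"""PRIORITY-frame churn (the CVE-2019-9513 mechanism) and a budget mitigation. Constructed example: offline."""
import struct

FRAME_HEADER_LEN = 9
DATA_FRAME, HEADERS_FRAME, PRIORITY_FRAME = 0x0, 0x1, 0x2   # RFC 7540 section 6 frame types

def build_priority_frame(stream_id, dependency, weight=16, exclusive=False):
    """Serialise one PRIORITY frame: 9-octet header + 5-octet payload (14 bytes total)."""
    dep_field = dependency | (0x80000000 if exclusive else 0)  # E bit + 31-bit stream dependency
    payload = struct.pack(">IB", dep_field, weight - 1)        # weight is carried on the wire as value-1
    header = (5).to_bytes(3, "big") + bytes([PRIORITY_FRAME, 0]) + struct.pack(">I", stream_id)
    return header + payload

def parse_frames(buf):
    """Yield (type, flags, stream_id, payload) for each complete frame in buf."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        stream_id = int.from_bytes(buf[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = buf[off + 9:off + 9 + length]
        if len(payload) < length:
            break                                  # truncated frame: wait for more bytes
        yield ftype, flags, stream_id, payload
        off += FRAME_HEADER_LEN + length

def parse_priority_payload(payload):
    """Return (exclusive, dependency, weight); any other length is a FRAME_SIZE_ERROR."""
    if len(payload) != 5:
        raise ValueError("FRAME_SIZE_ERROR: PRIORITY payload must be 5 octets")
    dep_field, weight_minus_one = struct.unpack(">IB", payload)
    return bool(dep_field & 0x80000000), dep_field & 0x7FFFFFFF, weight_minus_one + 1

class PriorityTree:
    """RFC 7540 section 5.3 dependency tree; `work` counts node visits and moves (a CPU-cost proxy)."""
    def __init__(self):
        self.parent, self.children, self.weight, self.work = {0: None}, {0: []}, {0: 16}, 0
    def _ensure(self, sid):                        # unknown streams start as children of the root
        if sid not in self.parent:
            self.parent[sid], self.children[sid], self.weight[sid] = 0, [], 16
            self.children[0].append(sid)
    def _is_descendant(self, node, ancestor):     # walk towards the root: cost grows with tree depth
        while node is not None:
            self.work += 1
            if node == ancestor:
                return True
            node = self.parent[node]
        return False
    def _move(self, node, new_parent):
        self.children[self.parent[node]].remove(node)
        self.parent[node] = new_parent
        self.children[new_parent].append(node)
        self.work += 1
    def reprioritize(self, sid, dependency, weight, exclusive):
        if sid == 0 or sid == dependency:
            raise ValueError("PROTOCOL_ERROR: invalid PRIORITY stream or dependency")
        self._ensure(sid)
        self._ensure(dependency)
        if self._is_descendant(dependency, sid):   # section 5.3.3: lift the new parent out first
            self._move(dependency, self.parent[sid])
        self._move(sid, dependency)
        if exclusive:                              # former siblings become children of sid
            for sibling in list(self.children[dependency]):
                if sibling != sid:
                    self._move(sibling, sid)
        self.weight[sid] = weight

class PriorityBudget:
    """Assumed heuristic (not any vendor's exact fix): cap PRIORITY frames between HEADERS/DATA frames."""
    def __init__(self, limit):
        self.limit, self.used = limit, 0
    def admit(self, ftype):
        # HEADERS/DATA mean real request progress and refill the budget; PRIORITY spends one unit.
        self.used = 0 if ftype in (DATA_FRAME, HEADERS_FRAME) else self.used + (ftype == PRIORITY_FRAME)
        return self.used <= self.limit

def churn_attack(n_streams, rounds):
    """Constructed attacker stream: chain n streams, then rotate the chain (head depends on tail)."""
    chain = [2 * i + 1 for i in range(n_streams)]            # client-initiated stream ids are odd
    frames = [build_priority_frame(s, p) for s, p in zip(chain, [0] + chain)]
    for _ in range(rounds):                                    # each 14-byte frame forces a full-depth walk
        frames.append(build_priority_frame(chain[0], chain[-1]))
        chain.insert(0, chain.pop())                           # the tail is now the head
    return b"".join(frames)

def serve(buf, budget_limit=None):
    """Process one connection's frames; returns (verdict, tree_work, priority_frames_applied)."""
    tree, applied = PriorityTree(), 0
    budget = PriorityBudget(budget_limit) if budget_limit is not None else None
    for ftype, _flags, sid, payload in parse_frames(buf):
        if budget is not None and not budget.admit(ftype):
            return "GOAWAY ENHANCE_YOUR_CALM", tree.work, applied
        if ftype == PRIORITY_FRAME:
            exclusive, dep, weight = parse_priority_payload(payload)
            tree.reprioritize(sid, dep, weight, exclusive)
            applied += 1
    return "ok", tree.work, applied
```

Calling `serve(churn_attack(50, 1000))` runs 1050 frames (about 15 KB from the client) through roughly 53,000 tree operations, because every rotation frame makes the server walk the whole 50-deep chain before it can legally reparent; `serve(churn_attack(50, 1000), budget_limit=100)` instead returns the GOAWAY verdict after 100 PRIORITY frames arrive with no HEADERS or DATA in between. The budget is a ratio check, not a fixed ceiling: a real client that reprioritises a few streams per request never trips it.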
CVSS Scores
SSVC
- Decision: -
Timeline
- 2019-03-01 CVE Reserved
- 2019-08-13 CVE Published
- 2024-08-04 CVE Updated
- 2025-03-30 EPSS Updated
- Exploited in Wild: -
- KEV Due Date: -
- First Exploit: -
CWE
- CWE-400: Uncontrolled Resource Consumption
CAPEC
References (44)
URL | Tag
---|---
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md | Third Party Advisory
https://kb.cert.org/vuls/id/605641 | Third Party Advisory
https://kc.mcafee.com/corporate/index?page=content&id=SB10296 | Third Party Advisory
https://seclists.org/bugtraq/2019/Aug/40 | Mailing List
https://seclists.org/bugtraq/2019/Sep/1 | Mailing List
https://security.netapp.com/advisory/ntap-20190823-0002 | Third Party Advisory
https://security.netapp.com/advisory/ntap-20190823-0005 | Third Party Advisory
https://support.f5.com/csp/article/K02591030 | Third Party Advisory
https://support.f5.com/csp/article/K02591030?utm_source=f5support&%3Butm_medium=RSS | X_refsource_confirm
https://www.oracle.com/security-alerts/cpujan2021.html | Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html | Third Party Advisory
https://www.synology.com/security/advisory/Synology_SA_19_33 | Third Party Advisory
Affected Vendors, Products, and Versions
Rows with a Platform entry are the affected product when running on that platform (the source page listed the platform as a separate "Safe" row).

Vendor | Product | Version | Other | Platform (running on) | Status
---|---|---|---|---|---
Apple | Swiftnio | >= 1.0.0 <= 1.4.0 | - | Apple Mac Os X >= 10.12 | Affected
Apple | Swiftnio | >= 1.0.0 <= 1.4.0 | - | Canonical Ubuntu Linux >= 14.04 | Affected
Synology | Vs960hd Firmware | - | - | Synology Vs960hd | Affected
Apache | Traffic Server | >= 6.0.0 <= 6.2.3 | - | - | Affected
Apache | Traffic Server | >= 7.0.0 <= 7.1.6 | - | - | Affected
Apache | Traffic Server | >= 8.0.0 <= 8.0.3 | - | - | Affected
Canonical | Ubuntu Linux | 16.04 | lts | - | Affected
Canonical | Ubuntu Linux | 18.04 | lts | - | Affected
Canonical | Ubuntu Linux | 19.04 | - | - | Affected
Debian | Debian Linux | 9.0 | - | - | Affected
Debian | Debian Linux | 10.0 | - | - | Affected
Fedoraproject | Fedora | 29 | - | - | Affected
Fedoraproject | Fedora | 30 | - | - | Affected
Opensuse | Leap | 15.0 | - | - | Affected
Opensuse | Leap | 15.1 | - | - | Affected
Synology | Diskstation Manager | 6.2 | - | - | Affected
Synology | Skynas | - | - | - | Affected
Redhat | Jboss Core Services | 1.0 | - | - | Affected
Redhat | Jboss Enterprise Application Platform | 7.2.0 | - | - | Affected
Redhat | Jboss Enterprise Application Platform | 7.3.0 | - | - | Affected
Redhat | Openshift Service Mesh | 1.0 | - | - | Affected
Redhat | Quay | 3.0.0 | - | - | Affected
Redhat | Software Collections | 1.0 | - | - | Affected
Redhat | Enterprise Linux | 8.0 | - | - | Affected
Oracle | Graalvm | 19.2.0 | enterprise | - | Affected
Oracle | Enterprise Communications Broker | 3.1.0 | - | - | Affected
Oracle | Enterprise Communications Broker | 3.2.0 | - | - | Affected
Mcafee | Web Gateway | >= 7.7.2.0 < 7.7.2.24 | - | - | Affected
Mcafee | Web Gateway | >= 7.8.2.0 < 7.8.2.13 | - | - | Affected
Mcafee | Web Gateway | >= 8.1.0 < 8.2.0 | - | - | Affected
F5 | Nginx | >= 1.9.5 < 1.16.1 | - | - | Affected
F5 | Nginx | >= 1.17.0 <= 1.17.2 | - | - | Affected
Nodejs | Node.js | >= 8.0.0 <= 8.8.1 | - | - | Affected
Nodejs | Node.js | >= 8.9.0 < 8.16.1 | lts | - | Affected
Nodejs | Node.js | >= 10.0.0 <= 10.12.0 | - | - | Affected
Nodejs | Node.js | >= 10.13.0 < 10.16.3 | lts | - | Affected
Nodejs | Node.js | >= 12.0.0 < 12.8.1 | - | - | Affected