// For flags

CVE-2019-9515

Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

2.7%
*EPSS

Affected Versions

42
*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

Algunas implementaciones de HTTP / 2 son vulnerables a una inundación de configuraciones, lo que puede conducir a una denegación de servicio. El atacante envía una secuencia de marcos de CONFIGURACIÓN al par. Como el RFC requiere que el igual responda con un acuse de recibo por cuadro de CONFIGURACIÓN, un cuadro de CONFIGURACIÓN vacío es casi equivalente en comportamiento a un ping. Dependiendo de cuán eficientemente se pongan en cola estos datos, esto puede consumir un exceso de CPU, memoria o ambos.

A flaw was found in HTTP/2. Using SETTINGS frames and queuing of SETTINGS ACK frames, a flood could occur resulting in unbounded memory growth. The highest threat from this vulnerability is to system availability.

Red Hat Decision Manager is an open source decision management platform that combines business rules management, complex event processing, Decision Model & Notation execution, and Business Optimizer for solving planning problems. It automates business decisions and makes that logic available to the entire business. This release of Red Hat Decision Manager 7.8.0 serves as an update to Red Hat Decision Manager 7.7.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include HTTP request smuggling and cross site scripting vulnerabilities.

*Credits: Thanks to Jonathan Looney of Netflix for reporting this vulnerability.
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
None
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2019-03-01 CVE Reserved
  • 2019-08-13 CVE Published
  • 2024-08-04 CVE Updated
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-400: Uncontrolled Resource Consumption
  • CWE-770: Allocation of Resources Without Limits or Throttling
CAPEC
References (40)
URL Date SRC
URL Date SRC
Affected Vendors, Products, and Versions (42)