// For flags

CVE-2019-9516

Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service

Severity Score

6.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory.

Algunas implementaciones de HTTP / 2 son vulnerables a una fuga de encabezado, lo que puede conducir a una denegación de servicio. El atacante envía una secuencia de encabezados con un nombre de encabezado de longitud 0 y un valor de encabezado de longitud 0, opcionalmente Huffman codificado en encabezados de 1 byte o más. Algunas implementaciones asignan memoria para estos encabezados y mantienen viva la asignación hasta que la sesión muere. Esto puede consumir un exceso de memoria.

A flaw was found in HTTP/2. An attacker, sending a stream of header with a 0-length header name and a 0-length header value, could cause some implementations to allocate memory for these headers and keep the allocations alive until the session dies. The can consume excess memory, potentially leading to a denial of service. The highest threat from this vulnerability is to system availability.

*Credits: Thanks to Jonathan Looney of Netflix for reporting this vulnerability.
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
None
Integrity
None
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2019-03-01 CVE Reserved
  • 2019-08-13 CVE Published
  • 2024-08-04 CVE Updated
  • 2024-08-06 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-400: Uncontrolled Resource Consumption
  • CWE-770: Allocation of Resources Without Limits or Throttling
CAPEC
References (39)
URL Date SRC
URL Date SRC
URL Date SRC
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html 2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html 2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html 2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00014.html 2023-11-07
https://access.redhat.com/errata/RHSA-2019:2745 2023-11-07
https://access.redhat.com/errata/RHSA-2019:2746 2023-11-07
https://access.redhat.com/errata/RHSA-2019:2775 2023-11-07
https://access.redhat.com/errata/RHSA-2019:2799 2023-11-07
https://access.redhat.com/errata/RHSA-2019:2925 2023-11-07
https://access.redhat.com/errata/RHSA-2019:2939 2023-11-07
https://access.redhat.com/errata/RHSA-2019:2946 2023-11-07
https://access.redhat.com/errata/RHSA-2019:2950 2023-11-07
https://access.redhat.com/errata/RHSA-2019:2955 2023-11-07
https://access.redhat.com/errata/RHSA-2019:2966 2023-11-07
https://access.redhat.com/errata/RHSA-2019:3932 2023-11-07
https://access.redhat.com/errata/RHSA-2019:3933 2023-11-07
https://access.redhat.com/errata/RHSA-2019:3935 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/POPAEC4FWL4UU4LDEGPY5NPALU24FFQD 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD 2023-11-07
https://usn.ubuntu.com/4099-1 2023-11-07
https://www.debian.org/security/2019/dsa-4505 2023-11-07
https://access.redhat.com/security/cve/CVE-2019-9516 2020-04-14
https://bugzilla.redhat.com/show_bug.cgi?id=1741864 2020-04-14
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Apple
Search vendor "Apple"
Swiftnio
Search vendor "Apple" for product "Swiftnio"
>= 1.0.0 <= 1.4.0
Search vendor "Apple" for product "Swiftnio" and version " >= 1.0.0 <= 1.4.0"
-
Affected
in Apple
Search vendor "Apple"
Mac Os X
Search vendor "Apple" for product "Mac Os X"
>= 10.12
Search vendor "Apple" for product "Mac Os X" and version " >= 10.12"
-
Safe
Apple
Search vendor "Apple"
Swiftnio
Search vendor "Apple" for product "Swiftnio"
>= 1.0.0 <= 1.4.0
Search vendor "Apple" for product "Swiftnio" and version " >= 1.0.0 <= 1.4.0"
-
Affected
in Canonical
Search vendor "Canonical"
Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
>= 14.04
Search vendor "Canonical" for product "Ubuntu Linux" and version " >= 14.04"
-
Safe
Synology
Search vendor "Synology"
Vs960hd Firmware
Search vendor "Synology" for product "Vs960hd Firmware"
--
Affected
in Synology
Search vendor "Synology"
Vs960hd
Search vendor "Synology" for product "Vs960hd"
--
Safe
Apache
Search vendor "Apache"
Traffic Server
Search vendor "Apache" for product "Traffic Server"
>= 6.0.0 <= 6.2.3
Search vendor "Apache" for product "Traffic Server" and version " >= 6.0.0 <= 6.2.3"
-
Affected
Apache
Search vendor "Apache"
Traffic Server
Search vendor "Apache" for product "Traffic Server"
>= 7.0.0 <= 7.1.6
Search vendor "Apache" for product "Traffic Server" and version " >= 7.0.0 <= 7.1.6"
-
Affected
Apache
Search vendor "Apache"
Traffic Server
Search vendor "Apache" for product "Traffic Server"
>= 8.0.0 <= 8.0.3
Search vendor "Apache" for product "Traffic Server" and version " >= 8.0.0 <= 8.0.3"
-
Affected
Canonical
Search vendor "Canonical"
Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
16.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"
lts
Affected
Canonical
Search vendor "Canonical"
Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
18.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04"
lts
Affected
Canonical
Search vendor "Canonical"
Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
19.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "19.04"
-
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
9.0
Search vendor "Debian" for product "Debian Linux" and version "9.0"
-
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
10.0
Search vendor "Debian" for product "Debian Linux" and version "10.0"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
30
Search vendor "Fedoraproject" for product "Fedora" and version "30"
-
Affected
Synology
Search vendor "Synology"
Diskstation Manager
Search vendor "Synology" for product "Diskstation Manager"
6.2
Search vendor "Synology" for product "Diskstation Manager" and version "6.2"
-
Affected
Synology
Search vendor "Synology"
Skynas
Search vendor "Synology" for product "Skynas"
--
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
9.0
Search vendor "Debian" for product "Debian Linux" and version "9.0"
-
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
10.0
Search vendor "Debian" for product "Debian Linux" and version "10.0"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
29
Search vendor "Fedoraproject" for product "Fedora" and version "29"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
30
Search vendor "Fedoraproject" for product "Fedora" and version "30"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
32
Search vendor "Fedoraproject" for product "Fedora" and version "32"
-
Affected
Opensuse
Search vendor "Opensuse"
Leap
Search vendor "Opensuse" for product "Leap"
15.0
Search vendor "Opensuse" for product "Leap" and version "15.0"
-
Affected
Opensuse
Search vendor "Opensuse"
Leap
Search vendor "Opensuse" for product "Leap"
15.1
Search vendor "Opensuse" for product "Leap" and version "15.1"
-
Affected
Redhat
Search vendor "Redhat"
Jboss Core Services
Search vendor "Redhat" for product "Jboss Core Services"
1.0
Search vendor "Redhat" for product "Jboss Core Services" and version "1.0"
-
Affected
Redhat
Search vendor "Redhat"
Jboss Enterprise Application Platform
Search vendor "Redhat" for product "Jboss Enterprise Application Platform"
7.2.0
Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.2.0"
-
Affected
Redhat
Search vendor "Redhat"
Jboss Enterprise Application Platform
Search vendor "Redhat" for product "Jboss Enterprise Application Platform"
7.3.0
Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.3.0"
-
Affected
Redhat
Search vendor "Redhat"
Openshift Service Mesh
Search vendor "Redhat" for product "Openshift Service Mesh"
1.0
Search vendor "Redhat" for product "Openshift Service Mesh" and version "1.0"
-
Affected
Redhat
Search vendor "Redhat"
Quay
Search vendor "Redhat" for product "Quay"
3.0.0
Search vendor "Redhat" for product "Quay" and version "3.0.0"
-
Affected
Redhat
Search vendor "Redhat"
Software Collections
Search vendor "Redhat" for product "Software Collections"
1.0
Search vendor "Redhat" for product "Software Collections" and version "1.0"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux
Search vendor "Redhat" for product "Enterprise Linux"
8.0
Search vendor "Redhat" for product "Enterprise Linux" and version "8.0"
-
Affected
Oracle
Search vendor "Oracle"
Graalvm
Search vendor "Oracle" for product "Graalvm"
19.2.0
Search vendor "Oracle" for product "Graalvm" and version "19.2.0"
enterprise
Affected
Mcafee
Search vendor "Mcafee"
Web Gateway
Search vendor "Mcafee" for product "Web Gateway"
>= 7.7.2.0 < 7.7.2.24
Search vendor "Mcafee" for product "Web Gateway" and version " >= 7.7.2.0 < 7.7.2.24"
-
Affected
Mcafee
Search vendor "Mcafee"
Web Gateway
Search vendor "Mcafee" for product "Web Gateway"
>= 7.8.2.0 < 7.8.2.13
Search vendor "Mcafee" for product "Web Gateway" and version " >= 7.8.2.0 < 7.8.2.13"
-
Affected
Mcafee
Search vendor "Mcafee"
Web Gateway
Search vendor "Mcafee" for product "Web Gateway"
>= 8.1.0 < 8.2.0
Search vendor "Mcafee" for product "Web Gateway" and version " >= 8.1.0 < 8.2.0"
-
Affected
F5
Search vendor "F5"
Nginx
Search vendor "F5" for product "Nginx"
>= 1.9.5 < 1.16.1
Search vendor "F5" for product "Nginx" and version " >= 1.9.5 < 1.16.1"
-
Affected
F5
Search vendor "F5"
Nginx
Search vendor "F5" for product "Nginx"
>= 1.17.0 <= 1.17.2
Search vendor "F5" for product "Nginx" and version " >= 1.17.0 <= 1.17.2"
-
Affected
Nodejs
Search vendor "Nodejs"
Node.js
Search vendor "Nodejs" for product "Node.js"
>= 8.0.0 < 8.16.1
Search vendor "Nodejs" for product "Node.js" and version " >= 8.0.0 < 8.16.1"
lts
Affected
Nodejs
Search vendor "Nodejs"
Node.js
Search vendor "Nodejs" for product "Node.js"
>= 10.0.0 < 10.16.3
Search vendor "Nodejs" for product "Node.js" and version " >= 10.0.0 < 10.16.3"
lts
Affected
Nodejs
Search vendor "Nodejs"
Node.js
Search vendor "Nodejs" for product "Node.js"
>= 12.0.0 < 12.8.1
Search vendor "Nodejs" for product "Node.js" and version " >= 12.0.0 < 12.8.1"
-
Affected