CVE-2019-9518
Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service
Severity Score
7.5
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU.
Algunas implementaciones de HTTP / 2 son vulnerables a una avalancha de tramas vacías, lo que puede conducir a una denegación de servicio. El atacante envía una secuencia de tramas con una carga útil vacía y sin el indicador de fin de secuencia. Estos marcos pueden ser DATA, HEADERS, CONTINUATION y / o PUSH_PROMISE. El par pasa tiempo procesando cada cuadro desproporcionado para atacar el ancho de banda. Esto puede consumir un exceso de CPU.
A flaw was found in HTTP/2. Using frames with an empty payload, a flood could occur that results in excessive CPU usage and starvation of other clients. The highest threat from this vulnerability is to system availability.
*Credits:
Thanks to Piotr Sikora of Google for reporting this vulnerability.
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2019-03-01 CVE Reserved
- 2019-08-13 CVE Published
- 2024-08-04 CVE Updated
- 2024-08-06 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-400: Uncontrolled Resource Consumption
- CWE-770: Allocation of Resources Without Limits or Throttling
CAPEC
References (29)
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apple Search vendor "Apple" | Swiftnio Search vendor "Apple" for product "Swiftnio" | >= 1.0.0 <= 1.4.0 Search vendor "Apple" for product "Swiftnio" and version " >= 1.0.0 <= 1.4.0" | - |
Affected
| in | Apple Search vendor "Apple" | Mac Os X Search vendor "Apple" for product "Mac Os X" | >= 10.12 Search vendor "Apple" for product "Mac Os X" and version " >= 10.12" | - |
Safe
|
| Apple Search vendor "Apple" | Swiftnio Search vendor "Apple" for product "Swiftnio" | >= 1.0.0 <= 1.4.0 Search vendor "Apple" for product "Swiftnio" and version " >= 1.0.0 <= 1.4.0" | - |
Affected
| in | Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | >= 14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version " >= 14.04" | - |
Safe
|
| Synology Search vendor "Synology" | Vs960hd Firmware Search vendor "Synology" for product "Vs960hd Firmware" | - | - |
Affected
| in | Synology Search vendor "Synology" | Vs960hd Search vendor "Synology" for product "Vs960hd" | - | - |
Safe
|
| Apache Search vendor "Apache" | Traffic Server Search vendor "Apache" for product "Traffic Server" | >= 6.0.0 <= 6.2.3 Search vendor "Apache" for product "Traffic Server" and version " >= 6.0.0 <= 6.2.3" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Traffic Server Search vendor "Apache" for product "Traffic Server" | >= 7.0.0 <= 7.1.6 Search vendor "Apache" for product "Traffic Server" and version " >= 7.0.0 <= 7.1.6" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Traffic Server Search vendor "Apache" for product "Traffic Server" | >= 8.0.0 <= 8.0.3 Search vendor "Apache" for product "Traffic Server" and version " >= 8.0.0 <= 8.0.3" | - |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04" | lts |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 18.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04" | lts |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 19.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "19.04" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||
| Synology Search vendor "Synology" | Diskstation Manager Search vendor "Synology" for product "Diskstation Manager" | 6.2 Search vendor "Synology" for product "Diskstation Manager" and version "6.2" | - |
Affected
| ||||||
| Synology Search vendor "Synology" | Skynas Search vendor "Synology" for product "Skynas" | - | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 29 Search vendor "Fedoraproject" for product "Fedora" and version "29" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 30 Search vendor "Fedoraproject" for product "Fedora" and version "30" | - |
Affected
| ||||||
| Opensuse Search vendor "Opensuse" | Leap Search vendor "Opensuse" for product "Leap" | 15.0 Search vendor "Opensuse" for product "Leap" and version "15.0" | - |
Affected
| ||||||
| Opensuse Search vendor "Opensuse" | Leap Search vendor "Opensuse" for product "Leap" | 15.1 Search vendor "Opensuse" for product "Leap" and version "15.1" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Core Services Search vendor "Redhat" for product "Jboss Core Services" | 1.0 Search vendor "Redhat" for product "Jboss Core Services" and version "1.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 7.2.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.2.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 7.3.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.3.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openshift Service Mesh Search vendor "Redhat" for product "Openshift Service Mesh" | 1.0 Search vendor "Redhat" for product "Openshift Service Mesh" and version "1.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Quay Search vendor "Redhat" for product "Quay" | 3.0.0 Search vendor "Redhat" for product "Quay" and version "3.0.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Software Collections Search vendor "Redhat" for product "Software Collections" | 1.0 Search vendor "Redhat" for product "Software Collections" and version "1.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Graalvm Search vendor "Oracle" for product "Graalvm" | 19.2.0 Search vendor "Oracle" for product "Graalvm" and version "19.2.0" | enterprise |
Affected
| ||||||
| Mcafee Search vendor "Mcafee" | Web Gateway Search vendor "Mcafee" for product "Web Gateway" | >= 7.7.2.0 < 7.7.2.24 Search vendor "Mcafee" for product "Web Gateway" and version " >= 7.7.2.0 < 7.7.2.24" | - |
Affected
| ||||||
| Mcafee Search vendor "Mcafee" | Web Gateway Search vendor "Mcafee" for product "Web Gateway" | >= 7.8.2.0 < 7.8.2.13 Search vendor "Mcafee" for product "Web Gateway" and version " >= 7.8.2.0 < 7.8.2.13" | - |
Affected
| ||||||
| Mcafee Search vendor "Mcafee" | Web Gateway Search vendor "Mcafee" for product "Web Gateway" | >= 8.1.0 < 8.2.0 Search vendor "Mcafee" for product "Web Gateway" and version " >= 8.1.0 < 8.2.0" | - |
Affected
| ||||||
| Nodejs Search vendor "Nodejs" | Node.js Search vendor "Nodejs" for product "Node.js" | >= 8.0.0 <= 8.8.1 Search vendor "Nodejs" for product "Node.js" and version " >= 8.0.0 <= 8.8.1" | - |
Affected
| ||||||
| Nodejs Search vendor "Nodejs" | Node.js Search vendor "Nodejs" for product "Node.js" | >= 8.9.0 < 8.16.1 Search vendor "Nodejs" for product "Node.js" and version " >= 8.9.0 < 8.16.1" | lts |
Affected
| ||||||
| Nodejs Search vendor "Nodejs" | Node.js Search vendor "Nodejs" for product "Node.js" | >= 10.0.0 <= 10.12.0 Search vendor "Nodejs" for product "Node.js" and version " >= 10.0.0 <= 10.12.0" | - |
Affected
| ||||||
| Nodejs Search vendor "Nodejs" | Node.js Search vendor "Nodejs" for product "Node.js" | >= 10.13.0 < 10.16.3 Search vendor "Nodejs" for product "Node.js" and version " >= 10.13.0 < 10.16.3" | lts |
Affected
| ||||||
| Nodejs Search vendor "Nodejs" | Node.js Search vendor "Nodejs" for product "Node.js" | >= 12.0.0 < 12.8.1 Search vendor "Nodejs" for product "Node.js" and version " >= 12.0.0 < 12.8.1" | - |
Affected
| ||||||