CVE-2019-9513

EPSS 4.36%
Published 13.08.2019 21:15:12
Last modified 14.01.2025 19:29:55
Source cret@cert.org
Teams watchlist Login
Open Login

Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.

Affected products Warnungen 0 Metrics 4 CWE 1 References 45

Data is provided by the National Vulnerability Database (NVD)

Apple ≫ Swiftnio Version >= 1.0.0 <= 1.4.0

Apple ≫ macOS X Version >= 10.12
Canonical ≫ Ubuntu Linux Version >= 14.04

Apache ≫ Traffic Server Version >= 6.0.0 <= 6.2.3

Apache ≫ Traffic Server Version >= 7.0.0 <= 7.1.6

Apache ≫ Traffic Server Version >= 8.0.0 <= 8.0.3

Canonical ≫ Ubuntu Linux Version16.04 SwEditionlts

Canonical ≫ Ubuntu Linux Version18.04 SwEditionlts

Canonical ≫ Ubuntu Linux Version19.04

Debian ≫ Debian Linux Version9.0

Debian ≫ Debian Linux Version10.0

Fedoraproject ≫ Fedora Version30

Synology ≫ Skynas Version-

Synology ≫ Diskstation Manager Version6.2

Synology ≫ Vs960hd Firmware Version-

Synology ≫ Vs960hd Version-

Debian ≫ Debian Linux Version9.0

Debian ≫ Debian Linux Version10.0

Fedoraproject ≫ Fedora Version29

Fedoraproject ≫ Fedora Version30

Opensuse ≫ Leap Version15.0

Opensuse ≫ Leap Version15.1

Redhat ≫ Jboss Core Services Version1.0

Redhat ≫ Jboss Enterprise Application Platform Version7.2.0

Redhat ≫ Jboss Enterprise Application Platform Version7.3.0

Redhat ≫ Openshift Service Mesh Version1.0

Redhat ≫ Quay Version3.0.0

Redhat ≫ Software Collections Version1.0

Redhat ≫ Enterprise Linux Version8.0

Oracle ≫ Graalvm Version19.2.0 SwEditionenterprise

Mcafee ≫ Web Gateway Version >= 7.7.2.0 < 7.7.2.24

Mcafee ≫ Web Gateway Version >= 7.8.2.0 < 7.8.2.13

Mcafee ≫ Web Gateway Version >= 8.1.0 < 8.2.0

F5 ≫ Nginx Version >= 1.9.5 < 1.16.1

F5 ≫ Nginx Version >= 1.17.0 <= 1.17.2

Oracle ≫ Enterprise Communications Broker Version3.1.0

Oracle ≫ Enterprise Communications Broker Version3.2.0

Nodejs ≫ Node.Js SwEdition- Version >= 8.0.0 <= 8.8.1

Nodejs ≫ Node.Js SwEditionlts Version >= 8.9.0 < 8.16.1

Nodejs ≫ Node.Js SwEdition- Version >= 10.0.0 <= 10.12.0

Nodejs ≫ Node.Js SwEditionlts Version >= 10.13.0 < 10.16.3

Nodejs ≫ Node.Js SwEdition- Version >= 12.0.0 < 12.8.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	4.36%	0.885

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov	7.8	10	6.9	AV:N/AC:L/Au:N/C:N/I:N/A:C
cret@cert.org	7.5	3.9	3.6	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

https://www.oracle.com/security-alerts/cpujan2021.html

Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2020.html

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:3932

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:3933

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:3935

Third Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html

Third Party Advisory