Allocation of Resources Without Limits or Throttling
Affecting nginx package, versions <1.10.3-1+deb9u3
Overview
Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory.
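The affected range given at the top of this page is a Debian package version, and such versions do not sort correctly as plain strings. The following added example (not part of the advisory; the function names, hostnames and inventory are constructed for illustration) implements Debian's version ordering and checks installed nginx versions against the fixed version 1.10.3-1+deb9u3.

```python
import re
from itertools import zip_longest

# First fixed nginx package version for Debian 9, as stated in this advisory.
FIXED = "1.10.3-1+deb9u3"

def _order(c):
    """dpkg sort weight: '~' < end of string (0) < letters < other characters."""
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    """Compare two upstream versions or two Debian revisions as dpkg does."""
    pairs_a = re.findall(r"(\D*)(\d*)", a)  # alternating text / number runs
    pairs_b = re.findall(r"(\D*)(\d*)", b)
    for (ta, na), (tb, nb) in zip_longest(pairs_a, pairs_b, fillvalue=("", "")):
        width = max(len(ta), len(tb))
        wa = [_order(c) for c in ta] + [0] * (width - len(ta))
        wb = [_order(c) for c in tb] + [0] * (width - len(tb))
        # Text run decides first; number runs compare numerically (u10 > u3).
        key_a, key_b = (wa, int(na or 0)), (wb, int(nb or 0))
        if key_a != key_b:
            return -1 if key_a < key_b else 1
    return 0

def _split(version):
    """Split [epoch:]upstream[-revision]; a missing revision counts as 0."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, "0"
    return int(epoch), upstream, revision

def compare(a, b):
    """Return -1, 0 or 1 as version a sorts before, equal to or after b."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def is_affected(installed, fixed=FIXED):
    return compare(installed.strip(), fixed) < 0

# Constructed inventory: hostnames and installed versions are made up.
INVENTORY = {"web-a": "1.10.3-1+deb9u2", "web-b": "1.10.3-1+deb9u3",
             "web-c": "1.10.3-1+deb9u10", "web-d": "1.9.10-1"}
def affected_hosts(inventory=INVENTORY):
    return sorted(h for h, v in inventory.items() if is_affected(v))
```

A plain string comparison would get two of these wrong: it ranks `deb9u10` below `deb9u3` and `1.9.10` above `1.10.3`.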
CVSS Score
6.5 (medium severity)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality: None
- Integrity: None
- Availability: High
- CVE: CVE-2019-9516
- CWE: CWE-400, CWE-770
- Snyk ID: SNYK-DEBIAN9-NGINX-459560
- Disclosed: 13 Aug, 2019
- Published: 13 Aug, 2019