Allocation of Resources Without Limits or Throttling
Affecting nginx package, versions <1.10.3-1+deb9u3
Report new vulnerabilities
Do your applications use this vulnerable package?
Test your applications
Overview
Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
References
- ADVISORY
- BUGTRAQ
- Bugtraq Mailing List
- CERT-VN
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- DEBIAN
- DEBIAN
- Debian Security Advisory
- Debian Security Tracker
- FEDORA
- Fedora Security Update
- Fedora Security Update
- Fedora Security Update
- Fedora Security Update
- Fedora Security Update
- MISC
- MISC
- MISC
- MISC
- Netapp Security Advisory
- Netapp Security Advisory
- REDHAT
- REDHAT
- REDHAT
- REDHAT
- REDHAT
- REDHAT
- REDHAT
- REDHAT
- REDHAT
- REDHAT
- REDHAT
- REDHAT
- REDHAT
- REDHAT
- REDHAT
- REDHAT
- REDHAT
- REDHAT
- SUSE
- SUSE
- SUSE
- SUSE
- SUSE
- SUSE
- Ubuntu CVE Tracker
- Ubuntu Security Advisory
CVSS Score
7.5
high severity
-
Attack VectorNetwork
-
Attack ComplexityLow
-
Privileges RequiredNone
-
User InteractionNone
-
ScopeUnchanged
-
ConfidentialityNone
-
IntegrityNone
-
AvailabilityHigh
- CVE
- CVE-2019-9511
- CWE
- CWE-400 CWE-770
- Snyk ID
- SNYK-DEBIAN9-NGINX-459584
- Disclosed
- 13 Aug, 2019
- Published
- 13 Aug, 2019