CVE-2019-0197
11.06.2019, 22:29
A vulnerability was found in Apache HTTP Server 2.4.34 to 2.4.38. When HTTP/2 was enabled for an http: host or H2Upgrade was enabled for h2 on an https: host, an Upgrade request from http/1.1 to http/2 that was not the first request on a connection could lead to a misconfiguration and crash. Servers that never enabled the h2 protocol, or that only enabled it for https: and did not set "H2Upgrade on", are unaffected by this issue.
| Vendor | Product | Version |
|---|---|---|
| apache | http_server | 2.4.34 ≤ 𝑥 ≤ 2.4.38 |
| canonical | ubuntu_linux | 16.04 |
| canonical | ubuntu_linux | 18.04 |
| canonical | ubuntu_linux | 19.04 |
| opensuse | leap | 15.0 |
| opensuse | leap | 42.3 |
| redhat | jboss_core_services | 1.0 |
| oracle | communications_session_report_manager | 8.0.0 |
| oracle | communications_session_report_manager | 8.1.0 |
| oracle | communications_session_report_manager | 8.1.1 |
| oracle | communications_session_report_manager | 8.2.0 |
| oracle | communications_session_route_manager | 8.0.0 |
| oracle | communications_session_route_manager | 8.1.0 |
| oracle | communications_session_route_manager | 8.1.1 |
| oracle | communications_session_route_manager | 8.2.0 |
| oracle | enterprise_manager_ops_center | 12.3.3 |
| oracle | enterprise_manager_ops_center | 12.4.0 |
| oracle | http_server | 12.2.1.3.0 |
| oracle | instantis_enterprisetrack | 17.1 |
| oracle | instantis_enterprisetrack | 17.2 |
| oracle | instantis_enterprisetrack | 17.3 |
| oracle | retail_xstore_point_of_service | 7.0 |
| oracle | retail_xstore_point_of_service | 7.1 |
𝑥 = Vulnerable software versions