CVE-2019-9511

EUVD-2019-18885
Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
certccCNA
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 94%
Affected Products (NVD)
VendorProductVersion
appleswiftnio
1.0.0 ≤
𝑥
≤ 1.4.0
apachetraffic_server
6.0.0 ≤
𝑥
≤ 6.2.3
apachetraffic_server
7.0.0 ≤
𝑥
≤ 7.1.6
apachetraffic_server
8.0.0 ≤
𝑥
≤ 8.0.3
canonicalubuntu_linux
16.04
canonicalubuntu_linux
18.04
canonicalubuntu_linux
19.04
debiandebian_linux
9.0
debiandebian_linux
10.0
synologyskynas
-
synologydiskstation_manager
6.2
synologyvs960hd_firmware
-
opensuseleap
15.0
opensuseleap
15.1
redhatjboss_core_services
1.0
redhatjboss_enterprise_application_platform
7.2.0
redhatjboss_enterprise_application_platform
7.3.0
redhatopenshift_service_mesh
1.0
redhatquay
3.0.0
redhatsoftware_collections
1.0
redhatenterprise_linux
8.0
oraclegraalvm
19.2.0
mcafeeweb_gateway
7.7.2.0 ≤
𝑥
< 7.7.2.24
mcafeeweb_gateway
7.8.2.0 ≤
𝑥
< 7.8.2.13
mcafeeweb_gateway
8.1.0 ≤
𝑥
< 8.2.0
f5nginx
1.9.5 ≤
𝑥
< 1.16.1
f5nginx
1.17.0 ≤
𝑥
≤ 1.17.2
oracleenterprise_communications_broker
3.1.0
oracleenterprise_communications_broker
3.2.0
nodejsnode.js
8.0.0 ≤
𝑥
≤ 8.8.1
nodejsnode.js
8.9.0 ≤
𝑥
< 8.16.1
nodejsnode.js
10.0.0 ≤
𝑥
≤ 10.12.0
nodejsnode.js
10.13.0 ≤
𝑥
< 10.16.3
nodejsnode.js
12.0.0 ≤
𝑥
< 12.8.1
𝑥
= Vulnerable software versions
Windows Releases
Platform
Version
Windows 10
(x64, x86)
KB4512497
1607 (x64, x86)
KB4512517
1703 (x64, x86)
KB4512507
1709 (arm64, x64, x86)
KB4512516
1803 (arm64, x64, x86)
KB4512501
1809 (arm64, x64, x86)
KB4511553
1903 (arm64, x64, x86)
KB4512508
Windows Server
1803 Server Core
KB4512501
1903 Server Core
KB4512508
Windows Server 2016
Server Core
KB4512517
Standard
KB4512517
Windows Server 2019
Server Core
KB4511553
Standard
KB4511553
Debian logo
Debian Releases
Debian Product
Codename
nghttp2
bookworm
1.52.0-1+deb12u1
fixed
bookworm (security)
1.52.0-1+deb12u1
fixed
bullseye
1.43.0-1+deb11u1
fixed
bullseye (security)
1.43.0-1+deb11u2
fixed
jessie
not-affected
sid
1.64.0-1
fixed
stretch
not-affected
trixie
1.64.0-1
fixed
nginx
bookworm
1.22.1-9
fixed
bullseye
1.18.0-6.1+deb11u3
fixed
bullseye (security)
1.18.0-6.1+deb11u3
fixed
jessie
not-affected
sid
1.26.0-3
fixed
stretch
not-affected
trixie
1.26.0-3
fixed
nodejs
bookworm
18.19.0+dfsg-6~deb12u2
fixed
bookworm (security)
18.19.0+dfsg-6~deb12u1
fixed
bullseye
12.22.12~dfsg-1~deb11u4
fixed
bullseye (security)
12.22.12~dfsg-1~deb11u5
fixed
jessie
not-affected
sid
20.17.0+dfsg-2
fixed
stretch
not-affected
trixie
20.17.0+dfsg-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
nghttp2
bionic
Fixed 1.30.0-1ubuntu1+esm2
released
cosmic
ignored
disco
ignored
eoan
not-affected
focal
not-affected
groovy
not-affected
hirsute
not-affected
impish
not-affected
jammy
not-affected
kinetic
not-affected
lunar
not-affected
mantic
not-affected
noble
not-affected
trusty
dne
xenial
Fixed 1.7.1-1ubuntu0.1~esm2
released
nginx
bionic
Fixed 1.14.0-0ubuntu1.4
released
cosmic
ignored
disco
Fixed 1.15.9-0ubuntu1.1
released
eoan
Fixed 1.16.1-0ubuntu1
released
focal
Fixed 1.16.1-0ubuntu1
released
groovy
Fixed 1.16.1-0ubuntu1
released
hirsute
Fixed 1.16.1-0ubuntu1
released
impish
Fixed 1.16.1-0ubuntu1
released
jammy
Fixed 1.16.1-0ubuntu1
released
kinetic
Fixed 1.16.1-0ubuntu1
released
lunar
Fixed 1.16.1-0ubuntu1
released
mantic
Fixed 1.16.1-0ubuntu1
released
noble
Fixed 1.16.1-0ubuntu1
released
trusty
not-affected
xenial
Fixed 1.10.3-0ubuntu0.16.04.4
released
nodejs
bionic
ignored
focal
not-affected
groovy
ignored
hirsute
ignored
impish
ignored
jammy
not-affected
kinetic
ignored
lunar
not-affected
mantic
not-affected
noble
not-affected
trusty
ignored
xenial
ignored
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00003.html
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00005.html
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00014.html
https://access.redhat.com/errata/RHSA-2019:2692
https://access.redhat.com/errata/RHSA-2019:2745
https://access.redhat.com/errata/RHSA-2019:2746
https://access.redhat.com/errata/RHSA-2019:2775
https://access.redhat.com/errata/RHSA-2019:2799
https://access.redhat.com/errata/RHSA-2019:2925
https://access.redhat.com/errata/RHSA-2019:2939
https://access.redhat.com/errata/RHSA-2019:2949
https://access.redhat.com/errata/RHSA-2019:2955
https://access.redhat.com/errata/RHSA-2019:2966
https://access.redhat.com/errata/RHSA-2019:3041
https://access.redhat.com/errata/RHSA-2019:3932
https://access.redhat.com/errata/RHSA-2019:3933
https://access.redhat.com/errata/RHSA-2019:3935
https://access.redhat.com/errata/RHSA-2019:4018
https://access.redhat.com/errata/RHSA-2019:4019
https://access.redhat.com/errata/RHSA-2019:4020
https://access.redhat.com/errata/RHSA-2019:4021
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
https://kb.cert.org/vuls/id/605641/
https://kc.mcafee.com/corporate/index?page=content&id=SB10296
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JUBYAF6ED3O4XCHQ5C2HYENJLXYXZC4M/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZLUYPYY3RX4ZJDWZRJIKSULYRJ4PXW7/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/POPAEC4FWL4UU4LDEGPY5NPALU24FFQD/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/
https://seclists.org/bugtraq/2019/Aug/40
https://seclists.org/bugtraq/2019/Sep/1
https://security.netapp.com/advisory/ntap-20190823-0002/
https://security.netapp.com/advisory/ntap-20190823-0005/
https://support.f5.com/csp/article/K02591030
https://support.f5.com/csp/article/K02591030?utm_source=f5support&amp%3Butm_medium=RSS
https://usn.ubuntu.com/4099-1/
https://www.debian.org/security/2019/dsa-4505
https://www.debian.org/security/2019/dsa-4511
https://www.debian.org/security/2020/dsa-4669
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
https://www.synology.com/security/advisory/Synology_SA_19_33
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00003.html
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00005.html
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00014.html
https://access.redhat.com/errata/RHSA-2019:2692
https://access.redhat.com/errata/RHSA-2019:2745
https://access.redhat.com/errata/RHSA-2019:2746
https://access.redhat.com/errata/RHSA-2019:2775
https://access.redhat.com/errata/RHSA-2019:2799
https://access.redhat.com/errata/RHSA-2019:2925
https://access.redhat.com/errata/RHSA-2019:2939
https://access.redhat.com/errata/RHSA-2019:2949
https://access.redhat.com/errata/RHSA-2019:2955
https://access.redhat.com/errata/RHSA-2019:2966
https://access.redhat.com/errata/RHSA-2019:3041
https://access.redhat.com/errata/RHSA-2019:3932
https://access.redhat.com/errata/RHSA-2019:3933
https://access.redhat.com/errata/RHSA-2019:3935
https://access.redhat.com/errata/RHSA-2019:4018
https://access.redhat.com/errata/RHSA-2019:4019
https://access.redhat.com/errata/RHSA-2019:4020
https://access.redhat.com/errata/RHSA-2019:4021
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
https://kb.cert.org/vuls/id/605641/
https://kc.mcafee.com/corporate/index?page=content&id=SB10296
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JUBYAF6ED3O4XCHQ5C2HYENJLXYXZC4M/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZLUYPYY3RX4ZJDWZRJIKSULYRJ4PXW7/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/POPAEC4FWL4UU4LDEGPY5NPALU24FFQD/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/
https://seclists.org/bugtraq/2019/Aug/40
https://seclists.org/bugtraq/2019/Sep/1
https://security.netapp.com/advisory/ntap-20190823-0002/
https://security.netapp.com/advisory/ntap-20190823-0005/
https://support.f5.com/csp/article/K02591030
https://support.f5.com/csp/article/K02591030?utm_source=f5support&amp%3Butm_medium=RSS
https://usn.ubuntu.com/4099-1/
https://www.debian.org/security/2019/dsa-4505
https://www.debian.org/security/2019/dsa-4511
https://www.debian.org/security/2020/dsa-4669
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
https://www.synology.com/security/advisory/Synology_SA_19_33