Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-9513

Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.

Security Impact Summary

This vulnerability carries a HIGH severity rating with a CVSS v3.1 score of 7.5, indicating it can be exploited remotely over the network with relatively low complexity without requiring user interaction and does not require pre-existing privileges . The vulnerability impacts and availability (service disruption) for affected systems. Impacting 22 products from apple, from apple, from canonical and 19 others, organizations running these solutions should prioritize assessment and patching.

Historical Context

First disclosed in 2019, this vulnerability was reported during a period defined by widespread IoT adoption challenges, mobile security concerns, and the emergence of advanced persistent threat (APT) techniques. Contemporary mitigation strategies focused on secure development practices and third-party component vetting.

Published

2019-08-13T21:15:12.380

Last Modified

2025-01-14T19:29:55.853

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:N/I:N/A:C

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE

Exploitability Score

10.0

Impact Score

6.9

Weaknesses

Type: Secondary
CWE-400
Type: Primary
NVD-CWE-Other

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apple	swiftnio	≤ 1.4.0	Yes
Operating System	apple	mac_os_x	≥ 10.12	No
Operating System	canonical	ubuntu_linux	≥ 14.04	No
Application	apache	traffic_server	≤ 6.2.3	Yes
Application	apache	traffic_server	≤ 7.1.6	Yes
Application	apache	traffic_server	≤ 8.0.3	Yes
Operating System	canonical	ubuntu_linux	16.04	Yes
Operating System	canonical	ubuntu_linux	18.04	Yes
Operating System	canonical	ubuntu_linux	19.04	Yes
Operating System	debian	debian_linux	9.0	Yes
Operating System	debian	debian_linux	10.0	Yes
Operating System	fedoraproject	fedora	30	Yes
Application	synology	skynas	-	Yes
Operating System	synology	diskstation_manager	6.2	Yes
Operating System	synology	vs960hd_firmware	-	Yes
Hardware	synology	vs960hd	-	No
Operating System	debian	debian_linux	9.0	Yes
Operating System	debian	debian_linux	10.0	Yes
Operating System	fedoraproject	fedora	29	Yes
Operating System	fedoraproject	fedora	30	Yes
Operating System	opensuse	leap	15.0	Yes
Operating System	opensuse	leap	15.1	Yes
Application	redhat	jboss_core_services	1.0	Yes
Application	redhat	jboss_enterprise_application_platform	7.2.0	Yes
Application	redhat	jboss_enterprise_application_platform	7.3.0	Yes
Application	redhat	openshift_service_mesh	1.0	Yes
Application	redhat	quay	3.0.0	Yes
Application	redhat	software_collections	1.0	Yes
Operating System	redhat	enterprise_linux	8.0	Yes
Application	oracle	graalvm	19.2.0	Yes
Application	mcafee	web_gateway	< 7.7.2.24	Yes
Application	mcafee	web_gateway	< 7.8.2.13	Yes
Application	mcafee	web_gateway	< 8.2.0	Yes
Application	f5	nginx	< 1.16.1	Yes
Application	f5	nginx	≤ 1.17.2	Yes
Application	oracle	enterprise_communications_broker	3.1.0	Yes
Application	oracle	enterprise_communications_broker	3.2.0	Yes
Application	nodejs	node.js	≤ 8.8.1	Yes
Application	nodejs	node.js	< 8.16.1	Yes
Application	nodejs	node.js	≤ 10.12.0	Yes
Application	nodejs	node.js	< 10.16.3	Yes
Application	nodejs	node.js	< 12.8.1	Yes

References

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html Mailing List, Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html Mailing List, Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html Mailing List, Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00003.html Mailing List, Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00005.html Mailing List, Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00014.html Mailing List, Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:2692 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:2745 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:2746 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:2775 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:2799 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:2925 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:2939 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:2949 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:2955 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:2966 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:3041 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:3932 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:3933 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:3935 Third Party Advisory ([email protected])
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md Third Party Advisory ([email protected])
https://kb.cert.org/vuls/id/605641/ Third Party Advisory, US Government Resource ([email protected])
https://kc.mcafee.com/corporate/index?page=content&id=SB10296 Third Party Advisory ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JUBYAF6ED3O4XCHQ5C2HYENJLXYXZC4M/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZLUYPYY3RX4ZJDWZRJIKSULYRJ4PXW7/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/POPAEC4FWL4UU4LDEGPY5NPALU24FFQD/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/ ([email protected])
https://seclists.org/bugtraq/2019/Aug/40 Mailing List, Third Party Advisory ([email protected])
https://seclists.org/bugtraq/2019/Sep/1 Mailing List, Third Party Advisory ([email protected])
https://security.netapp.com/advisory/ntap-20190823-0002/ Third Party Advisory ([email protected])
https://security.netapp.com/advisory/ntap-20190823-0005/ Third Party Advisory ([email protected])
https://support.f5.com/csp/article/K02591030 Third Party Advisory ([email protected])
https://support.f5.com/csp/article/K02591030?utm_source=f5support&amp%3Butm_medium=RSS ([email protected])
https://usn.ubuntu.com/4099-1/ Third Party Advisory ([email protected])
https://www.debian.org/security/2019/dsa-4505 Third Party Advisory ([email protected])
https://www.debian.org/security/2019/dsa-4511 Third Party Advisory ([email protected])
https://www.debian.org/security/2020/dsa-4669 Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpujan2021.html Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpuoct2020.html Third Party Advisory ([email protected])
https://www.synology.com/security/advisory/Synology_SA_19_33 Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00003.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00005.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00014.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:2692 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:2745 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:2746 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:2775 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:2799 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:2925 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:2939 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:2949 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:2955 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:2966 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:3041 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:3932 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:3933 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:3935 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://kb.cert.org/vuls/id/605641/ Third Party Advisory, US Government Resource (af854a3a-2127-422b-91ae-364da2661108)
https://kc.mcafee.com/corporate/index?page=content&id=SB10296 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JUBYAF6ED3O4XCHQ5C2HYENJLXYXZC4M/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZLUYPYY3RX4ZJDWZRJIKSULYRJ4PXW7/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/POPAEC4FWL4UU4LDEGPY5NPALU24FFQD/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/ (af854a3a-2127-422b-91ae-364da2661108)
https://seclists.org/bugtraq/2019/Aug/40 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://seclists.org/bugtraq/2019/Sep/1 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20190823-0002/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20190823-0005/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://support.f5.com/csp/article/K02591030 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://support.f5.com/csp/article/K02591030?utm_source=f5support&amp%3Butm_medium=RSS (af854a3a-2127-422b-91ae-364da2661108)
https://usn.ubuntu.com/4099-1/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.debian.org/security/2019/dsa-4505 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.debian.org/security/2019/dsa-4511 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.debian.org/security/2020/dsa-4669 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpujan2021.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpuoct2020.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.synology.com/security/advisory/Synology_SA_19_33 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)

How SecUtils Interprets This CVE

SecUtils normalizes and enriches National Vulnerability Database (NVD) records by standardizing vendor and product identifiers, aggregating vulnerability metadata from both NVD and MITRE sources, and providing structured context for security teams. For apple's affected products, we extract Common Platform Enumeration (CPE) data, Common Weakness Enumeration (CWE) classifications, CVSS severity metrics, and reference data to enable rapid vulnerability prioritization and asset correlation. This record contains no exploit code, proof-of-concept instructions, or attack methodologies—only defensive intelligence necessary for patch management, risk assessment, and security operations.