Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-9516

Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory.

Published

2019-08-13T21:15:12.583

Last Modified

2025-01-14T19:29:55.853

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:N/I:N/A:C

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE

Exploitability Score

8.0

Impact Score

6.9

Weaknesses

Type: Secondary
CWE-400
Type: Primary
CWE-770

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apple	swiftnio	≤ 1.4.0	Yes
Operating System	apple	mac_os_x	≥ 10.12	No
Operating System	canonical	ubuntu_linux	≥ 14.04	No
Application	apache	traffic_server	≤ 6.2.3	Yes
Application	apache	traffic_server	≤ 7.1.6	Yes
Application	apache	traffic_server	≤ 8.0.3	Yes
Operating System	canonical	ubuntu_linux	16.04	Yes
Operating System	canonical	ubuntu_linux	18.04	Yes
Operating System	canonical	ubuntu_linux	19.04	Yes
Operating System	debian	debian_linux	9.0	Yes
Operating System	debian	debian_linux	10.0	Yes
Operating System	fedoraproject	fedora	30	Yes
Application	synology	skynas	-	Yes
Operating System	synology	diskstation_manager	6.2	Yes
Operating System	synology	vs960hd_firmware	-	Yes
Hardware	synology	vs960hd	-	No
Operating System	debian	debian_linux	9.0	Yes
Operating System	debian	debian_linux	10.0	Yes
Operating System	fedoraproject	fedora	29	Yes
Operating System	fedoraproject	fedora	30	Yes
Operating System	fedoraproject	fedora	32	Yes
Operating System	opensuse	leap	15.0	Yes
Operating System	opensuse	leap	15.1	Yes
Application	redhat	jboss_core_services	1.0	Yes
Application	redhat	jboss_enterprise_application_platform	7.2.0	Yes
Application	redhat	jboss_enterprise_application_platform	7.3.0	Yes
Application	redhat	openshift_service_mesh	1.0	Yes
Application	redhat	quay	3.0.0	Yes
Application	redhat	software_collections	1.0	Yes
Operating System	redhat	enterprise_linux	8.0	Yes
Application	oracle	graalvm	19.2.0	Yes
Application	mcafee	web_gateway	< 7.7.2.24	Yes
Application	mcafee	web_gateway	< 7.8.2.13	Yes
Application	mcafee	web_gateway	< 8.2.0	Yes
Application	f5	nginx	< 1.16.1	Yes
Application	f5	nginx	≤ 1.17.2	Yes
Application	nodejs	node.js	< 8.16.1	Yes
Application	nodejs	node.js	< 10.16.3	Yes
Application	nodejs	node.js	< 12.8.1	Yes

References

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html Mailing List, Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html Mailing List, Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html Mailing List, Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00014.html Mailing List, Third Party Advisory ([email protected])
http://seclists.org/fulldisclosure/2019/Aug/16 Mailing List, Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:2745 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:2746 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:2775 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:2799 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:2925 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:2939 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:2946 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:2950 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:2955 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:2966 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:3932 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:3933 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:3935 Third Party Advisory ([email protected])
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md Third Party Advisory ([email protected])
https://kb.cert.org/vuls/id/605641/ Third Party Advisory, US Government Resource ([email protected])
https://kc.mcafee.com/corporate/index?page=content&id=SB10296 Third Party Advisory ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/POPAEC4FWL4UU4LDEGPY5NPALU24FFQD/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/ ([email protected])
https://seclists.org/bugtraq/2019/Aug/24 Mailing List, Third Party Advisory ([email protected])
https://seclists.org/bugtraq/2019/Aug/40 Mailing List, Third Party Advisory ([email protected])
https://security.netapp.com/advisory/ntap-20190823-0002/ Third Party Advisory ([email protected])
https://security.netapp.com/advisory/ntap-20190823-0005/ Third Party Advisory ([email protected])
https://support.f5.com/csp/article/K02591030 Third Party Advisory ([email protected])
https://support.f5.com/csp/article/K02591030?utm_source=f5support&amp%3Butm_medium=RSS ([email protected])
https://usn.ubuntu.com/4099-1/ Third Party Advisory ([email protected])
https://www.debian.org/security/2019/dsa-4505 Third Party Advisory ([email protected])
https://www.synology.com/security/advisory/Synology_SA_19_33 Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00014.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://seclists.org/fulldisclosure/2019/Aug/16 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:2745 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:2746 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:2775 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:2799 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:2925 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:2939 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:2946 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:2950 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:2955 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:2966 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:3932 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:3933 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:3935 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://kb.cert.org/vuls/id/605641/ Third Party Advisory, US Government Resource (af854a3a-2127-422b-91ae-364da2661108)
https://kc.mcafee.com/corporate/index?page=content&id=SB10296 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/POPAEC4FWL4UU4LDEGPY5NPALU24FFQD/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/ (af854a3a-2127-422b-91ae-364da2661108)
https://seclists.org/bugtraq/2019/Aug/24 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://seclists.org/bugtraq/2019/Aug/40 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20190823-0002/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20190823-0005/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://support.f5.com/csp/article/K02591030 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://support.f5.com/csp/article/K02591030?utm_source=f5support&amp%3Butm_medium=RSS (af854a3a-2127-422b-91ae-364da2661108)
https://usn.ubuntu.com/4099-1/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.debian.org/security/2019/dsa-4505 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.synology.com/security/advisory/Synology_SA_19_33 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)