Published: 10/01/2017 Updated: 27/01/2017

CVSS v2 Base Score: 7.8 | Impact Score: 6.9 | Exploitability Score: 10

CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9

VMScore: 694

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

A HTTP/2 implementation built using any version of the Python HPACK library between v1.0.0 and v2.2.0 could be targeted for a denial of service attack, specifically a so-called "HPACK Bomb" attack. This attack occurs when an attacker inserts a header field that is exactly the size of the HPACK dynamic header table into the dynamic header table. The attacker can then send a header block that is simply repeated requests to expand that field in the dynamic table. This can lead to a gigantic compression ratio of 4,096 or better, meaning that 16kB of data can decompress to 64MB of data on the target machine.

Vulnerable Product	Search on Vulmon	Subscribe to Product
python hyper 0.4
python hyper 0.6
python hpack 1.0
python hpack 2.0
python hpack 2.1.1
python hpack 2.0.1
python hpack 2.2

Debian Bug report logs - #833467 python-hpack: CVE-2016-6581 Package: src:python-hpack; Maintainer for src:python-hpack is Sebastien Delafond <seb@debianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Thu, 4 Aug 2016 18:09:01 UTC Severity: important Tags: fixed-upstream, patch, security, upstream ...

CWE-399 https://python-hyper.org/hpack/en/latest/security/CVE-2016-6581.html http://www.securityfocus.com/bid/92315 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=833467 https://nvd.nist.gov

Get Started

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

CVE-2016-6581

Vulnerability Summary

Vendor Advisories

References

Vulmon Search

About

Products

Connect