CVSSv3: 5.9

CVE-2018-11763

Published: 25/09/2018 Updated: 07/11/2023
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 5.9 | Impact Score: 3.6 | Exploitability Score: 2.2
VMScore: 386
Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

Vulnerability Summary

In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout taking effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol.


Vulnerable Products

apache http server

canonical ubuntu linux 18.04

redhat enterprise linux 7.4

redhat enterprise linux 7.0

redhat enterprise linux 6.0

redhat enterprise linux 7.5

redhat enterprise linux 7.6

oracle retail xstore point of service 7.1

oracle retail xstore point of service 7.0

oracle hospitality guest access 4.2.0

oracle hospitality guest access 4.2.1

oracle enterprise manager ops center 12.3.3

oracle secure global desktop 5.4

oracle instantis enterprisetrack 17.1

oracle instantis enterprisetrack 17.2

oracle instantis enterprisetrack 17.3

netapp storage automation store -

Vendor Advisories

Debian Bug report logs - #909591 apache2: CVE-2018-11763: mod_http2, DoS via continuous SETTINGS frames. Package: src:apache2; Maintainer for src:apache2 is Debian Apache Maintainers <debian-apache@lists.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Tue, 25 Sep 2018 19:00:02 UTC; Severity: im ...
Several security issues were fixed in the Apache HTTP Server ...
Synopsis: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.29 security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for JBoss Core Services on RHEL 6 and RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common ...
Synopsis: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.29 SP1 security update. Type/Severity: Security Advisory: Important. Topic: Red Hat JBoss Core Services Pack Apache Server 2.4.29 Service Pack 1 packages for Microsoft Windows and Oracle Solaris are now available. Red Hat Product Security has ...
Synopsis: Moderate: httpd24 security, bug fix, and enhancement update. Type/Severity: Security Advisory: Moderate. Topic: An update for httpd24-httpd, httpd24-nghttp2, and httpd24-curl is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of ...
In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol (CVE-2018-11763) ...
Tenable.sc leverages third-party software to help provide underlying functionality. Three separate third-party components (OpenSSL, Apache HTTP Server, SimpleSAMLphp) were found to contain vulnerabilities, and updated versions have been made available by the providers. Out of caution and in line with good practice, Tenable opted to upgrade the bun ...

References

CWE: NVD-CWE-noinfo

https://httpd.apache.org/security/vulnerabilities_24.html
http://www.securitytracker.com/id/1041713
http://www.securityfocus.com/bid/105414
https://usn.ubuntu.com/3783-1/
https://access.redhat.com/errata/RHSA-2018:3558
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
https://security.netapp.com/advisory/ntap-20190204-0004/
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03909en_us
https://access.redhat.com/errata/RHSA-2019:0367
https://access.redhat.com/errata/RHSA-2019:0366
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00030.html
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00056.html
https://www.tenable.com/security/tns-2019-09
https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r15f9aa4427581a1aecb4063f1b4b983511ae1c9935e2a0a6876dad3c%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rfcf929bd33a6833e3f0c35eebdad70d5060665f9c4e17ea467c66770%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909591
https://nvd.nist.gov