Vulnerability Summary

A vulnerability in the Apache HTTP Server could allow an unauthenticated, remote malicious user to cause a denial of service (DoS) condition on a targeted system. The vulnerability exists when HTTP/2 is enabled for an http: host or when H2Upgrade is enabled for h2 on an https: host, and is due to the improper handling of an Upgrade request from http/1.1 to http/2 when the Upgrade request is not the first request on the connection. An attacker could exploit this vulnerability by sending requests that submit malicious input to the affected software. A successful exploit could allow the malicious user to cause the affected software to terminate abnormally, resulting in a DoS condition. Apache has confirmed the vulnerability and released software updates.
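The two exposure conditions named above can be checked against a server's configuration. The following is an added example, not code from Apache or from this page; it assumes that a TLS host is one with `SSLEngine on`, that the `h2c` token in `Protocols` is what enables HTTP/2 on an http: host, and that only `<VirtualHost>` blocks and server-level directives need to be read.

```python
import re

AFFECTED = ((2, 4, 34), (2, 4, 38))  # "httpd 2.4.34 to 2.4.38" per the advisory

SAMPLE_CONF = """\
# constructed sample configuration, not taken from a real deployment
Protocols h2 http/1.1
<VirtualHost *:80>
    Protocols h2c http/1.1
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    H2Upgrade on
</VirtualHost>
"""

def version_affected(version):
    """True if a dotted httpd version string is inside the affected range."""
    v = tuple(int(p) for p in version.split("."))
    return AFFECTED[0] <= v <= AFFECTED[1]

def late_upgrade_exposure(conf_text):
    """Return [(scope, reason)] for scopes matching either advisory condition."""
    scopes = [("global", {})]
    current = scopes[0][1]
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            scopes.append((opened.group(1).strip(), {}))
            current = scopes[-1][1]
        elif line.lower().startswith("</virtualhost"):
            current = scopes[0][1]
        else:
            name, *args = line.lower().split()
            if name in ("protocols", "h2upgrade", "sslengine"):
                current[name] = args
    findings = []
    for scope, local in scopes:
        eff = {**scopes[0][1], **local}  # vhost values override server-level ones
        protos = eff.get("protocols", ["http/1.1"])
        tls = eff.get("sslengine") == ["on"]  # assumption: TLS host == SSLEngine on
        if not tls and "h2c" in protos:  # assumption: h2c == HTTP/2 on an http: host
            findings.append((scope, "HTTP/2 (h2c) enabled on an http: host"))
        if tls and "h2" in protos and eff.get("h2upgrade") == ["on"]:
            findings.append((scope, "H2Upgrade on for h2 on an https: host"))
    return findings
```

A host is only of concern when `late_upgrade_exposure` reports it and `version_affected` is true for the installed httpd version.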

Vendor Advisories

Severity: Unknown; Remote: Unknown; Type: Unknown; Description: AVG-946 apache 2.4.38-1 2.4.39-1 Medium Testing ...

Mailing Lists

CVE-2019-0197: mod_http2, possible crash on late upgrade
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected: httpd 2.4.34 to 2.4.38
Description: When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2 on a https: host, an Upgrade request from http/1.1 to http/2 that was not the first request on a connection ...