Published: 11/06/2019 Updated: 17/06/2019
CVSS v2 Base Score: 4.9 | Impact Score: 4.9 | Exploitability Score: 6.8
CVSS v3 Base Score: 4.2 | Impact Score: 2.5 | Exploitability Score: 1.6
VMScore: 436
Vector: AV:N/AC:M/Au:S/C:N/I:P/A:P

Vulnerability Summary

A vulnerability in the Apache HTTP Server could allow an unauthenticated, remote malicious user to cause a denial of service (DoS) condition on a targeted system. The vulnerability exists when HTTP/2 is enabled for an http: host, or when H2Upgrade is enabled for h2 on an https: host, and is due to improper handling of an Upgrade request from http/1.1 to http/2 when that Upgrade request is not the first request on the connection. An attacker could exploit this vulnerability by sending such a late Upgrade request to the affected software. A successful exploit could cause the affected software to terminate abnormally, resulting in a DoS condition. Apache has confirmed the vulnerability and released software updates.

Affected Products

Vendor: Apache
Product: Http Server
Versions: 2.4.17, 2.4.18, 2.4.19, 2.4.20, 2.4.21, 2.4.22, 2.4.23, 2.4.24, 2.4.25, 2.4.26, 2.4.27, 2.4.28, 2.4.29, 2.4.30, 2.4.32, 2.4.33, 2.4.34, 2.4.35, 2.4.36, 2.4.37, 2.4.38

Vendor Advisories

Severity: Unknown | Remote: Unknown | Type: Unknown
Description: AVG-946 apache 2.4.38-1 2.4.39-1 Medium Testing ...

Mailing Lists

CVE-2019-0197: mod_http2, possible crash on late upgrade
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected: httpd 2.4.34 to 2.4.38
Description: When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2 on a https: host, an Upgrade request from http/1.1 to http/2 that was not the first request on a connection ...