A vulnerability was found in Apache HTTP Server 2.4.34 to 2.4.38. When HTTP/2 was enabled for an http: host or H2Upgrade was enabled for h2 on an https: host, an Upgrade request from http/1.1 to http/2 that was not the first request on a connection could lead to a misconfiguration and crash. Servers that never enabled the h2 protocol, or that only enabled it for https: and did not set "H2Upgrade on", are unaffected by this issue.
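The affected conditions above can be checked against a server's version banner and configuration text. The following is an added example, not code from the advisory or from the Apache project. It assumes a banner in the form printed by `httpd -v`, treats the `h2c` token in `Protocols` as "HTTP/2 enabled for an http: host", and does not follow `Include` directives; the function names and the sample configuration are constructed for illustration.

```python
import re

AFFECTED = ((2, 4, 34), (2, 4, 38))  # range stated in the advisory, inclusive

def parse_version(banner):
    """Return (major, minor, patch) from e.g. 'Server version: Apache/2.4.37 (Unix)'."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(map(int, m.groups())) if m else None

def scopes(conf_text):
    """Map scope name -> {directive: args}: 'global' plus one entry per <VirtualHost>."""
    out = {"global": {}}
    cur = out["global"]
    for line in map(str.strip, conf_text.splitlines()):
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if m:
            cur = out.setdefault("vhost " + m.group(1).strip(), {})
        elif line.lower().startswith("</virtualhost"):
            cur = out["global"]
        elif line and line[0] not in "<#":  # skip comments and other containers
            name, *args = line.split()
            cur[name.lower()] = [a.lower() for a in args]
    return out

def exposed_scopes(banner, conf_text):
    """List (scope, reason) pairs that match the advisory's affected conditions."""
    version = parse_version(banner)
    if version is None or not AFFECTED[0] <= version <= AFFECTED[1]:
        return []
    all_scopes, findings = scopes(conf_text), []
    for name, own in all_scopes.items():
        eff = {**all_scopes["global"], **own}  # vhost settings override global ones
        protocols = eff.get("protocols", ["http/1.1"])
        if "h2c" in protocols:
            findings.append((name, "h2c enabled for an http: host"))
        elif "h2" in protocols and eff.get("h2upgrade") == ["on"]:
            findings.append((name, "h2 with H2Upgrade on"))
    return findings

# Constructed sample configuration (not from the advisory).
SAMPLE_CONF = """<VirtualHost *:80>
    Protocols h2c http/1.1
</VirtualHost>
<VirtualHost *:443>
    Protocols h2 http/1.1
</VirtualHost>
<VirtualHost *:8443>
    Protocols h2 http/1.1
    H2Upgrade on
</VirtualHost>"""
```

Calling `exposed_scopes("Apache/2.4.37", SAMPLE_CONF)` reports the `*:80` and `*:8443` virtual hosts and leaves out `*:443`, which enables h2 without "H2Upgrade on".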
Vulnerable Product |
---|
apache http server |
canonical ubuntu linux 18.04 |
canonical ubuntu linux 19.04 |
canonical ubuntu linux 16.04 |
fedoraproject fedora 30 |
opensuse leap 42.3 |
opensuse leap 15.0 |
redhat jboss_core_services 1.0 |
oracle retail xstore point of service 7.1 |
oracle retail xstore point of service 7.0 |
oracle http server 12.2.1.3.0 |
oracle enterprise manager ops center 12.3.3 |
oracle instantis enterprisetrack 17.1 |
oracle instantis enterprisetrack 17.2 |
oracle instantis enterprisetrack 17.3 |
oracle enterprise manager ops center 12.4.0 |
oracle communications session report manager 8.1.1 |
oracle communications session report manager 8.2.0 |
oracle communications session route manager 8.1.1 |
oracle communications session route manager 8.2.0 |
oracle communications session route manager 8.0.0 |
oracle communications session route manager 8.1.0 |
oracle communications session report manager 8.0.0 |
oracle communications session report manager 8.1.0 |