
CVE-2019-9516

Published: 13/08/2019 Updated: 07/11/2023
CVSS v2 Base Score: 6.8 | Impact Score: 6.9 | Exploitability Score: 8
CVSS v3 Base Score: 6.5 | Impact Score: 3.6 | Exploitability Score: 2.8
VMScore: 606
Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C

Vulnerability Summary

Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory.

Vulnerable Products

apple swiftnio

apache traffic server

canonical ubuntu linux 16.04

canonical ubuntu linux 18.04

canonical ubuntu linux 19.04

debian debian linux 9.0

debian debian linux 10.0

fedoraproject fedora 30

synology skynas -

synology diskstation manager 6.2

synology vs960hd_firmware -

fedoraproject fedora 29

fedoraproject fedora 32

opensuse leap 15.0

opensuse leap 15.1

redhat software collections 1.0

redhat jboss core services 1.0

redhat enterprise linux 8.0

redhat jboss enterprise application platform 7.2.0

redhat quay 3.0.0

redhat openshift service mesh 1.0

redhat jboss enterprise application platform 7.3.0

oracle graalvm 19.2.0

mcafee web gateway

f5 nginx

nodejs node.js

Vendor Advisories

Debian Bug report logs - #935037 nginx: CVE-2019-9511 CVE-2019-9513 CVE-2019-9516 Package: src:nginx; Maintainer for src:nginx is Debian Nginx Maintainers <pkg-nginx-maintainers@alioth-lists.debian.net>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Sun, 18 Aug 2019 12:33:01 UTC Severity: grave Tags: se ...
nginx could be made to crash if it received specially crafted network traffic ...
Three vulnerabilities were discovered in the HTTP/2 code of Nginx, a high-performance web and reverse proxy server, which could result in denial of service. For the oldstable distribution (stretch), these problems have been fixed in version 1.10.3-1+deb9u3. For the stable distribution (buster), these problems have been fixed in version 1.14.2-2+deb ...
Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunk ...
Synopsis Important: rh-nginx112-nginx security update Type/Severity Security Advisory: Important Topic An update for rh-nginx112-nginx is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring Sys ...
Synopsis Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.29 SP3 security update Type/Severity Security Advisory: Important Topic Red Hat JBoss Core Services Pack Apache Server 2.4.29 Service Pack 3 packages for RHEL 6, RHEL 7, Microsoft Windows and Oracle Solaris are now available. Red Hat Prod ...
Synopsis Important: rh-nginx110-nginx security update Type/Severity Security Advisory: Important Topic An update for rh-nginx110-nginx is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring Sys ...
Synopsis Important: nginx:1.14 security update Type/Severity Security Advisory: Important Topic An update for the nginx:1.14 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System ( ...
Synopsis Important: rh-nginx114-nginx security update Type/Severity Security Advisory: Important Topic An update for rh-nginx114-nginx is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring Sys ...
Synopsis Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.29 SP3 security update Type/Severity Security Advisory: Important Topic An update is now available for JBoss Core Services on RHEL 6 and RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Co ...
Synopsis Important: rh-nodejs10-nodejs security update Type/Severity Security Advisory: Important Topic An update for rh-nodejs10-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring S ...
Synopsis Important: rh-nodejs8-nodejs security update Type/Severity Security Advisory: Important Topic An update for rh-nodejs8-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring Sys ...
Synopsis Important: Red Hat Quay v3.1.1 security update Type/Severity Security Advisory: Important Topic Updated Quay packages that fix several bugs and add various enhancements are now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability ...
Synopsis Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 Security Release Type/Severity Security Advisory: Important Topic Red Hat JBoss Core Services Pack Apache Server 2.4.37 zip release for RHEL 6, RHEL 7 and Microsoft Windows is available. Red Hat Product Security has rated this update as ...
Synopsis Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 Security Release on RHEL 6 Type/Severity Security Advisory: Important Topic Updated packages that provide Red Hat JBoss Core Services Pack Apache Server 2.4.37 and fix several bugs, and add various enhancements are now available for R ...
Synopsis Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 Security Release on RHEL 7 Type/Severity Security Advisory: Important Topic An update is now available for JBoss Core Services on RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common ...
Synopsis Important: Red Hat Fuse 7.6.0 security update Type/Severity Security Advisory: Important Topic A minor version update (from 7.5 to 7.6) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security h ...
Synopsis Important: Red Hat AMQ Broker 7.6 release and security update Type/Severity Security Advisory: Important Topic Red Hat AMQ Broker 7.6 is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Sco ...
Synopsis Important: nodejs:10 security update Type/Severity Security Advisory: Important Topic An update for the nodejs:10 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CV ...
Synopsis Important: Red Hat AMQ Broker 7.4.3 release and security update Type/Severity Security Advisory: Important Topic Red Hat AMQ Broker 7.4.3 is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability ...
Impact: Important Public Date: 2019-08-13 CWE: CWE-400 Bugzilla: 1741864: CVE-2019-9516 HTTP/2: 0-lengt ...
An issue has been found in several HTTP/2 implementations, where the attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess ...

Mailing Lists

Full Disclosure mailing list archives: APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0 From: Apple Product ...

References

CWE-770
https://kb.cert.org/vuls/id/605641/
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
https://seclists.org/bugtraq/2019/Aug/24
https://usn.ubuntu.com/4099-1/
http://seclists.org/fulldisclosure/2019/Aug/16
https://www.synology.com/security/advisory/Synology_SA_19_33
https://support.f5.com/csp/article/K02591030
https://seclists.org/bugtraq/2019/Aug/40
https://www.debian.org/security/2019/dsa-4505
https://security.netapp.com/advisory/ntap-20190823-0005/
https://security.netapp.com/advisory/ntap-20190823-0002/
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html
https://kc.mcafee.com/corporate/index?page=content&id=SB10296
https://access.redhat.com/errata/RHSA-2019:2746
https://access.redhat.com/errata/RHSA-2019:2745
https://access.redhat.com/errata/RHSA-2019:2775
https://access.redhat.com/errata/RHSA-2019:2799
https://access.redhat.com/errata/RHSA-2019:2925
https://access.redhat.com/errata/RHSA-2019:2939
https://access.redhat.com/errata/RHSA-2019:2946
https://access.redhat.com/errata/RHSA-2019:2950
https://access.redhat.com/errata/RHSA-2019:2955
https://access.redhat.com/errata/RHSA-2019:2966
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00014.html
https://access.redhat.com/errata/RHSA-2019:3935
https://access.redhat.com/errata/RHSA-2019:3933
https://access.redhat.com/errata/RHSA-2019:3932
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/POPAEC4FWL4UU4LDEGPY5NPALU24FFQD/
https://support.f5.com/csp/article/K02591030?utm_source=f5support&%3Butm_medium=RSS
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=935037
https://nvd.nist.gov
https://www.kb.cert.org/vuls/id/605641