CVE-2018-11763

Published: 25 September 2018

In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames, a client can occupy a connection, a server thread and CPU time without any connection timeout taking effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol.
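
A triage check for the two conditions in the description, added here as an example and not part of the advisory or of Apache's own tooling: it tests whether an upstream version falls in the affected range and whether a configuration text enables HTTP/2 through the `Protocols` directive. The function names and the sample configuration are constructed; the check treats `h2c` as HTTP/2 as well and does not follow `Include` directives.

```python
import re

# Affected upstream range, taken from the advisory text.
FIRST_AFFECTED = (2, 4, 17)
LAST_AFFECTED = (2, 4, 34)


def upstream_version(banner):
    """Return (major, minor, patch) from text such as 'Apache/2.4.29 (Ubuntu)'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if m is None:
        raise ValueError(f"no version found in {banner!r}")
    return tuple(int(part) for part in m.groups())


def in_affected_range(banner):
    """True when the upstream version lies in 2.4.17..2.4.34 inclusive.

    Distribution packages backport fixes without changing the upstream
    number, so for a distro build also compare the package version with
    the fixed release listed in the Status section.
    """
    return FIRST_AFFECTED <= upstream_version(banner) <= LAST_AFFECTED


def h2_enabled(config_text):
    """True when any Protocols directive in the text lists h2 or h2c."""
    for raw in config_text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue  # blank line or comment
        if tokens[0].lower() == "protocols":
            if {"h2", "h2c"} & {t.lower() for t in tokens[1:]}:
                return True
    return False


# Constructed sample configuration, not taken from a real host.
SAMPLE_CONF = """\
# Protocols h2c http/1.1
<VirtualHost *:443>
    Protocols h2 http/1.1
</VirtualHost>
"""

if __name__ == "__main__":
    print(in_affected_range("Apache/2.4.29 (Ubuntu)"), h2_enabled(SAMPLE_CONF))
```
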

Priority

Medium

CVSS 3 base score: 5.9

Status

Package   Release    Status
apache2   bionic     Released (2.4.29-1ubuntu4.4)
apache2   precise    Not vulnerable (code not present)
apache2   trusty     Not vulnerable (code not present)
apache2   upstream   Released (2.4.35)
apache2   xenial     Not vulnerable (code not built)