Your submission was sent successfully! Close

CVE-2019-9511

Published: 13 August 2019

Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

Priority

Medium

CVSS 3 base score: 7.5

Status

Package Release Status
nghttp2
Launchpad, Ubuntu, Debian
bionic Needed

cosmic Ignored
(reached end-of-life)
disco Ignored
(reached end-of-life)
eoan Not vulnerable
(1.39.2-1)
focal Not vulnerable
(1.39.2-1)
groovy Not vulnerable
(1.39.2-1)
hirsute Not vulnerable
(1.39.2-1)
impish Not vulnerable
(1.39.2-1)
jammy Not vulnerable
(1.39.2-1)
precise Does not exist

trusty Does not exist

upstream
Released (1.39.2)
xenial Ignored
(end of standard support, was needed)
nginx
Launchpad, Ubuntu, Debian
bionic
Released (1.14.0-0ubuntu1.4)
cosmic Ignored
(reached end-of-life)
disco
Released (1.15.9-0ubuntu1.1)
eoan
Released (1.16.1-0ubuntu1)
focal
Released (1.16.1-0ubuntu1)
groovy
Released (1.16.1-0ubuntu1)
hirsute
Released (1.16.1-0ubuntu1)
impish
Released (1.16.1-0ubuntu1)
jammy
Released (1.16.1-0ubuntu1)
precise Does not exist

trusty Not vulnerable
(http2 support not implemented)
upstream Needs triage

xenial
Released (1.10.3-0ubuntu0.16.04.4)
nodejs
Launchpad, Ubuntu, Debian
bionic Needs triage

focal Needs triage

groovy Ignored
(reached end-of-life)
hirsute Ignored
(reached end-of-life)
impish Needs triage

jammy Needs triage

precise Does not exist

trusty Needs triage

upstream Needs triage

xenial Ignored
(end of standard support, was needs-triage)

Notes

AuthorNote
sbeattie
nginx added http2 support in 1.9.5
nghttp2: nghttpd and nghttp are affected, libnghttp2 is not
mdeslaur
nghttp2-server is in universe

References

Bugs