CVE-2019-9511

CVSS v3.1: 7.5 (High)
CVSS v2.0: 7.8 (High)
EPSS: 7.76% (94th percentile)
Affected Products: 23
Advisories: 55

Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

Weaknesses
  CWE-400  Uncontrolled Resource Consumption
  CWE-770  Allocation of Resources Without Limits or Throttling

Related CVEs

CVE Status: PUBLISHED
CNA: CERT/CC
Published Date: 2019-08-13 21:15:12
Updated Date: 2023-11-07 03:13:41

Affected Products


Configuration #1 (AND of the groups below)

  Product                  Versions             CPE 2.3
  OR:
    Apple SwiftNIO           >= 1.0.0, <= 1.4.0   cpe:2.3:a:apple:swiftnio
  OR (running on/with):
    Apple Mac OS X           >= 10.12             cpe:2.3:o:apple:mac_os_x
  OR (running on/with):
    Canonical Ubuntu Linux   >= 14.04             cpe:2.3:o:canonical:ubuntu_linux

Configuration #2

  Product                 Versions             CPE 2.3
  Apache Traffic Server   >= 6.0.0, <= 6.2.3   cpe:2.3:a:apache:traffic_server
  Apache Traffic Server   >= 7.0.0, <= 7.1.6   cpe:2.3:a:apache:traffic_server
  Apache Traffic Server   >= 8.0.0, <= 8.0.3   cpe:2.3:a:apache:traffic_server

Configuration #3

  Product                  Versions    CPE 2.3
  Canonical Ubuntu Linux   16.04 LTS   cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts
  Canonical Ubuntu Linux   18.04 LTS   cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts
  Canonical Ubuntu Linux   19.04       cpe:2.3:o:canonical:ubuntu_linux:19.04

Configuration #4

  Product        Versions   CPE 2.3
  Debian Linux   9.0        cpe:2.3:o:debian:debian_linux:9.0
  Debian Linux   10.0       cpe:2.3:o:debian:debian_linux:10.0

Configuration #5

  Product                       Versions       CPE 2.3
  Synology DiskStation Manager  6.2            cpe:2.3:a:synology:diskstation_manager:6.2
  Synology SkyNAS               (all versions) cpe:2.3:a:synology:skynas:-

Configuration #6 (AND of the groups below)

  Product                     Versions         CPE 2.3
  OR:
    Synology VS960HD Firmware   (all versions)   cpe:2.3:o:synology:vs960hd_firmware:-
  OR (running on/with):
    Synology VS960HD            (all versions)   cpe:2.3:h:synology:vs960hd:-

Configuration #7

  Product                 Versions   CPE 2.3
  Fedora Project Fedora   29         cpe:2.3:o:fedoraproject:fedora:29
  Fedora Project Fedora   30         cpe:2.3:o:fedoraproject:fedora:30

Configuration #8

  Product         Versions   CPE 2.3
  openSUSE Leap   15.0       cpe:2.3:o:opensuse:leap:15.0
  openSUSE Leap   15.1       cpe:2.3:o:opensuse:leap:15.1

Configuration #9

  Product                                         Versions   CPE 2.3
  Red Hat JBoss Core Services                     1.0        cpe:2.3:a:redhat:jboss_core_services:1.0
  Red Hat JBoss Enterprise Application Platform   7.2.0      cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2.0
  Red Hat JBoss Enterprise Application Platform   7.3.0      cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3.0
  Red Hat OpenShift Service Mesh                  1.0        cpe:2.3:a:redhat:openshift_service_mesh:1.0
  Red Hat Quay                                    3.0.0      cpe:2.3:a:redhat:quay:3.0.0
  Red Hat Software Collections                    1.0        cpe:2.3:a:redhat:software_collections:1.0
  Red Hat Enterprise Linux                        8.0        cpe:2.3:o:redhat:enterprise_linux:8.0

Configuration #10

  Product          Versions                  CPE 2.3
  Oracle GraalVM   19.2.0 (Enterprise)       cpe:2.3:a:oracle:graalvm:19.2.0:*:*:*:enterprise

Configuration #11

  Product              Versions                CPE 2.3
  McAfee Web Gateway   >= 7.7.2.0, < 7.7.2.24  cpe:2.3:a:mcafee:web_gateway
  McAfee Web Gateway   >= 7.8.2.0, < 7.8.2.13  cpe:2.3:a:mcafee:web_gateway
  McAfee Web Gateway   >= 8.1.0, < 8.2.0       cpe:2.3:a:mcafee:web_gateway

Configuration #12

  Product    Versions               CPE 2.3
  F5 NGINX   >= 1.9.5, < 1.16.1     cpe:2.3:a:f5:nginx
  F5 NGINX   >= 1.17.0, <= 1.17.2   cpe:2.3:a:f5:nginx

Configuration #13

  Product                                  Versions   CPE 2.3
  Oracle Enterprise Communications Broker  3.1.0      cpe:2.3:a:oracle:enterprise_communications_broker:3.1.0
  Oracle Enterprise Communications Broker  3.2.0      cpe:2.3:a:oracle:enterprise_communications_broker:3.2.0

Configuration #14

  Product   Versions                  CPE 2.3
  Node.js   >= 8.0.0, <= 8.8.1        cpe:2.3:a:nodejs:node.js::*:*:*:-
  Node.js   >= 8.9.0, < 8.16.1 (LTS)  cpe:2.3:a:nodejs:node.js::*:*:*:lts
  Node.js   >= 10.0.0, <= 10.12.0     cpe:2.3:a:nodejs:node.js::*:*:*:-
  Node.js   >= 10.13.0, < 10.16.3 (LTS) cpe:2.3:a:nodejs:node.js::*:*:*:lts
  Node.js   >= 12.0.0, < 12.8.1       cpe:2.3:a:nodejs:node.js::*:*:*:-