CVE-2019-9515

CVSS v3.1: 7.5 (High)
CVSS v2.0: 7.8 (High)
EPSS: 3.89% (92nd percentile)
Affected Products: 25
Advisories: 23

Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

Weaknesses
CWE-400 Uncontrolled Resource Consumption
CWE-770 Allocation of Resources Without Limits or Throttling

CVE Status: PUBLISHED
CNA: CERT/CC
Published Date: 2019-08-13 21:15:12
Updated Date: 2023-11-07 03:13:42

Affected Products


Configuration #1 (AND of the two groups below)

    Product | CPE 2.3 | Versions
  OR:
    Apple SwiftNIO | cpe:2.3:a:apple:swiftnio | >= 1.0.0, <= 1.4.0
  OR, running on/with:
    Apple Mac OS X | cpe:2.3:o:apple:mac_os_x | >= 10.12
    Canonical Ubuntu Linux | cpe:2.3:o:canonical:ubuntu_linux | >= 14.04

Configuration #2

    Product | CPE 2.3 | Versions
    Apache Traffic Server | cpe:2.3:a:apache:traffic_server | >= 6.0.0, <= 6.2.3
    Apache Traffic Server | cpe:2.3:a:apache:traffic_server | >= 7.0.0, <= 7.1.6
    Apache Traffic Server | cpe:2.3:a:apache:traffic_server | >= 8.0.0, <= 8.0.3

Configuration #3

    Product | CPE 2.3 | Versions
    Canonical Ubuntu Linux | cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts | 16.04 LTS
    Canonical Ubuntu Linux | cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts | 18.04 LTS
    Canonical Ubuntu Linux | cpe:2.3:o:canonical:ubuntu_linux:19.04 | 19.04

Configuration #4

    Product | CPE 2.3 | Versions
    Debian Linux | cpe:2.3:o:debian:debian_linux:9.0 | 9.0
    Debian Linux | cpe:2.3:o:debian:debian_linux:10.0 | 10.0

Configuration #5

    Product | CPE 2.3 | Versions
    Synology DiskStation Manager | cpe:2.3:a:synology:diskstation_manager:6.2 | 6.2
    Synology SkyNAS | cpe:2.3:a:synology:skynas:- | -

Configuration #6 (AND of the two groups below)

    Product | CPE 2.3 | Versions
  OR:
    Synology VS960HD Firmware | cpe:2.3:o:synology:vs960hd_firmware:- | -
  OR, running on/with:
    Synology VS960HD (hardware) | cpe:2.3:h:synology:vs960hd:- | -

Configuration #7

    Product | CPE 2.3 | Versions
    Fedora Project Fedora | cpe:2.3:o:fedoraproject:fedora:29 | 29
    Fedora Project Fedora | cpe:2.3:o:fedoraproject:fedora:30 | 30

Configuration #8

    Product | CPE 2.3 | Versions
    openSUSE Leap | cpe:2.3:o:opensuse:leap:15.0 | 15.0
    openSUSE Leap | cpe:2.3:o:opensuse:leap:15.1 | 15.1

Configuration #9

    Product | CPE 2.3 | Versions
    Red Hat JBoss Core Services | cpe:2.3:a:redhat:jboss_core_services:1.0 | 1.0
    Red Hat JBoss Enterprise Application Platform | cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2.0 | 7.2.0
    Red Hat JBoss Enterprise Application Platform | cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3.0 | 7.3.0
    Red Hat OpenShift Container Platform | cpe:2.3:a:redhat:openshift_container_platform:4.1 | 4.1
    Red Hat OpenShift Service Mesh | cpe:2.3:a:redhat:openshift_service_mesh:1.0 | 1.0
    Red Hat OpenStack | cpe:2.3:a:redhat:openstack:14 | 14
    Red Hat Quay | cpe:2.3:a:redhat:quay:3.0.0 | 3.0.0
    Red Hat Single Sign-On | cpe:2.3:a:redhat:single_sign-on:7.3 | 7.3
    Red Hat Software Collections | cpe:2.3:a:redhat:software_collections:1.0 | 1.0
    Red Hat Enterprise Linux | cpe:2.3:o:redhat:enterprise_linux:8.0 | 8.0

Configuration #10

    Product | CPE 2.3 | Versions
    Oracle GraalVM Enterprise | cpe:2.3:a:oracle:graalvm:19.2.0:*:*:*:enterprise | 19.2.0

Configuration #11

    Product | CPE 2.3 | Versions
    McAfee Web Gateway | cpe:2.3:a:mcafee:web_gateway | >= 7.7.2.0, < 7.7.2.24
    McAfee Web Gateway | cpe:2.3:a:mcafee:web_gateway | >= 7.8.2.0, < 7.8.2.13
    McAfee Web Gateway | cpe:2.3:a:mcafee:web_gateway | >= 8.1.0, < 8.2.0

Configuration #12

    Product | CPE 2.3 | Versions
    F5 BIG-IP Local Traffic Manager | cpe:2.3:a:f5:big-ip_local_traffic_manager | >= 11.6.1, < 11.6.5.1
    F5 BIG-IP Local Traffic Manager | cpe:2.3:a:f5:big-ip_local_traffic_manager | >= 12.1.0, < 12.1.5.1
    F5 BIG-IP Local Traffic Manager | cpe:2.3:a:f5:big-ip_local_traffic_manager | >= 13.1.0, < 13.1.3.2
    F5 BIG-IP Local Traffic Manager | cpe:2.3:a:f5:big-ip_local_traffic_manager | >= 14.0.0, < 14.0.1.1
    F5 BIG-IP Local Traffic Manager | cpe:2.3:a:f5:big-ip_local_traffic_manager | >= 14.1.0, < 14.1.2.1
    F5 BIG-IP Local Traffic Manager | cpe:2.3:a:f5:big-ip_local_traffic_manager | >= 15.0.0, < 15.0.1.1

Configuration #13

    Product | CPE 2.3 | Versions
    Node.js | cpe:2.3:a:nodejs:node.js::*:*:*:- | >= 8.0.0, <= 8.8.1
    Node.js (LTS) | cpe:2.3:a:nodejs:node.js::*:*:*:lts | >= 8.9.0, < 8.16.1
    Node.js | cpe:2.3:a:nodejs:node.js::*:*:*:- | >= 10.0.0, <= 10.12.0
    Node.js (LTS) | cpe:2.3:a:nodejs:node.js::*:*:*:lts | >= 10.13.0, < 10.16.3
    Node.js | cpe:2.3:a:nodejs:node.js::*:*:*:- | >= 12.0.0, < 12.8.1