[NGINX:CVE-2019-9516] Excessive memory usage in HTTP/2 with zero length headers

Severity Low
Affected Packages 1
Unaffected Packages 2
CVEs 1

Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory.

Package Affected Version
pkg:nginx/nginx >= 1.9.5, <= 1.17.2
Package Unaffected Version
pkg:nginx/nginx >= 1.17.3
pkg:nginx/nginx >= 1.16.1
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:nginx/nginx nginx >= 1.9.5 <= 1.17.2
Unaffected pkg:nginx/nginx nginx >= 1.17.3
Unaffected pkg:nginx/nginx nginx >= 1.16.1
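
The affected and unaffected ranges above overlap when read as plain inequalities: 1.16.1 lies inside ">= 1.9.5, <= 1.17.2", and 1.17.0 satisfies ">= 1.16.1". The following version check is an added example, not part of the advisory or of nginx. It assumes each unaffected entry is the first fixed release of its own branch (1.16.x and 1.17.x), and the inventory data is constructed.

```python
import re

AFFECTED_MIN = (1, 9, 5)    # from the page: affected >= 1.9.5
AFFECTED_MAX = (1, 17, 2)   # from the page: affected <= 1.17.2
# Assumption: the page's "unaffected" entries are per-branch fix points,
# so 1.16.1 fixes only 1.16.x and 1.17.3 fixes only 1.17.x.
FIXED_BY_BRANCH = {(1, 16): (1, 16, 1), (1, 17): (1, 17, 3)}


def parse_version(text):
    """Extract (major, minor, patch) from strings such as 'nginx/1.17.1'."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if match is None:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(text):
    """True if the version falls in the affected range and predates its branch fix."""
    version = parse_version(text)
    if version < AFFECTED_MIN or version > AFFECTED_MAX:
        return False
    fixed = FIXED_BY_BRANCH.get(version[:2])
    # Branches with no listed fix (e.g. 1.14.x) stay affected across the range.
    return fixed is None or version < fixed


def triage(inventory):
    """Map host -> 'affected' / 'unaffected' / 'unknown' from reported versions."""
    result = {}
    for host, reported in inventory.items():
        try:
            result[host] = "affected" if is_affected(reported) else "unaffected"
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed inventory: hostnames and banner strings are illustrative only.
SAMPLE_INVENTORY = {
    "edge-01": "nginx version: nginx/1.16.0",
    "edge-02": "nginx version: nginx/1.16.1",
    "edge-03": "nginx version: nginx/1.17.2",
    "edge-04": "nginx version: nginx/1.17.3",
    "edge-05": "nginx version: nginx/1.14.2",
    "edge-06": "nginx (version hidden)",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

A version string says nothing about distribution backports or whether HTTP/2 is enabled on a listener, so treat an "affected" result as a prompt to check the package changelog and configuration.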