Search

Find a vulnerability

Search criteria

    42 vulnerabilities found for openshift_service_mesh by redhat

    CVE-2025-0752 (GCVE-0-2025-0752)

    Vulnerability from nvd – Published: 2025-01-28 09:29 – Updated: 2026-02-24 08:03
    VLAI
    Title
    Envoyproxy: openshift service mesh envoy http header sanitization bypass leading to dos and unauthorized access
    Summary
    A flaw was found in OpenShift Service Mesh 2.6.3 and 2.5.6. Rate-limiter avoidance, access-control bypass, CPU and memory exhaustion, and replay attacks may be possible due to improper HTTP header sanitization in Envoy.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
    Assigner
    References
    URL Tags
    https://access.redhat.com/security/cve/CVE-2025-0752 vdb-entryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2339115 issue-trackingx_refsource_REDHAT
    Impacted products
    Vendor Product Version
    Affected: 2.6.3 (semver)
    Affected: 2.5.6 (semver)
    Red Hat OpenShift Service Mesh 2     cpe:/a:redhat:service_mesh:2
    Create a notification for this product.
    Date Public
    2025-01-21 00:00
    Credits
    Red Hat would like to thank Antony Di Scala and Michael Whale for reporting this issue.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-0752",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-28T14:35:14.655204Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-28T14:35:24.738Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/openshift-service-mesh/proxy",
              "defaultStatus": "unaffected",
              "packageName": "envoyproxy",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.6.3",
                  "versionType": "semver"
                },
                {
                  "status": "affected",
                  "version": "2.5.6",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:service_mesh:2"
              ],
              "defaultStatus": "affected",
              "packageName": "openshift-service-mesh/proxyv2-rhel8",
              "product": "OpenShift Service Mesh 2",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:service_mesh:2"
              ],
              "defaultStatus": "unaffected",
              "packageName": "openshift-service-mesh/proxyv2-rhel9",
              "product": "OpenShift Service Mesh 2",
              "vendor": "Red Hat"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Red Hat would like to thank Antony Di Scala and Michael Whale for reporting this issue."
            }
          ],
          "datePublic": "2025-01-21T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in OpenShift Service Mesh 2.6.3 and 2.5.6. Rate-limiter avoidance, access-control bypass, CPU and memory exhaustion, and replay attacks may be possible due to improper HTTP header sanitization in Envoy."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Important"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-444",
                  "description": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-24T08:03:27.631Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2025-0752"
            },
            {
              "name": "RHBZ#2339115",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339115"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-01-21T12:07:54.692Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2025-01-21T00:00:00.000Z",
              "value": "Made public."
            }
          ],
          "title": "Envoyproxy: openshift service mesh envoy http header sanitization bypass leading to dos and unauthorized access",
          "workarounds": [
            {
              "lang": "en",
              "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2025-0752",
        "datePublished": "2025-01-28T09:29:33.073Z",
        "dateReserved": "2025-01-27T14:16:01.506Z",
        "dateUpdated": "2026-02-24T08:03:27.631Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-44487 (GCVE-0-2023-44487)

    Vulnerability from nvd – Published: 2023-10-10 00:00 – Updated: 2026-05-12 10:52
    VLAI CISA KEVIntel
    Summary
    The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
    SSVC
    Exploitation: active Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    URL Tags
    https://github.com/dotnet/core/blob/e4613450ea0da…
    https://blog.cloudflare.com/technical-breakdown-h…
    https://aws.amazon.com/security/security-bulletin…
    https://cloud.google.com/blog/products/identity-s…
    https://www.nginx.com/blog/http-2-rapid-reset-att…
    https://cloud.google.com/blog/products/identity-s…
    https://news.ycombinator.com/item?id=37831062
    https://blog.cloudflare.com/zero-day-rapid-reset-…
    https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack
    https://github.com/envoyproxy/envoy/pull/30055
    https://github.com/haproxy/haproxy/issues/2312
    https://github.com/eclipse/jetty.project/issues/10679
    https://forums.swift.org/t/swift-nio-http2-securi…
    https://github.com/nghttp2/nghttp2/pull/1961
    https://github.com/netty/netty/commit/58f75f665aa…
    https://github.com/alibaba/tengine/issues/1872
    https://github.com/apache/tomcat/tree/main/java/o…
    https://news.ycombinator.com/item?id=37830987
    https://news.ycombinator.com/item?id=37830998
    https://github.com/caddyserver/caddy/issues/5877
    https://www.bleepingcomputer.com/news/security/ne…
    https://github.com/bcdannyboy/CVE-2023-44487
    https://github.com/grpc/grpc-go/pull/6703
    https://github.com/icing/mod_h2/blob/0a864782af0a…
    https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0
    https://mailman.nginx.org/pipermail/nginx-devel/2…
    https://my.f5.com/manage/s/article/K000137106
    https://msrc.microsoft.com/blog/2023/10/microsoft…
    https://bugzilla.proxmox.com/show_bug.cgi?id=4988
    https://cgit.freebsd.org/ports/commit/?id=c64c329…
    http://www.openwall.com/lists/oss-security/2023/10/10/7 mailing-list
    http://www.openwall.com/lists/oss-security/2023/10/10/6 mailing-list
    https://seanmonstar.com/post/730794151136935936/h…
    https://github.com/microsoft/CBL-Mariner/pull/6381
    https://groups.google.com/g/golang-announce/c/iNN…
    https://github.com/facebook/proxygen/pull/466
    https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a…
    https://github.com/micrictor/http2-rst-stream
    https://edg.io/lp/blog/resets-leaks-ddos-and-the-…
    https://openssf.org/blog/2023/10/10/http-2-rapid-…
    https://github.com/h2o/h2o/security/advisories/GH…
    https://github.com/h2o/h2o/pull/3291
    https://github.com/nodejs/node/pull/50121
    https://github.com/dotnet/announcements/issues/277
    https://github.com/golang/go/issues/63417
    https://github.com/advisories/GHSA-vx74-f528-fxqg
    https://github.com/apache/trafficserver/pull/10564
    https://msrc.microsoft.com/update-guide/vulnerabi…
    https://tomcat.apache.org/security-10.html#Fixed_…
    https://lists.apache.org/thread/5py8h42mxfsn8l1wy…
    https://www.openwall.com/lists/oss-security/2023/…
    https://www.haproxy.com/blog/haproxy-is-not-affec…
    https://github.com/opensearch-project/data-preppe…
    https://github.com/kubernetes/kubernetes/pull/121120
    https://github.com/oqtane/oqtane.framework/discus…
    https://github.com/advisories/GHSA-xpw8-rcwv-8f8p
    https://netty.io/news/2023/10/10/4-1-100-Final.html
    https://www.cisa.gov/news-events/alerts/2023/10/1…
    https://www.theregister.com/2023/10/10/http2_rapi…
    https://blog.qualys.com/vulnerabilities-threat-re…
    https://news.ycombinator.com/item?id=37837043
    https://github.com/kazu-yamamoto/http2/issues/93
    https://martinthomson.github.io/h2-stream-limits/…
    https://github.com/kazu-yamamoto/http2/commit/f61…
    https://github.com/apache/httpd/blob/afcdbeebbff4…
    https://www.debian.org/security/2023/dsa-5522 vendor-advisory
    https://www.debian.org/security/2023/dsa-5521 vendor-advisory
    https://access.redhat.com/security/cve/cve-2023-44487
    https://github.com/ninenines/cowboy/issues/1615
    https://github.com/varnishcache/varnish-cache/iss…
    https://github.com/tempesta-tech/tempesta/issues/1986
    https://blog.vespa.ai/cve-2023-44487/
    https://github.com/etcd-io/etcd/issues/16740
    https://www.darkreading.com/cloud/internet-wide-z…
    https://istio.io/latest/news/security/istio-secur…
    https://github.com/junkurihara/rust-rpxy/issues/97
    https://bugzilla.suse.com/show_bug.cgi?id=1216123
    https://bugzilla.redhat.com/show_bug.cgi?id=2242803
    https://ubuntu.com/security/CVE-2023-44487
    https://community.traefik.io/t/is-traefik-vulnera…
    https://github.com/advisories/GHSA-qppj-fm5r-hxr3
    https://github.com/apache/httpd-site/pull/10
    https://github.com/projectcontour/contour/pull/5826
    https://github.com/linkerd/website/pull/1695/comm…
    https://github.com/line/armeria/pull/5232
    https://blog.litespeedtech.com/2023/10/11/rapid-r…
    https://security.paloaltonetworks.com/CVE-2023-44487
    https://github.com/akka/akka-http/issues/4323
    https://github.com/openresty/openresty/issues/930
    https://github.com/apache/apisix/issues/10320
    https://github.com/Azure/AKS/issues/3947
    https://github.com/Kong/kong/discussions/11741
    https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487
    https://www.netlify.com/blog/netlify-successfully…
    https://github.com/caddyserver/caddy/releases/tag…
    https://lists.debian.org/debian-lts-announce/2023… mailing-list
    http://www.openwall.com/lists/oss-security/2023/10/13/4 mailing-list
    http://www.openwall.com/lists/oss-security/2023/10/13/9 mailing-list
    https://arstechnica.com/security/2023/10/how-ddos…
    https://lists.w3.org/Archives/Public/ietf-http-wg…
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/
    https://lists.debian.org/debian-lts-announce/2023… mailing-list
    https://security.netapp.com/advisory/ntap-2023101…
    https://lists.debian.org/debian-lts-announce/2023… mailing-list
    http://www.openwall.com/lists/oss-security/2023/10/18/4 mailing-list
    http://www.openwall.com/lists/oss-security/2023/10/18/8 mailing-list
    http://www.openwall.com/lists/oss-security/2023/10/19/6 mailing-list
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    http://www.openwall.com/lists/oss-security/2023/10/20/8 mailing-list
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.debian.org/debian-lts-announce/2023… mailing-list
    https://www.debian.org/security/2023/dsa-5540 vendor-advisory
    https://lists.debian.org/debian-lts-announce/2023… mailing-list
    https://discuss.hashicorp.com/t/hcsec-2023-32-vau…
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.debian.org/debian-lts-announce/2023… mailing-list
    https://www.debian.org/security/2023/dsa-5549 vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://www.debian.org/security/2023/dsa-5558 vendor-advisory
    https://lists.debian.org/debian-lts-announce/2023… mailing-list
    https://security.gentoo.org/glsa/202311-09 vendor-advisory
    https://www.debian.org/security/2023/dsa-5570 vendor-advisory
    https://security.netapp.com/advisory/ntap-2024042…
    https://security.netapp.com/advisory/ntap-2024062…
    https://security.netapp.com/advisory/ntap-2024062…
    https://github.com/grpc/grpc/releases/tag/v1.59.2
    https://sec.cloudapps.cisco.com/security/center/c…
    https://www.cisa.gov/known-exploited-vulnerabilit… government-resource
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://www.vicarius.io/vsociety/posts/rapid-rese…
    http://www.openwall.com/lists/oss-security/2025/08/13/6
    https://cert-portal.siemens.com/productcert/html/…
    https://cert-portal.siemens.com/productcert/html/…
    https://cert-portal.siemens.com/productcert/html/…
    https://cert-portal.siemens.com/productcert/html/…
    https://cert-portal.siemens.com/productcert/html/…
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:ietf:http:2.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "http",
                "vendor": "ietf",
                "versions": [
                  {
                    "status": "affected",
                    "version": "2.0"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-44487",
                    "options": [
                      {
                        "Exploitation": "active"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-23T20:34:21.334116Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              },
              {
                "other": {
                  "content": {
                    "dateAdded": "2023-10-10",
                    "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-44487"
                  },
                  "type": "kev"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-400",
                    "description": "CWE-400 Uncontrolled Resource Consumption",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-21T23:05:35.187Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "government-resource"
                ],
                "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-44487"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2023-10-10T00:00:00.000Z",
                "value": "CVE-2023-44487 added to CISA KEV"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-04T21:08:27.383Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://news.ycombinator.com/item?id=37831062"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/envoyproxy/envoy/pull/30055"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/haproxy/haproxy/issues/2312"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/eclipse/jetty.project/issues/10679"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/nghttp2/nghttp2/pull/1961"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/alibaba/tengine/issues/1872"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://news.ycombinator.com/item?id=37830987"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://news.ycombinator.com/item?id=37830998"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/caddyserver/caddy/issues/5877"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/bcdannyboy/CVE-2023-44487"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/grpc/grpc-go/pull/6703"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://my.f5.com/manage/s/article/K000137106"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/microsoft/CBL-Mariner/pull/6381"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/facebook/proxygen/pull/466"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/micrictor/http2-rst-stream"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/h2o/h2o/pull/3291"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/nodejs/node/pull/50121"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/dotnet/announcements/issues/277"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/golang/go/issues/63417"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/advisories/GHSA-vx74-f528-fxqg"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/apache/trafficserver/pull/10564"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.openwall.com/lists/oss-security/2023/10/10/6"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/opensearch-project/data-prepper/issues/3474"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/kubernetes/kubernetes/pull/121120"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/oqtane/oqtane.framework/discussions/3367"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://netty.io/news/2023/10/10/4-1-100-Final.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://news.ycombinator.com/item?id=37837043"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/kazu-yamamoto/http2/issues/93"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113"
              },
              {
                "name": "DSA-5522",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5522"
              },
              {
                "name": "DSA-5521",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5521"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/security/cve/cve-2023-44487"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/ninenines/cowboy/issues/1615"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/varnishcache/varnish-cache/issues/3996"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/tempesta-tech/tempesta/issues/1986"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://blog.vespa.ai/cve-2023-44487/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/etcd-io/etcd/issues/16740"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://istio.io/latest/news/security/istio-security-2023-004/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/junkurihara/rust-rpxy/issues/97"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://bugzilla.suse.com/show_bug.cgi?id=1216123"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://ubuntu.com/security/CVE-2023-44487"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/apache/httpd-site/pull/10"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/projectcontour/contour/pull/5826"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/line/armeria/pull/5232"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.paloaltonetworks.com/CVE-2023-44487"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/akka/akka-http/issues/4323"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/openresty/openresty/issues/930"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/apache/apisix/issues/10320"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/Azure/AKS/issues/3947"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/Kong/kong/discussions/11741"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/caddyserver/caddy/releases/tag/v2.7.5"
              },
              {
                "name": "[debian-lts-announce] 20231013 [SECURITY] [DLA 3617-1] tomcat9 security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html"
              },
              {
                "name": "[oss-security] 20231013 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2023/10/13/4"
              },
              {
                "name": "[oss-security] 20231013 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2023/10/13/9"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html"
              },
              {
                "name": "FEDORA-2023-ed2642fd58",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/"
              },
              {
                "name": "[debian-lts-announce] 20231016 [SECURITY] [DLA 3621-1] nghttp2 security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20231016-0001/"
              },
              {
                "name": "[debian-lts-announce] 20231016 [SECURITY] [DLA 3617-2] tomcat9 regression update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html"
              },
              {
                "name": "[oss-security] 20231018 Vulnerability in Jenkins",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2023/10/18/4"
              },
              {
                "name": "[oss-security] 20231018 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2023/10/18/8"
              },
              {
                "name": "[oss-security] 20231019 CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2023/10/19/6"
              },
              {
                "name": "FEDORA-2023-54fadada12",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/"
              },
              {
                "name": "FEDORA-2023-5ff7bf1dd8",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/"
              },
              {
                "name": "[oss-security] 20231020 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2023/10/20/8"
              },
              {
                "name": "FEDORA-2023-17efd3f2cd",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/"
              },
              {
                "name": "FEDORA-2023-d5030c983c",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/"
              },
              {
                "name": "FEDORA-2023-0259c3f26f",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/"
              },
              {
                "name": "FEDORA-2023-2a9214af5f",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/"
              },
              {
                "name": "FEDORA-2023-e9c04d81c1",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/"
              },
              {
                "name": "FEDORA-2023-f66fc0f62a",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/"
              },
              {
                "name": "FEDORA-2023-4d2fd884ea",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/"
              },
              {
                "name": "FEDORA-2023-b2c50535cb",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/"
              },
              {
                "name": "FEDORA-2023-fe53e13b5b",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/"
              },
              {
                "name": "FEDORA-2023-4bf641255e",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/"
              },
              {
                "name": "[debian-lts-announce] 20231030 [SECURITY] [DLA 3641-1] jetty9 security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html"
              },
              {
                "name": "DSA-5540",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5540"
              },
              {
                "name": "[debian-lts-announce] 20231031 [SECURITY] [DLA 3638-1] h2o security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715"
              },
              {
                "name": "FEDORA-2023-1caffb88af",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/"
              },
              {
                "name": "FEDORA-2023-3f70b8d406",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/"
              },
              {
                "name": "FEDORA-2023-7b52921cae",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/"
              },
              {
                "name": "FEDORA-2023-7934802344",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/"
              },
              {
                "name": "FEDORA-2023-dbe64661af",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/"
              },
              {
                "name": "FEDORA-2023-822aab0a5a",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/"
              },
              {
                "name": "[debian-lts-announce] 20231105 [SECURITY] [DLA 3645-1] trafficserver security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html"
              },
              {
                "name": "DSA-5549",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5549"
              },
              {
                "name": "FEDORA-2023-c0c6a91330",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/"
              },
              {
                "name": "FEDORA-2023-492b7be466",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/"
              },
              {
                "name": "DSA-5558",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5558"
              },
              {
                "name": "[debian-lts-announce] 20231119 [SECURITY] [DLA 3656-1] netty security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00012.html"
              },
              {
                "name": "GLSA-202311-09",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202311-09"
              },
              {
                "name": "DSA-5570",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5570"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20240426-0007/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20240621-0006/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20240621-0007/"
              },
              {
                "url": "https://www.vicarius.io/vsociety/posts/rapid-reset-cve-2023-44487-dos-in-http2-understanding-the-root-cause"
              },
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/08/13/6"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "defaultStatus": "unknown",
                "product": "RUGGEDCOM APE1808",
                "vendor": "Siemens",
                "versions": [
                  {
                    "lessThan": "*",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "defaultStatus": "unknown",
                "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
                "vendor": "Siemens",
                "versions": [
                  {
                    "lessThan": "*",
                    "status": "affected",
                    "version": "V3.1.5",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "defaultStatus": "unknown",
                "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
                "vendor": "Siemens",
                "versions": [
                  {
                    "lessThan": "*",
                    "status": "affected",
                    "version": "V3.1.5",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "defaultStatus": "unknown",
                "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
                "vendor": "Siemens",
                "versions": [
                  {
                    "lessThan": "*",
                    "status": "affected",
                    "version": "V3.1.5",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "defaultStatus": "unknown",
                "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
                "vendor": "Siemens",
                "versions": [
                  {
                    "lessThan": "*",
                    "status": "affected",
                    "version": "V3.1.5",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "defaultStatus": "unknown",
                "product": "SINEC NMS",
                "vendor": "Siemens",
                "versions": [
                  {
                    "lessThan": "V3.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "defaultStatus": "unknown",
                "product": "SIPLUS S7-1500 CPU 1518-4 PN/DP MFP",
                "vendor": "Siemens",
                "versions": [
                  {
                    "lessThan": "*",
                    "status": "affected",
                    "version": "V3.1.5",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-12T10:52:23.784Z",
              "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
              "shortName": "siemens-SADP"
            },
            "references": [
              {
                "url": "https://cert-portal.siemens.com/productcert/html/ssa-832273.html"
              },
              {
                "url": "https://cert-portal.siemens.com/productcert/html/ssa-341067.html"
              },
              {
                "url": "https://cert-portal.siemens.com/productcert/html/ssa-784301.html"
              },
              {
                "url": "https://cert-portal.siemens.com/productcert/html/ssa-915275.html"
              },
              {
                "url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
              }
            ],
            "x_adpType": "supplier"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-07T20:05:34.376Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73"
            },
            {
              "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/"
            },
            {
              "url": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/"
            },
            {
              "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack"
            },
            {
              "url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/"
            },
            {
              "url": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/"
            },
            {
              "url": "https://news.ycombinator.com/item?id=37831062"
            },
            {
              "url": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/"
            },
            {
              "url": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack"
            },
            {
              "url": "https://github.com/envoyproxy/envoy/pull/30055"
            },
            {
              "url": "https://github.com/haproxy/haproxy/issues/2312"
            },
            {
              "url": "https://github.com/eclipse/jetty.project/issues/10679"
            },
            {
              "url": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764"
            },
            {
              "url": "https://github.com/nghttp2/nghttp2/pull/1961"
            },
            {
              "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61"
            },
            {
              "url": "https://github.com/alibaba/tengine/issues/1872"
            },
            {
              "url": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2"
            },
            {
              "url": "https://news.ycombinator.com/item?id=37830987"
            },
            {
              "url": "https://news.ycombinator.com/item?id=37830998"
            },
            {
              "url": "https://github.com/caddyserver/caddy/issues/5877"
            },
            {
              "url": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/"
            },
            {
              "url": "https://github.com/bcdannyboy/CVE-2023-44487"
            },
            {
              "url": "https://github.com/grpc/grpc-go/pull/6703"
            },
            {
              "url": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244"
            },
            {
              "url": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0"
            },
            {
              "url": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html"
            },
            {
              "url": "https://my.f5.com/manage/s/article/K000137106"
            },
            {
              "url": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/"
            },
            {
              "url": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988"
            },
            {
              "url": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9"
            },
            {
              "name": "[oss-security] 20231010 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2023/10/10/7"
            },
            {
              "name": "[oss-security] 20231010 CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2023/10/10/6"
            },
            {
              "url": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected"
            },
            {
              "url": "https://github.com/microsoft/CBL-Mariner/pull/6381"
            },
            {
              "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo"
            },
            {
              "url": "https://github.com/facebook/proxygen/pull/466"
            },
            {
              "url": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088"
            },
            {
              "url": "https://github.com/micrictor/http2-rst-stream"
            },
            {
              "url": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve"
            },
            {
              "url": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/"
            },
            {
              "url": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf"
            },
            {
              "url": "https://github.com/h2o/h2o/pull/3291"
            },
            {
              "url": "https://github.com/nodejs/node/pull/50121"
            },
            {
              "url": "https://github.com/dotnet/announcements/issues/277"
            },
            {
              "url": "https://github.com/golang/go/issues/63417"
            },
            {
              "url": "https://github.com/advisories/GHSA-vx74-f528-fxqg"
            },
            {
              "url": "https://github.com/apache/trafficserver/pull/10564"
            },
            {
              "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487"
            },
            {
              "url": "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14"
            },
            {
              "url": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q"
            },
            {
              "url": "https://www.openwall.com/lists/oss-security/2023/10/10/6"
            },
            {
              "url": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487"
            },
            {
              "url": "https://github.com/opensearch-project/data-prepper/issues/3474"
            },
            {
              "url": "https://github.com/kubernetes/kubernetes/pull/121120"
            },
            {
              "url": "https://github.com/oqtane/oqtane.framework/discussions/3367"
            },
            {
              "url": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p"
            },
            {
              "url": "https://netty.io/news/2023/10/10/4-1-100-Final.html"
            },
            {
              "url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487"
            },
            {
              "url": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/"
            },
            {
              "url": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack"
            },
            {
              "url": "https://news.ycombinator.com/item?id=37837043"
            },
            {
              "url": "https://github.com/kazu-yamamoto/http2/issues/93"
            },
            {
              "url": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html"
            },
            {
              "url": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1"
            },
            {
              "url": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113"
            },
            {
              "name": "DSA-5522",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.debian.org/security/2023/dsa-5522"
            },
            {
              "name": "DSA-5521",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.debian.org/security/2023/dsa-5521"
            },
            {
              "url": "https://access.redhat.com/security/cve/cve-2023-44487"
            },
            {
              "url": "https://github.com/ninenines/cowboy/issues/1615"
            },
            {
              "url": "https://github.com/varnishcache/varnish-cache/issues/3996"
            },
            {
              "url": "https://github.com/tempesta-tech/tempesta/issues/1986"
            },
            {
              "url": "https://blog.vespa.ai/cve-2023-44487/"
            },
            {
              "url": "https://github.com/etcd-io/etcd/issues/16740"
            },
            {
              "url": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event"
            },
            {
              "url": "https://istio.io/latest/news/security/istio-security-2023-004/"
            },
            {
              "url": "https://github.com/junkurihara/rust-rpxy/issues/97"
            },
            {
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=1216123"
            },
            {
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803"
            },
            {
              "url": "https://ubuntu.com/security/CVE-2023-44487"
            },
            {
              "url": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125"
            },
            {
              "url": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3"
            },
            {
              "url": "https://github.com/apache/httpd-site/pull/10"
            },
            {
              "url": "https://github.com/projectcontour/contour/pull/5826"
            },
            {
              "url": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632"
            },
            {
              "url": "https://github.com/line/armeria/pull/5232"
            },
            {
              "url": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/"
            },
            {
              "url": "https://security.paloaltonetworks.com/CVE-2023-44487"
            },
            {
              "url": "https://github.com/akka/akka-http/issues/4323"
            },
            {
              "url": "https://github.com/openresty/openresty/issues/930"
            },
            {
              "url": "https://github.com/apache/apisix/issues/10320"
            },
            {
              "url": "https://github.com/Azure/AKS/issues/3947"
            },
            {
              "url": "https://github.com/Kong/kong/discussions/11741"
            },
            {
              "url": "https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487"
            },
            {
              "url": "https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/"
            },
            {
              "url": "https://github.com/caddyserver/caddy/releases/tag/v2.7.5"
            },
            {
              "name": "[debian-lts-announce] 20231013 [SECURITY] [DLA 3617-1] tomcat9 security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html"
            },
            {
              "name": "[oss-security] 20231013 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2023/10/13/4"
            },
            {
              "name": "[oss-security] 20231013 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2023/10/13/9"
            },
            {
              "url": "https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/"
            },
            {
              "url": "https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html"
            },
            {
              "name": "FEDORA-2023-ed2642fd58",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/"
            },
            {
              "url": "https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/"
            },
            {
              "name": "[debian-lts-announce] 20231016 [SECURITY] [DLA 3621-1] nghttp2 security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20231016-0001/"
            },
            {
              "name": "[debian-lts-announce] 20231016 [SECURITY] [DLA 3617-2] tomcat9 regression update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html"
            },
            {
              "name": "[oss-security] 20231018 Vulnerability in Jenkins",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2023/10/18/4"
            },
            {
              "name": "[oss-security] 20231018 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2023/10/18/8"
            },
            {
              "name": "[oss-security] 20231019 CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2023/10/19/6"
            },
            {
              "name": "FEDORA-2023-54fadada12",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/"
            },
            {
              "name": "FEDORA-2023-5ff7bf1dd8",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/"
            },
            {
              "name": "[oss-security] 20231020 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2023/10/20/8"
            },
            {
              "name": "FEDORA-2023-17efd3f2cd",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/"
            },
            {
              "name": "FEDORA-2023-d5030c983c",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/"
            },
            {
              "name": "FEDORA-2023-0259c3f26f",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/"
            },
            {
              "name": "FEDORA-2023-2a9214af5f",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/"
            },
            {
              "name": "FEDORA-2023-e9c04d81c1",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/"
            },
            {
              "name": "FEDORA-2023-f66fc0f62a",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/"
            },
            {
              "name": "FEDORA-2023-4d2fd884ea",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/"
            },
            {
              "name": "FEDORA-2023-b2c50535cb",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/"
            },
            {
              "name": "FEDORA-2023-fe53e13b5b",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/"
            },
            {
              "name": "FEDORA-2023-4bf641255e",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/"
            },
            {
              "name": "[debian-lts-announce] 20231030 [SECURITY] [DLA 3641-1] jetty9 security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html"
            },
            {
              "name": "DSA-5540",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.debian.org/security/2023/dsa-5540"
            },
            {
              "name": "[debian-lts-announce] 20231031 [SECURITY] [DLA 3638-1] h2o security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html"
            },
            {
              "url": "https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715"
            },
            {
              "name": "FEDORA-2023-1caffb88af",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/"
            },
            {
              "name": "FEDORA-2023-3f70b8d406",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/"
            },
            {
              "name": "FEDORA-2023-7b52921cae",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/"
            },
            {
              "name": "FEDORA-2023-7934802344",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/"
            },
            {
              "name": "FEDORA-2023-dbe64661af",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/"
            },
            {
              "name": "FEDORA-2023-822aab0a5a",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/"
            },
            {
              "name": "[debian-lts-announce] 20231105 [SECURITY] [DLA 3645-1] trafficserver security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html"
            },
            {
              "name": "DSA-5549",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.debian.org/security/2023/dsa-5549"
            },
            {
              "name": "FEDORA-2023-c0c6a91330",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/"
            },
            {
              "name": "FEDORA-2023-492b7be466",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/"
            },
            {
              "name": "DSA-5558",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.debian.org/security/2023/dsa-5558"
            },
            {
              "name": "[debian-lts-announce] 20231119 [SECURITY] [DLA 3656-1] netty security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00012.html"
            },
            {
              "name": "GLSA-202311-09",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202311-09"
            },
            {
              "name": "DSA-5570",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.debian.org/security/2023/dsa-5570"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20240426-0007/"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20240621-0006/"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20240621-0007/"
            },
            {
              "url": "https://github.com/grpc/grpc/releases/tag/v1.59.2"
            },
            {
              "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http2-reset-d8Kf32vZ"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2023-44487",
        "datePublished": "2023-10-10T00:00:00.000Z",
        "dateReserved": "2023-09-29T00:00:00.000Z",
        "dateUpdated": "2026-05-12T10:52:23.784Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-3962 (GCVE-0-2022-3962)

    Vulnerability from nvd – Published: 2023-09-23 19:00 – Updated: 2024-08-03 01:27
    VLAI
    Title
    Kiali: error message spoofing in kiali ui
    Summary
    A content spoofing vulnerability was found in Kiali. It was discovered that Kiali does not implement error handling when the page or endpoint being accessed cannot be found. This issue allows an attacker to perform arbitrary text injection when an error response is retrieved from the URL being accessed.
    CWE
    • CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2023:0542 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/security/cve/CVE-2022-3962 vdb-entryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2148661 issue-trackingx_refsource_REDHAT
    Impacted products
    Vendor Product Version
    Red Hat Red Hat OpenShift Service Mesh 2.3 for RHEL 8 Unaffected: 1.57.5-3 , < * (rpm)
        cpe:/a:redhat:service_mesh:2.3::el8
    Create a notification for this product.
    Red Hat OpenShift Service Mesh 2.1     cpe:/a:redhat:service_mesh:2.1
    Create a notification for this product.
    Date Public
    2022-11-22 00:00
    Credits
    This issue was discovered by John Mazzitelli (Red Hat).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T01:27:53.126Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2023:0542",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2023:0542"
              },
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2022-3962"
              },
              {
                "name": "RHBZ#2148661",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148661"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:service_mesh:2.3::el8"
              ],
              "defaultStatus": "affected",
              "packageName": "openshift-service-mesh/kiali-rhel8",
              "product": "Red Hat OpenShift Service Mesh 2.3 for RHEL 8",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.57.5-3",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:service_mesh:2.1"
              ],
              "defaultStatus": "affected",
              "packageName": "openshift-service-mesh/kiali-rhel8",
              "product": "OpenShift Service Mesh 2.1",
              "vendor": "Red Hat"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "This issue was discovered by John Mazzitelli (Red Hat)."
            }
          ],
          "datePublic": "2022-11-22T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A content spoofing vulnerability was found in Kiali. It was discovered that Kiali does not implement error handling when the page or endpoint being accessed cannot be found. This issue allows an attacker to perform arbitrary text injection when an error response is retrieved from the URL being accessed."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Low"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-03T15:32:26.058Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2023:0542",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2023:0542"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2022-3962"
            },
            {
              "name": "RHBZ#2148661",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148661"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2022-11-11T00:00:00.000Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2022-11-22T00:00:00.000Z",
              "value": "Made public."
            }
          ],
          "title": "Kiali: error message spoofing in kiali ui",
          "x_redhatCweChain": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2022-3962",
        "datePublished": "2023-09-23T19:00:54.200Z",
        "dateReserved": "2022-11-12T00:20:34.872Z",
        "dateUpdated": "2024-08-03T01:27:53.126Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-3586 (GCVE-0-2021-3586)

    Vulnerability from nvd – Published: 2022-08-22 14:46 – Updated: 2024-08-03 17:01
    VLAI
    Summary
    A flaw was found in servicemesh-operator. The NetworkPolicy resources installed for Maistra do not properly specify which ports may be accessed, allowing access to all ports on these resources from any pod. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
    Severity
    No CVSS data available.
    CWE
    • CWE-1188 - - Insecure Default Initialization of Resource
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a servicemesh-operator Affected: Affects v2.0.5.1, Fixed in v2.0.5.2.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T17:01:07.389Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1967738"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2021-3586"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "servicemesh-operator",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "Affects v2.0.5.1, Fixed in v2.0.5.2."
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in servicemesh-operator. The NetworkPolicy resources installed for Maistra do not properly specify which ports may be accessed, allowing access to all ports on these resources from any pod. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1188",
                  "description": "CWE-1188 - Insecure Default Initialization of Resource",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-08-22T14:46:32.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1967738"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2021-3586"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2021-3586",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "servicemesh-operator",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Affects v2.0.5.1, Fixed in v2.0.5.2."
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A flaw was found in servicemesh-operator. The NetworkPolicy resources installed for Maistra do not properly specify which ports may be accessed, allowing access to all ports on these resources from any pod. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-1188 - Insecure Default Initialization of Resource"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1967738",
                  "refsource": "MISC",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1967738"
                },
                {
                  "name": "https://access.redhat.com/security/cve/CVE-2021-3586",
                  "refsource": "MISC",
                  "url": "https://access.redhat.com/security/cve/CVE-2021-3586"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2021-3586",
        "datePublished": "2022-08-22T14:46:32.000Z",
        "dateReserved": "2021-06-07T00:00:00.000Z",
        "dateUpdated": "2024-08-03T17:01:07.389Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-3495 (GCVE-0-2021-3495)

    Vulnerability from nvd – Published: 2021-06-01 13:31 – Updated: 2024-08-03 16:53
    VLAI
    Summary
    An incorrect access control flaw was found in the kiali-operator in versions before 1.33.0 and before 1.24.7. This flaw allows an attacker with a basic level of access to the cluster (to deploy a kiali operand) to use this vulnerability and deploy a given image to anywhere in the cluster, potentially gaining access to privileged service account tokens. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a kiali/kiali-operator Affected: kiali/kiali-operator 1.33.0, kiali/kiali-operator 1.24.7
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T16:53:17.829Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1947361"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://kiali.io/news/security-bulletins/kiali-security-003/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kiali/kiali-operator",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "kiali/kiali-operator 1.33.0, kiali/kiali-operator 1.24.7"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An incorrect access control flaw was found in the kiali-operator in versions before 1.33.0 and before 1.24.7. This flaw allows an attacker with a basic level of access to the cluster (to deploy a kiali operand) to use this vulnerability and deploy a given image to anywhere in the cluster, potentially gaining access to privileged service account tokens. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-281",
                  "description": "CWE-281",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-06-01T13:31:32.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1947361"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://kiali.io/news/security-bulletins/kiali-security-003/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2021-3495",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "kiali/kiali-operator",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "kiali/kiali-operator 1.33.0, kiali/kiali-operator 1.24.7"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An incorrect access control flaw was found in the kiali-operator in versions before 1.33.0 and before 1.24.7. This flaw allows an attacker with a basic level of access to the cluster (to deploy a kiali operand) to use this vulnerability and deploy a given image to anywhere in the cluster, potentially gaining access to privileged service account tokens. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-281"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1947361",
                  "refsource": "MISC",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1947361"
                },
                {
                  "name": "https://kiali.io/news/security-bulletins/kiali-security-003/",
                  "refsource": "MISC",
                  "url": "https://kiali.io/news/security-bulletins/kiali-security-003/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2021-3495",
        "datePublished": "2021-06-01T13:31:32.000Z",
        "dateReserved": "2021-04-12T00:00:00.000Z",
        "dateUpdated": "2024-08-03T16:53:17.829Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-25014 (GCVE-0-2019-25014)

    Vulnerability from nvd – Published: 2021-01-29 06:00 – Updated: 2024-08-05 03:00
    VLAI
    Summary
    A NULL pointer dereference was found in pkg/proxy/envoy/v2/debug.go getResourceVersion in Istio pilot before 1.5.0-alpha.0. If a particular HTTP GET request is made to the pilot API endpoint, it is possible to cause the Go runtime to panic (resulting in a denial of service to the istio-pilot application).
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T03:00:18.878Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/istio/istio/compare/1.4.2...1.5.0-alpha.0"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1919066"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A NULL pointer dereference was found in pkg/proxy/envoy/v2/debug.go getResourceVersion in Istio pilot before 1.5.0-alpha.0. If a particular HTTP GET request is made to the pilot API endpoint, it is possible to cause the Go runtime to panic (resulting in a denial of service to the istio-pilot application)."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-01-29T06:00:23.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/istio/istio/compare/1.4.2...1.5.0-alpha.0"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1919066"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2019-25014",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A NULL pointer dereference was found in pkg/proxy/envoy/v2/debug.go getResourceVersion in Istio pilot before 1.5.0-alpha.0. If a particular HTTP GET request is made to the pilot API endpoint, it is possible to cause the Go runtime to panic (resulting in a denial of service to the istio-pilot application)."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/istio/istio/compare/1.4.2...1.5.0-alpha.0",
                  "refsource": "MISC",
                  "url": "https://github.com/istio/istio/compare/1.4.2...1.5.0-alpha.0"
                },
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1919066",
                  "refsource": "MISC",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1919066"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2019-25014",
        "datePublished": "2021-01-29T06:00:23.000Z",
        "dateReserved": "2021-01-21T00:00:00.000Z",
        "dateUpdated": "2024-08-05T03:00:18.878Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-27846 (GCVE-0-2020-27846)

    Vulnerability from nvd – Published: 2020-12-21 15:16 – Updated: 2024-08-04 16:25
    VLAI
    Summary
    A signature verification vulnerability exists in crewjam/saml. This flaw allows an attacker to bypass SAML Authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
    Severity
    No CVSS data available.
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    n/a crewjam/saml Affected: grafana-7.3.6, grafana-7.2.3, grafana-6.7.5, github.com/crewjam/saml-0.4.3
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T16:25:43.248Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1907670"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/crewjam/saml/security/advisories/GHSA-4hq8-gmxx-h6w9"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://grafana.com/blog/2020/12/17/grafana-6.7.5-7.2.3-and-7.3.6-released-with-important-security-fix-for-grafana-enterprise/"
              },
              {
                "name": "FEDORA-2020-968067abfa",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YUTKIRWT6TWU7DS6GF3EOANVQBFQZYI/"
              },
              {
                "name": "FEDORA-2020-64e54abd9f",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ICP3YRY2VUCNCF2VFUSK77ZMRIC77FEM/"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20210205-0002/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "crewjam/saml",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "grafana-7.3.6, grafana-7.2.3, grafana-6.7.5, github.com/crewjam/saml-0.4.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A signature verification vulnerability exists in crewjam/saml. This flaw allows an attacker to bypass SAML Authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-115",
                  "description": "CWE-115",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-02-05T11:06:13.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1907670"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/crewjam/saml/security/advisories/GHSA-4hq8-gmxx-h6w9"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://grafana.com/blog/2020/12/17/grafana-6.7.5-7.2.3-and-7.3.6-released-with-important-security-fix-for-grafana-enterprise/"
            },
            {
              "name": "FEDORA-2020-968067abfa",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YUTKIRWT6TWU7DS6GF3EOANVQBFQZYI/"
            },
            {
              "name": "FEDORA-2020-64e54abd9f",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ICP3YRY2VUCNCF2VFUSK77ZMRIC77FEM/"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20210205-0002/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2020-27846",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "crewjam/saml",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "grafana-7.3.6, grafana-7.2.3, grafana-6.7.5, github.com/crewjam/saml-0.4.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A signature verification vulnerability exists in crewjam/saml. This flaw allows an attacker to bypass SAML Authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-115"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1907670",
                  "refsource": "MISC",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1907670"
                },
                {
                  "name": "https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/",
                  "refsource": "MISC",
                  "url": "https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/"
                },
                {
                  "name": "https://github.com/crewjam/saml/security/advisories/GHSA-4hq8-gmxx-h6w9",
                  "refsource": "MISC",
                  "url": "https://github.com/crewjam/saml/security/advisories/GHSA-4hq8-gmxx-h6w9"
                },
                {
                  "name": "https://grafana.com/blog/2020/12/17/grafana-6.7.5-7.2.3-and-7.3.6-released-with-important-security-fix-for-grafana-enterprise/",
                  "refsource": "MISC",
                  "url": "https://grafana.com/blog/2020/12/17/grafana-6.7.5-7.2.3-and-7.3.6-released-with-important-security-fix-for-grafana-enterprise/"
                },
                {
                  "name": "FEDORA-2020-968067abfa",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3YUTKIRWT6TWU7DS6GF3EOANVQBFQZYI/"
                },
                {
                  "name": "FEDORA-2020-64e54abd9f",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICP3YRY2VUCNCF2VFUSK77ZMRIC77FEM/"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20210205-0002/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20210205-0002/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2020-27846",
        "datePublished": "2020-12-21T15:16:14.000Z",
        "dateReserved": "2020-10-27T00:00:00.000Z",
        "dateUpdated": "2024-08-04T16:25:43.248Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-1762 (GCVE-0-2020-1762)

    Vulnerability from nvd – Published: 2020-04-27 20:41 – Updated: 2024-08-04 06:46
    VLAI
    Summary
    An insufficient JWT validation vulnerability was found in Kiali versions 0.4.0 to 1.15.0 and was fixed in Kiali version 1.15.1, wherein a remote attacker could abuse this flaw by stealing a valid JWT cookie and using that to spoof a user session, possibly gaining privileges to view and alter the Istio configuration.
    Assigner
    References
    Impacted products
    Vendor Product Version
    [Kiali] kiali Affected: >= 0.4.0, < 1.15.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T06:46:30.907Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://kiali.io/news/security-bulletins/kiali-security-001/"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1762"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kiali",
              "vendor": "[Kiali]",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.4.0, \u003c 1.15.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An insufficient JWT validation vulnerability was found in Kiali versions 0.4.0 to 1.15.0 and was fixed in Kiali version 1.15.1, wherein a remote attacker could abuse this flaw by stealing a valid JWT cookie and using that to spoof a user session, possibly gaining privileges to view and alter the Istio configuration."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-613",
                  "description": "CWE-613",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-384",
                  "description": "CWE-384",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-04-27T20:41:37.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://kiali.io/news/security-bulletins/kiali-security-001/"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1762"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2020-1762",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "kiali",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003e= 0.4.0, \u003c 1.15.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "[Kiali]"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An insufficient JWT validation vulnerability was found in Kiali versions 0.4.0 to 1.15.0 and was fixed in Kiali version 1.15.1, wherein a remote attacker could abuse this flaw by stealing a valid JWT cookie and using that to spoof a user session, possibly gaining privileges to view and alter the Istio configuration."
                }
              ]
            },
            "impact": {
              "cvss": [
                [
                  {
                    "vectorString": "7.0/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H",
                    "version": "3.0"
                  }
                ]
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-613"
                    }
                  ]
                },
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-384"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://kiali.io/news/security-bulletins/kiali-security-001/",
                  "refsource": "MISC",
                  "url": "https://kiali.io/news/security-bulletins/kiali-security-001/"
                },
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1762",
                  "refsource": "CONFIRM",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1762"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2020-1762",
        "datePublished": "2020-04-27T20:41:37.000Z",
        "dateReserved": "2019-11-27T00:00:00.000Z",
        "dateUpdated": "2024-08-04T06:46:30.907Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-1764 (GCVE-0-2020-1764)

    Vulnerability from nvd – Published: 2020-03-26 11:16 – Updated: 2024-08-04 06:46
    VLAI
    Summary
    A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions prior to 1.15.1. A remote attacker could abuse this flaw by creating their own JWT signed tokens and bypass Kiali authentication mechanisms, possibly gaining privileges to view and alter the Istio configuration.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Red Hat kiali Affected: all Kiali versions prior to 1.15.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T06:46:30.916Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://kiali.io/news/security-bulletins/kiali-security-001/"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1764"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kiali",
              "vendor": "Red Hat",
              "versions": [
                {
                  "status": "affected",
                  "version": "all Kiali versions prior to 1.15.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions prior to 1.15.1. A remote attacker could abuse this flaw by creating their own JWT signed tokens and bypass Kiali authentication mechanisms, possibly gaining privileges to view and alter the Istio configuration."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-321",
                  "description": "CWE-321",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-03-26T11:16:09.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://kiali.io/news/security-bulletins/kiali-security-001/"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1764"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2020-1764",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "kiali",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "all Kiali versions prior to 1.15.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Red Hat"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions prior to 1.15.1. A remote attacker could abuse this flaw by creating their own JWT signed tokens and bypass Kiali authentication mechanisms, possibly gaining privileges to view and alter the Istio configuration."
                }
              ]
            },
            "impact": {
              "cvss": [
                [
                  {
                    "vectorString": "8.6/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
                    "version": "3.0"
                  }
                ]
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-321"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://kiali.io/news/security-bulletins/kiali-security-001/",
                  "refsource": "MISC",
                  "url": "https://kiali.io/news/security-bulletins/kiali-security-001/"
                },
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1764",
                  "refsource": "CONFIRM",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1764"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2020-1764",
        "datePublished": "2020-03-26T11:16:09.000Z",
        "dateReserved": "2019-11-27T00:00:00.000Z",
        "dateUpdated": "2024-08-04T06:46:30.916Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-8661 (GCVE-0-2020-8661)

    Vulnerability from nvd – Published: 2020-03-04 20:48 – Updated: 2024-08-04 10:03
    VLAI
    Summary
    CNCF Envoy through 1.13.0 may consume excessive amounts of memory when responding internally to pipelined requests.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T10:03:46.322Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.envoyproxy.io/docs/envoy/v1.13.1/intro/version_history"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-36cq-ww7h-p4j7"
              },
              {
                "name": "RHSA-2020:0734",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2020:0734"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "CNCF Envoy through 1.13.0 may consume excessive amounts of memory when responding internally to pipelined requests."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-03-11T11:06:32.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.envoyproxy.io/docs/envoy/v1.13.1/intro/version_history"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-36cq-ww7h-p4j7"
            },
            {
              "name": "RHSA-2020:0734",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2020:0734"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2020-8661",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "CNCF Envoy through 1.13.0 may consume excessive amounts of memory when responding internally to pipelined requests."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.envoyproxy.io/docs/envoy/v1.13.1/intro/version_history",
                  "refsource": "CONFIRM",
                  "url": "https://www.envoyproxy.io/docs/envoy/v1.13.1/intro/version_history"
                },
                {
                  "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-36cq-ww7h-p4j7",
                  "refsource": "MISC",
                  "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-36cq-ww7h-p4j7"
                },
                {
                  "name": "RHSA-2020:0734",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2020:0734"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2020-8661",
        "datePublished": "2020-03-04T20:48:16.000Z",
        "dateReserved": "2020-02-06T00:00:00.000Z",
        "dateUpdated": "2024-08-04T10:03:46.322Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-8659 (GCVE-0-2020-8659)

    Vulnerability from nvd – Published: 2020-03-04 20:43 – Updated: 2024-08-04 10:03
    VLAI
    Summary
    CNCF Envoy through 1.13.0 may consume excessive amounts of memory when proxying HTTP/1.1 requests or responses with many small (i.e. 1 byte) chunks.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T10:03:46.378Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.envoyproxy.io/docs/envoy/v1.13.1/intro/version_history"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-jwcm-4pwp-c2qv"
              },
              {
                "name": "RHSA-2020:0734",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2020:0734"
              },
              {
                "name": "[debian-lts-announce] 20220518 [SECURITY] [DLA 3014-1] elog security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00025.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "CNCF Envoy through 1.13.0 may consume excessive amounts of memory when proxying HTTP/1.1 requests or responses with many small (i.e. 1 byte) chunks."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-05-18T13:06:17.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.envoyproxy.io/docs/envoy/v1.13.1/intro/version_history"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-jwcm-4pwp-c2qv"
            },
            {
              "name": "RHSA-2020:0734",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2020:0734"
            },
            {
              "name": "[debian-lts-announce] 20220518 [SECURITY] [DLA 3014-1] elog security update",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00025.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2020-8659",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "CNCF Envoy through 1.13.0 may consume excessive amounts of memory when proxying HTTP/1.1 requests or responses with many small (i.e. 1 byte) chunks."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.envoyproxy.io/docs/envoy/v1.13.1/intro/version_history",
                  "refsource": "CONFIRM",
                  "url": "https://www.envoyproxy.io/docs/envoy/v1.13.1/intro/version_history"
                },
                {
                  "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-jwcm-4pwp-c2qv",
                  "refsource": "MISC",
                  "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-jwcm-4pwp-c2qv"
                },
                {
                  "name": "RHSA-2020:0734",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2020:0734"
                },
                {
                  "name": "[debian-lts-announce] 20220518 [SECURITY] [DLA 3014-1] elog security update",
                  "refsource": "MLIST",
                  "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00025.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2020-8659",
        "datePublished": "2020-03-04T20:43:55.000Z",
        "dateReserved": "2020-02-06T00:00:00.000Z",
        "dateUpdated": "2024-08-04T10:03:46.378Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-1704 (GCVE-0-2020-1704)

    Vulnerability from nvd – Published: 2020-02-17 16:38 – Updated: 2024-08-04 06:46
    VLAI
    Summary
    An insecure modification vulnerability in the /etc/passwd file was found in all versions of OpenShift ServiceMesh (maistra) before 1.0.8 in the openshift/istio-kialia-rhel7-operator-container. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Red Hat openshift-service-mesh/kiali-rhel7-operator Affected: All maistra versions before 1.0.8
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T06:46:30.534Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1704"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "openshift-service-mesh/kiali-rhel7-operator",
              "vendor": "Red Hat",
              "versions": [
                {
                  "status": "affected",
                  "version": "All maistra versions before 1.0.8"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An insecure modification vulnerability in the /etc/passwd file was found in all versions of OpenShift ServiceMesh (maistra) before 1.0.8 in the openshift/istio-kialia-rhel7-operator-container. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-266",
                  "description": "CWE-266",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-02-17T16:38:06.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1704"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2020-1704",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "openshift-service-mesh/kiali-rhel7-operator",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "All maistra versions before 1.0.8"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Red Hat"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An insecure modification vulnerability in the /etc/passwd file was found in all versions of OpenShift ServiceMesh (maistra) before 1.0.8 in the openshift/istio-kialia-rhel7-operator-container. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges."
                }
              ]
            },
            "impact": {
              "cvss": [
                [
                  {
                    "vectorString": "7/CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
                    "version": "3.0"
                  }
                ]
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-266"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1704",
                  "refsource": "CONFIRM",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1704"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2020-1704",
        "datePublished": "2020-02-17T16:38:06.000Z",
        "dateReserved": "2019-11-27T00:00:00.000Z",
        "dateUpdated": "2024-08-04T06:46:30.534Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-8595 (GCVE-0-2020-8595)

    Vulnerability from nvd – Published: 2020-02-12 14:10 – Updated: 2024-08-04 10:03
    VLAI
    Summary
    Istio versions 1.2.10 (End of Life) and prior, 1.3 through 1.3.7, and 1.4 through 1.4.3 allows authentication bypass. The Authentication Policy exact-path matching logic can allow unauthorized access to HTTP paths even if they are configured to be only accessed after presenting a valid JWT token. For example, an attacker can add a ? or # character to a URI that would otherwise satisfy an exact-path match.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T10:03:45.884Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/istio/istio/commits/master"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://istio.io/news/security/"
              },
              {
                "name": "RHSA-2020:0477",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2020:0477"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/security/cve/cve-2020-8595"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://istio.io/news/security/istio-security-2020-001/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-8595"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Istio versions 1.2.10 (End of Life) and prior, 1.3 through 1.3.7, and 1.4 through 1.4.3 allows authentication bypass. The Authentication Policy exact-path matching logic can allow unauthorized access to HTTP paths even if they are configured to be only accessed after presenting a valid JWT token. For example, an attacker can add a ? or # character to a URI that would otherwise satisfy an exact-path match."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-02-20T15:54:35.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/istio/istio/commits/master"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://istio.io/news/security/"
            },
            {
              "name": "RHSA-2020:0477",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2020:0477"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://access.redhat.com/security/cve/cve-2020-8595"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://istio.io/news/security/istio-security-2020-001/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-8595"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2020-8595",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Istio versions 1.2.10 (End of Life) and prior, 1.3 through 1.3.7, and 1.4 through 1.4.3 allows authentication bypass. The Authentication Policy exact-path matching logic can allow unauthorized access to HTTP paths even if they are configured to be only accessed after presenting a valid JWT token. For example, an attacker can add a ? or # character to a URI that would otherwise satisfy an exact-path match."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/istio/istio/commits/master",
                  "refsource": "MISC",
                  "url": "https://github.com/istio/istio/commits/master"
                },
                {
                  "name": "https://istio.io/news/security/",
                  "refsource": "MISC",
                  "url": "https://istio.io/news/security/"
                },
                {
                  "name": "RHSA-2020:0477",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2020:0477"
                },
                {
                  "name": "https://access.redhat.com/security/cve/cve-2020-8595",
                  "refsource": "CONFIRM",
                  "url": "https://access.redhat.com/security/cve/cve-2020-8595"
                },
                {
                  "name": "https://istio.io/news/security/istio-security-2020-001/",
                  "refsource": "CONFIRM",
                  "url": "https://istio.io/news/security/istio-security-2020-001/"
                },
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-8595",
                  "refsource": "MISC",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-8595"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2020-8595",
        "datePublished": "2020-02-12T14:10:15.000Z",
        "dateReserved": "2020-02-03T00:00:00.000Z",
        "dateUpdated": "2024-08-04T10:03:45.884Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-9518 (GCVE-0-2019-9518)

    Vulnerability from nvd – Published: 2019-08-13 20:50 – Updated: 2024-08-04 21:54
    VLAI
    Title
    Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service
    Summary
    Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU.
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    URL Tags
    https://kb.cert.org/vuls/id/605641/ third-party-advisoryx_refsource_CERT-VN
    https://github.com/Netflix/security-bulletins/blo… x_refsource_MISC
    https://seclists.org/bugtraq/2019/Aug/24 mailing-listx_refsource_BUGTRAQ
    http://seclists.org/fulldisclosure/2019/Aug/16 mailing-listx_refsource_FULLDISC
    https://www.synology.com/security/advisory/Synolo… x_refsource_CONFIRM
    https://support.f5.com/csp/article/K46011592 x_refsource_CONFIRM
    https://lists.apache.org/thread.html/2653c5654557… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/091b518265bc… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/ff5b0821a698… mailing-listx_refsource_MLIST
    https://security.netapp.com/advisory/ntap-2019082… x_refsource_CONFIRM
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://www.debian.org/security/2019/dsa-4520 vendor-advisoryx_refsource_DEBIAN
    https://seclists.org/bugtraq/2019/Sep/18 mailing-listx_refsource_BUGTRAQ
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    https://kc.mcafee.com/corporate/index?page=conten… x_refsource_CONFIRM
    https://access.redhat.com/errata/RHSA-2019:2925 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2939 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2955 vendor-advisoryx_refsource_REDHAT
    https://support.f5.com/csp/article/K46011592?utm_… x_refsource_CONFIRM
    https://access.redhat.com/errata/RHSA-2019:3892 vendor-advisoryx_refsource_REDHAT
    https://lists.apache.org/thread.html/9317fd092b25… mailing-listx_refsource_MLIST
    https://access.redhat.com/errata/RHSA-2019:4352 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2020:0727 vendor-advisoryx_refsource_REDHAT
    https://lists.apache.org/thread.html/r99a625fb170… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/rd31230d01fa… mailing-listx_refsource_MLIST
    Credits
    Thanks to Piotr Sikora of Google for reporting this vulnerability.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T21:54:44.510Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "VU#605641",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_CERT-VN",
                  "x_transferred"
                ],
                "url": "https://kb.cert.org/vuls/id/605641/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
              },
              {
                "name": "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
                "tags": [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
                  "x_transferred"
                ],
                "url": "https://seclists.org/bugtraq/2019/Aug/24"
              },
              {
                "name": "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
                "tags": [
                  "mailing-list",
                  "x_refsource_FULLDISC",
                  "x_transferred"
                ],
                "url": "http://seclists.org/fulldisclosure/2019/Aug/16"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.f5.com/csp/article/K46011592"
              },
              {
                "name": "[trafficserver-announce] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/2653c56545573b528f3f6352a29eccaf498bd6fb2a6a59568d81a61d%40%3Cannounce.trafficserver.apache.org%3E"
              },
              {
                "name": "[trafficserver-users] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/091b518265bce56a16af87b77c8cfacda902a02079e866f9fdf13b61%40%3Cusers.trafficserver.apache.org%3E"
              },
              {
                "name": "[trafficserver-dev] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/ff5b0821a6985159a832ff6d1a4bd311ac07ecc7db1e2d8bab619107%40%3Cdev.trafficserver.apache.org%3E"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
              },
              {
                "name": "FEDORA-2019-5a6a7bc12c",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
              },
              {
                "name": "FEDORA-2019-6a2980de56",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
              },
              {
                "name": "DSA-4520",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2019/dsa-4520"
              },
              {
                "name": "20190910 [SECURITY] [DSA 4520-1] trafficserver security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
                  "x_transferred"
                ],
                "url": "https://seclists.org/bugtraq/2019/Sep/18"
              },
              {
                "name": "openSUSE-SU-2019:2114",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
              },
              {
                "name": "openSUSE-SU-2019:2115",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
              },
              {
                "name": "RHSA-2019:2925",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2925"
              },
              {
                "name": "RHSA-2019:2939",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2939"
              },
              {
                "name": "RHSA-2019:2955",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2955"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.f5.com/csp/article/K46011592?utm_source=f5support\u0026amp%3Butm_medium=RSS"
              },
              {
                "name": "RHSA-2019:3892",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3892"
              },
              {
                "name": "[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E"
              },
              {
                "name": "RHSA-2019:4352",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4352"
              },
              {
                "name": "RHSA-2020:0727",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2020:0727"
              },
              {
                "name": "[cassandra-commits] 20210526 [jira] [Created] (CASSANDRA-16698) Security vulnerability CVE-2019-9518 for Netty",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r99a625fb17032646d96cd23dec49603ff630e9318e44a686d63046bc%40%3Ccommits.cassandra.apache.org%3E"
              },
              {
                "name": "[cassandra-commits] 20210526 [jira] [Updated] (CASSANDRA-16698) Security vulnerability CVE-2019-9518 for Netty",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rd31230d01fa6aad18bdadc0720acd1747e53690bd35f73a48e7a9b75%40%3Ccommits.cassandra.apache.org%3E"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Thanks to Piotr Sikora of Google for reporting this vulnerability."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-05-26T16:06:12.000Z",
            "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
            "shortName": "certcc"
          },
          "references": [
            {
              "name": "VU#605641",
              "tags": [
                "third-party-advisory",
                "x_refsource_CERT-VN"
              ],
              "url": "https://kb.cert.org/vuls/id/605641/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
            },
            {
              "name": "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
              "tags": [
                "mailing-list",
                "x_refsource_BUGTRAQ"
              ],
              "url": "https://seclists.org/bugtraq/2019/Aug/24"
            },
            {
              "name": "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
              "tags": [
                "mailing-list",
                "x_refsource_FULLDISC"
              ],
              "url": "http://seclists.org/fulldisclosure/2019/Aug/16"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.f5.com/csp/article/K46011592"
            },
            {
              "name": "[trafficserver-announce] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/2653c56545573b528f3f6352a29eccaf498bd6fb2a6a59568d81a61d%40%3Cannounce.trafficserver.apache.org%3E"
            },
            {
              "name": "[trafficserver-users] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/091b518265bce56a16af87b77c8cfacda902a02079e866f9fdf13b61%40%3Cusers.trafficserver.apache.org%3E"
            },
            {
              "name": "[trafficserver-dev] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/ff5b0821a6985159a832ff6d1a4bd311ac07ecc7db1e2d8bab619107%40%3Cdev.trafficserver.apache.org%3E"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
            },
            {
              "name": "FEDORA-2019-5a6a7bc12c",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
            },
            {
              "name": "FEDORA-2019-6a2980de56",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
            },
            {
              "name": "DSA-4520",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2019/dsa-4520"
            },
            {
              "name": "20190910 [SECURITY] [DSA 4520-1] trafficserver security update",
              "tags": [
                "mailing-list",
                "x_refsource_BUGTRAQ"
              ],
              "url": "https://seclists.org/bugtraq/2019/Sep/18"
            },
            {
              "name": "openSUSE-SU-2019:2114",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
            },
            {
              "name": "openSUSE-SU-2019:2115",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
            },
            {
              "name": "RHSA-2019:2925",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2925"
            },
            {
              "name": "RHSA-2019:2939",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2939"
            },
            {
              "name": "RHSA-2019:2955",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2955"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.f5.com/csp/article/K46011592?utm_source=f5support\u0026amp%3Butm_medium=RSS"
            },
            {
              "name": "RHSA-2019:3892",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3892"
            },
            {
              "name": "[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E"
            },
            {
              "name": "RHSA-2019:4352",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4352"
            },
            {
              "name": "RHSA-2020:0727",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2020:0727"
            },
            {
              "name": "[cassandra-commits] 20210526 [jira] [Created] (CASSANDRA-16698) Security vulnerability CVE-2019-9518 for Netty",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r99a625fb17032646d96cd23dec49603ff630e9318e44a686d63046bc%40%3Ccommits.cassandra.apache.org%3E"
            },
            {
              "name": "[cassandra-commits] 20210526 [jira] [Updated] (CASSANDRA-16698) Security vulnerability CVE-2019-9518 for Netty",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rd31230d01fa6aad18bdadc0720acd1747e53690bd35f73a48e7a9b75%40%3Ccommits.cassandra.apache.org%3E"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service",
          "x_generator": {
            "engine": "Vulnogram 0.0.7"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "AKA": "HTTP/2 Empty Frame Flooding",
              "ASSIGNER": "cert@cert.org",
              "ID": "CVE-2019-9518",
              "STATE": "PUBLIC",
              "TITLE": "Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Thanks to Piotr Sikora of Google for reporting this vulnerability."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.7"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-400 Uncontrolled Resource Consumption"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "VU#605641",
                  "refsource": "CERT-VN",
                  "url": "https://kb.cert.org/vuls/id/605641/"
                },
                {
                  "name": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md",
                  "refsource": "MISC",
                  "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
                },
                {
                  "name": "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
                  "refsource": "BUGTRAQ",
                  "url": "https://seclists.org/bugtraq/2019/Aug/24"
                },
                {
                  "name": "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
                  "refsource": "FULLDISC",
                  "url": "http://seclists.org/fulldisclosure/2019/Aug/16"
                },
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_19_33",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
                },
                {
                  "name": "https://support.f5.com/csp/article/K46011592",
                  "refsource": "CONFIRM",
                  "url": "https://support.f5.com/csp/article/K46011592"
                },
                {
                  "name": "[trafficserver-announce] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/2653c56545573b528f3f6352a29eccaf498bd6fb2a6a59568d81a61d@%3Cannounce.trafficserver.apache.org%3E"
                },
                {
                  "name": "[trafficserver-users] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/091b518265bce56a16af87b77c8cfacda902a02079e866f9fdf13b61@%3Cusers.trafficserver.apache.org%3E"
                },
                {
                  "name": "[trafficserver-dev] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/ff5b0821a6985159a832ff6d1a4bd311ac07ecc7db1e2d8bab619107@%3Cdev.trafficserver.apache.org%3E"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20190823-0005/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
                },
                {
                  "name": "FEDORA-2019-5a6a7bc12c",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
                },
                {
                  "name": "FEDORA-2019-6a2980de56",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
                },
                {
                  "name": "DSA-4520",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2019/dsa-4520"
                },
                {
                  "name": "20190910 [SECURITY] [DSA 4520-1] trafficserver security update",
                  "refsource": "BUGTRAQ",
                  "url": "https://seclists.org/bugtraq/2019/Sep/18"
                },
                {
                  "name": "openSUSE-SU-2019:2114",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
                },
                {
                  "name": "openSUSE-SU-2019:2115",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
                },
                {
                  "name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296",
                  "refsource": "CONFIRM",
                  "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
                },
                {
                  "name": "RHSA-2019:2925",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2925"
                },
                {
                  "name": "RHSA-2019:2939",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2939"
                },
                {
                  "name": "RHSA-2019:2955",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2955"
                },
                {
                  "name": "https://support.f5.com/csp/article/K46011592?utm_source=f5support\u0026amp;utm_medium=RSS",
                  "refsource": "CONFIRM",
                  "url": "https://support.f5.com/csp/article/K46011592?utm_source=f5support\u0026amp;utm_medium=RSS"
                },
                {
                  "name": "RHSA-2019:3892",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3892"
                },
                {
                  "name": "[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E"
                },
                {
                  "name": "RHSA-2019:4352",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:4352"
                },
                {
                  "name": "RHSA-2020:0727",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2020:0727"
                },
                {
                  "name": "[cassandra-commits] 20210526 [jira] [Created] (CASSANDRA-16698) Security vulnerability CVE-2019-9518 for Netty",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r99a625fb17032646d96cd23dec49603ff630e9318e44a686d63046bc@%3Ccommits.cassandra.apache.org%3E"
                },
                {
                  "name": "[cassandra-commits] 20210526 [jira] [Updated] (CASSANDRA-16698) Security vulnerability CVE-2019-9518 for Netty",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rd31230d01fa6aad18bdadc0720acd1747e53690bd35f73a48e7a9b75@%3Ccommits.cassandra.apache.org%3E"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "assignerShortName": "certcc",
        "cveId": "CVE-2019-9518",
        "datePublished": "2019-08-13T20:50:59.000Z",
        "dateReserved": "2019-03-01T00:00:00.000Z",
        "dateUpdated": "2024-08-04T21:54:44.510Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-9517 (GCVE-0-2019-9517)

    Vulnerability from nvd – Published: 2019-08-13 20:50 – Updated: 2024-08-04 21:54
    VLAI
    Title
    Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service
    Summary
    Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both.
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    URL Tags
    https://kb.cert.org/vuls/id/605641/ third-party-advisoryx_refsource_CERT-VN
    https://github.com/Netflix/security-bulletins/blo… x_refsource_MISC
    https://lists.apache.org/thread.html/461076245664… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/56c2e7cc9deb… mailing-listx_refsource_MLIST
    http://www.openwall.com/lists/oss-security/2019/08/15/7 mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/ec97fdfc1a85… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/d89f999e26df… mailing-listx_refsource_MLIST
    https://www.synology.com/security/advisory/Synolo… x_refsource_CONFIRM
    https://support.f5.com/csp/article/K02591030 x_refsource_CONFIRM
    https://security.netapp.com/advisory/ntap-2019082… x_refsource_CONFIRM
    https://security.netapp.com/advisory/ntap-2019082… x_refsource_CONFIRM
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://www.debian.org/security/2019/dsa-4509 vendor-advisoryx_refsource_DEBIAN
    https://seclists.org/bugtraq/2019/Aug/47 mailing-listx_refsource_BUGTRAQ
    https://usn.ubuntu.com/4113-1/ vendor-advisoryx_refsource_UBUNTU
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    https://security.netapp.com/advisory/ntap-2019090… x_refsource_CONFIRM
    https://security.gentoo.org/glsa/201909-04 vendor-advisoryx_refsource_GENTOO
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    https://kc.mcafee.com/corporate/index?page=conten… x_refsource_CONFIRM
    https://access.redhat.com/errata/RHSA-2019:2893 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2925 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2939 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2946 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2950 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2949 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2955 vendor-advisoryx_refsource_REDHAT
    https://support.f5.com/csp/article/K02591030?utm_… x_refsource_CONFIRM
    https://www.oracle.com/technetwork/security-advis… x_refsource_MISC
    https://access.redhat.com/errata/RHSA-2019:3933 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:3935 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:3932 vendor-advisoryx_refsource_REDHAT
    https://lists.apache.org/thread.html/rd18c3c43602… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/re3d27b6250a… mailing-listx_refsource_MLIST
    https://www.oracle.com/security-alerts/cpuapr2020.html x_refsource_MISC
    https://lists.apache.org/thread.html/rf6449464fd8… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r06f0d87ebb6… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/rc998b18880d… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r03ee478b3dd… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/rd2fb621142e… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r9f93cf6dde3… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r3c5c3104813… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r76142b8c511… mailing-listx_refsource_MLIST
    Credits
    Thanks to Jonathan Looney of Netflix for reporting this vulnerability.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T21:54:44.675Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "VU#605641",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_CERT-VN",
                  "x_transferred"
                ],
                "url": "https://kb.cert.org/vuls/id/605641/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
              },
              {
                "name": "[httpd-announce] 20190814 CVE-2019-9517: mod_http2, DoS attack by exhausting h2 workers",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/4610762456644181b267c846423b3a990bd4aaea1886ecc7d51febdb%40%3Cannounce.httpd.apache.org%3E"
              },
              {
                "name": "[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E"
              },
              {
                "name": "[oss-security] 20190814 CVE-2019-9517: mod_http2, DoS attack by exhausting h2 workers",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2019/08/15/7"
              },
              {
                "name": "[httpd-dev] 20190817 CVE-2019-10097 vs. CHANGEs entry",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/ec97fdfc1a859266e56fef084353a34e0a0b08901b3c1aa317a43c8c%40%3Cdev.httpd.apache.org%3E"
              },
              {
                "name": "[httpd-dev] 20190817 Re: CVE-2019-10097 vs. CHANGEs entry",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/d89f999e26dfb1d50f247ead1fe8538014eb412b2dbe5be4b1a9ef50%40%3Cdev.httpd.apache.org%3E"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.f5.com/csp/article/K02591030"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20190823-0003/"
              },
              {
                "name": "FEDORA-2019-5a6a7bc12c",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
              },
              {
                "name": "FEDORA-2019-6a2980de56",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
              },
              {
                "name": "DSA-4509",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2019/dsa-4509"
              },
              {
                "name": "20190826 [SECURITY] [DSA 4509-1] apache2 security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
                  "x_transferred"
                ],
                "url": "https://seclists.org/bugtraq/2019/Aug/47"
              },
              {
                "name": "USN-4113-1",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
                  "x_transferred"
                ],
                "url": "https://usn.ubuntu.com/4113-1/"
              },
              {
                "name": "FEDORA-2019-4427fd65be",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/"
              },
              {
                "name": "FEDORA-2019-63ba15cc83",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/"
              },
              {
                "name": "openSUSE-SU-2019:2051",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00004.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20190905-0003/"
              },
              {
                "name": "GLSA-201909-04",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/201909-04"
              },
              {
                "name": "openSUSE-SU-2019:2114",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
              },
              {
                "name": "openSUSE-SU-2019:2115",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
              },
              {
                "name": "RHSA-2019:2893",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2893"
              },
              {
                "name": "RHSA-2019:2925",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2925"
              },
              {
                "name": "RHSA-2019:2939",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2939"
              },
              {
                "name": "RHSA-2019:2946",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2946"
              },
              {
                "name": "RHSA-2019:2950",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2950"
              },
              {
                "name": "RHSA-2019:2949",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2949"
              },
              {
                "name": "RHSA-2019:2955",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2955"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.f5.com/csp/article/K02591030?utm_source=f5support\u0026amp%3Butm_medium=RSS"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
              },
              {
                "name": "RHSA-2019:3933",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3933"
              },
              {
                "name": "RHSA-2019:3935",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3935"
              },
              {
                "name": "RHSA-2019:3932",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3932"
              },
              {
                "name": "[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E"
              },
              {
                "name": "[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
              },
              {
                "name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E"
              },
              {
                "name": "[httpd-cvs] 20210330 svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd.apache.org%3E"
              },
              {
                "name": "[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E"
              },
              {
                "name": "[httpd-cvs] 20210330 svn commit: r1073139 [12/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r03ee478b3dda3e381fd6189366fa7af97c980d2f602846eef935277d%40%3Ccvs.httpd.apache.org%3E"
              },
              {
                "name": "[httpd-cvs] 20210330 svn commit: r1888194 [12/13] - /httpd/site/trunk/content/security/json/",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rd2fb621142e7fa187cfe12d7137bf66e7234abcbbcd800074c84a538%40%3Ccvs.httpd.apache.org%3E"
              },
              {
                "name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E"
              },
              {
                "name": "[httpd-cvs] 20210330 svn commit: r1073149 [13/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r3c5c3104813c1c5508b55564b66546933079250a46ce50eee90b2e36%40%3Ccvs.httpd.apache.org%3E"
              },
              {
                "name": "[httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Thanks to Jonathan Looney of Netflix for reporting this vulnerability."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-06-06T10:10:48.000Z",
            "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
            "shortName": "certcc"
          },
          "references": [
            {
              "name": "VU#605641",
              "tags": [
                "third-party-advisory",
                "x_refsource_CERT-VN"
              ],
              "url": "https://kb.cert.org/vuls/id/605641/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
            },
            {
              "name": "[httpd-announce] 20190814 CVE-2019-9517: mod_http2, DoS attack by exhausting h2 workers",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/4610762456644181b267c846423b3a990bd4aaea1886ecc7d51febdb%40%3Cannounce.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[oss-security] 20190814 CVE-2019-9517: mod_http2, DoS attack by exhausting h2 workers",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2019/08/15/7"
            },
            {
              "name": "[httpd-dev] 20190817 CVE-2019-10097 vs. CHANGEs entry",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/ec97fdfc1a859266e56fef084353a34e0a0b08901b3c1aa317a43c8c%40%3Cdev.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-dev] 20190817 Re: CVE-2019-10097 vs. CHANGEs entry",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/d89f999e26dfb1d50f247ead1fe8538014eb412b2dbe5be4b1a9ef50%40%3Cdev.httpd.apache.org%3E"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.f5.com/csp/article/K02591030"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20190823-0003/"
            },
            {
              "name": "FEDORA-2019-5a6a7bc12c",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
            },
            {
              "name": "FEDORA-2019-6a2980de56",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
            },
            {
              "name": "DSA-4509",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2019/dsa-4509"
            },
            {
              "name": "20190826 [SECURITY] [DSA 4509-1] apache2 security update",
              "tags": [
                "mailing-list",
                "x_refsource_BUGTRAQ"
              ],
              "url": "https://seclists.org/bugtraq/2019/Aug/47"
            },
            {
              "name": "USN-4113-1",
              "tags": [
                "vendor-advisory",
                "x_refsource_UBUNTU"
              ],
              "url": "https://usn.ubuntu.com/4113-1/"
            },
            {
              "name": "FEDORA-2019-4427fd65be",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/"
            },
            {
              "name": "FEDORA-2019-63ba15cc83",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/"
            },
            {
              "name": "openSUSE-SU-2019:2051",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00004.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20190905-0003/"
            },
            {
              "name": "GLSA-201909-04",
              "tags": [
                "vendor-advisory",
                "x_refsource_GENTOO"
              ],
              "url": "https://security.gentoo.org/glsa/201909-04"
            },
            {
              "name": "openSUSE-SU-2019:2114",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
            },
            {
              "name": "openSUSE-SU-2019:2115",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
            },
            {
              "name": "RHSA-2019:2893",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2893"
            },
            {
              "name": "RHSA-2019:2925",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2925"
            },
            {
              "name": "RHSA-2019:2939",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2939"
            },
            {
              "name": "RHSA-2019:2946",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2946"
            },
            {
              "name": "RHSA-2019:2950",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2950"
            },
            {
              "name": "RHSA-2019:2949",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2949"
            },
            {
              "name": "RHSA-2019:2955",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2955"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.f5.com/csp/article/K02591030?utm_source=f5support\u0026amp%3Butm_medium=RSS"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
            },
            {
              "name": "RHSA-2019:3933",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3933"
            },
            {
              "name": "RHSA-2019:3935",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3935"
            },
            {
              "name": "RHSA-2019:3932",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3932"
            },
            {
              "name": "[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
            },
            {
              "name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20210330 svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20210330 svn commit: r1073139 [12/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r03ee478b3dda3e381fd6189366fa7af97c980d2f602846eef935277d%40%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20210330 svn commit: r1888194 [12/13] - /httpd/site/trunk/content/security/json/",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rd2fb621142e7fa187cfe12d7137bf66e7234abcbbcd800074c84a538%40%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20210330 svn commit: r1073149 [13/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r3c5c3104813c1c5508b55564b66546933079250a46ce50eee90b2e36%40%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service",
          "x_generator": {
            "engine": "Vulnogram 0.0.7"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "AKA": "HTTP/2 Internal Data Buffering",
              "ASSIGNER": "cert@cert.org",
              "ID": "CVE-2019-9517",
              "STATE": "PUBLIC",
              "TITLE": "Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Thanks to Jonathan Looney of Netflix for reporting this vulnerability."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.7"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-400 Uncontrolled Resource Consumption"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "VU#605641",
                  "refsource": "CERT-VN",
                  "url": "https://kb.cert.org/vuls/id/605641/"
                },
                {
                  "name": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md",
                  "refsource": "MISC",
                  "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
                },
                {
                  "name": "[httpd-announce] 20190814 CVE-2019-9517: mod_http2, DoS attack by exhausting h2 workers",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/4610762456644181b267c846423b3a990bd4aaea1886ecc7d51febdb@%3Cannounce.httpd.apache.org%3E"
                },
                {
                  "name": "[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3Ccvs.httpd.apache.org%3E"
                },
                {
                  "name": "[oss-security] 20190814 CVE-2019-9517: mod_http2, DoS attack by exhausting h2 workers",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2019/08/15/7"
                },
                {
                  "name": "[httpd-dev] 20190817 CVE-2019-10097 vs. CHANGEs entry",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/ec97fdfc1a859266e56fef084353a34e0a0b08901b3c1aa317a43c8c@%3Cdev.httpd.apache.org%3E"
                },
                {
                  "name": "[httpd-dev] 20190817 Re: CVE-2019-10097 vs. CHANGEs entry",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/d89f999e26dfb1d50f247ead1fe8538014eb412b2dbe5be4b1a9ef50@%3Cdev.httpd.apache.org%3E"
                },
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_19_33",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
                },
                {
                  "name": "https://support.f5.com/csp/article/K02591030",
                  "refsource": "CONFIRM",
                  "url": "https://support.f5.com/csp/article/K02591030"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20190823-0005/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20190823-0003/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20190823-0003/"
                },
                {
                  "name": "FEDORA-2019-5a6a7bc12c",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
                },
                {
                  "name": "FEDORA-2019-6a2980de56",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
                },
                {
                  "name": "DSA-4509",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2019/dsa-4509"
                },
                {
                  "name": "20190826 [SECURITY] [DSA 4509-1] apache2 security update",
                  "refsource": "BUGTRAQ",
                  "url": "https://seclists.org/bugtraq/2019/Aug/47"
                },
                {
                  "name": "USN-4113-1",
                  "refsource": "UBUNTU",
                  "url": "https://usn.ubuntu.com/4113-1/"
                },
                {
                  "name": "FEDORA-2019-4427fd65be",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/"
                },
                {
                  "name": "FEDORA-2019-63ba15cc83",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/"
                },
                {
                  "name": "openSUSE-SU-2019:2051",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00004.html"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20190905-0003/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20190905-0003/"
                },
                {
                  "name": "GLSA-201909-04",
                  "refsource": "GENTOO",
                  "url": "https://security.gentoo.org/glsa/201909-04"
                },
                {
                  "name": "openSUSE-SU-2019:2114",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
                },
                {
                  "name": "openSUSE-SU-2019:2115",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
                },
                {
                  "name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296",
                  "refsource": "CONFIRM",
                  "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
                },
                {
                  "name": "RHSA-2019:2893",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2893"
                },
                {
                  "name": "RHSA-2019:2925",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2925"
                },
                {
                  "name": "RHSA-2019:2939",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2939"
                },
                {
                  "name": "RHSA-2019:2946",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2946"
                },
                {
                  "name": "RHSA-2019:2950",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2950"
                },
                {
                  "name": "RHSA-2019:2949",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2949"
                },
                {
                  "name": "RHSA-2019:2955",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2955"
                },
                {
                  "name": "https://support.f5.com/csp/article/K02591030?utm_source=f5support\u0026amp;utm_medium=RSS",
                  "refsource": "CONFIRM",
                  "url": "https://support.f5.com/csp/article/K02591030?utm_source=f5support\u0026amp;utm_medium=RSS"
                },
                {
                  "name": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
                },
                {
                  "name": "RHSA-2019:3933",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3933"
                },
                {
                  "name": "RHSA-2019:3935",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3935"
                },
                {
                  "name": "RHSA-2019:3932",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3932"
                },
                {
                  "name": "[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3Ccvs.httpd.apache.org%3E"
                },
                {
                  "name": "[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3Ccvs.httpd.apache.org%3E"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuapr2020.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
                },
                {
                  "name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E"
                },
                {
                  "name": "[httpd-cvs] 20210330 svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf@%3Ccvs.httpd.apache.org%3E"
                },
                {
                  "name": "[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3Ccvs.httpd.apache.org%3E"
                },
                {
                  "name": "[httpd-cvs] 20210330 svn commit: r1073139 [12/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r03ee478b3dda3e381fd6189366fa7af97c980d2f602846eef935277d@%3Ccvs.httpd.apache.org%3E"
                },
                {
                  "name": "[httpd-cvs] 20210330 svn commit: r1888194 [12/13] - /httpd/site/trunk/content/security/json/",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rd2fb621142e7fa187cfe12d7137bf66e7234abcbbcd800074c84a538@%3Ccvs.httpd.apache.org%3E"
                },
                {
                  "name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E"
                },
                {
                  "name": "[httpd-cvs] 20210330 svn commit: r1073149 [13/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r3c5c3104813c1c5508b55564b66546933079250a46ce50eee90b2e36@%3Ccvs.httpd.apache.org%3E"
                },
                {
                  "name": "[httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d@%3Ccvs.httpd.apache.org%3E"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "assignerShortName": "certcc",
        "cveId": "CVE-2019-9517",
        "datePublished": "2019-08-13T20:50:59.000Z",
        "dateReserved": "2019-03-01T00:00:00.000Z",
        "dateUpdated": "2024-08-04T21:54:44.675Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-9516 (GCVE-0-2019-9516)

    Vulnerability from nvd – Published: 2019-08-13 20:50 – Updated: 2024-08-04 21:54
    VLAI
    Title
    Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service
    Summary
    Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory.
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    URL Tags
    https://kb.cert.org/vuls/id/605641/ third-party-advisoryx_refsource_CERT-VN
    https://github.com/Netflix/security-bulletins/blo… x_refsource_MISC
    https://seclists.org/bugtraq/2019/Aug/24 mailing-listx_refsource_BUGTRAQ
    https://usn.ubuntu.com/4099-1/ vendor-advisoryx_refsource_UBUNTU
    http://seclists.org/fulldisclosure/2019/Aug/16 mailing-listx_refsource_FULLDISC
    https://www.synology.com/security/advisory/Synolo… x_refsource_CONFIRM
    https://support.f5.com/csp/article/K02591030 x_refsource_CONFIRM
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://seclists.org/bugtraq/2019/Aug/40 mailing-listx_refsource_BUGTRAQ
    https://www.debian.org/security/2019/dsa-4505 vendor-advisoryx_refsource_DEBIAN
    https://security.netapp.com/advisory/ntap-2019082… x_refsource_CONFIRM
    https://security.netapp.com/advisory/ntap-2019082… x_refsource_CONFIRM
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    https://kc.mcafee.com/corporate/index?page=conten… x_refsource_CONFIRM
    https://access.redhat.com/errata/RHSA-2019:2745 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2746 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2775 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2799 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2925 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2939 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2946 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2950 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2955 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2966 vendor-advisoryx_refsource_REDHAT
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    https://support.f5.com/csp/article/K02591030?utm_… x_refsource_CONFIRM
    https://access.redhat.com/errata/RHSA-2019:3933 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:3935 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:3932 vendor-advisoryx_refsource_REDHAT
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    Credits
    Thanks to Jonathan Looney of Netflix for reporting this vulnerability.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T21:54:44.285Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "VU#605641",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_CERT-VN",
                  "x_transferred"
                ],
                "url": "https://kb.cert.org/vuls/id/605641/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
              },
              {
                "name": "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
                "tags": [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
                  "x_transferred"
                ],
                "url": "https://seclists.org/bugtraq/2019/Aug/24"
              },
              {
                "name": "USN-4099-1",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
                  "x_transferred"
                ],
                "url": "https://usn.ubuntu.com/4099-1/"
              },
              {
                "name": "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
                "tags": [
                  "mailing-list",
                  "x_refsource_FULLDISC",
                  "x_transferred"
                ],
                "url": "http://seclists.org/fulldisclosure/2019/Aug/16"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.f5.com/csp/article/K02591030"
              },
              {
                "name": "FEDORA-2019-befd924cfe",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/"
              },
              {
                "name": "20190822 [SECURITY] [DSA 4505-1] nginx security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
                  "x_transferred"
                ],
                "url": "https://seclists.org/bugtraq/2019/Aug/40"
              },
              {
                "name": "DSA-4505",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2019/dsa-4505"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20190823-0002/"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
              },
              {
                "name": "FEDORA-2019-5a6a7bc12c",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
              },
              {
                "name": "FEDORA-2019-6a2980de56",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
              },
              {
                "name": "FEDORA-2019-4427fd65be",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/"
              },
              {
                "name": "FEDORA-2019-63ba15cc83",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/"
              },
              {
                "name": "FEDORA-2019-7a0b45fdc4",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/POPAEC4FWL4UU4LDEGPY5NPALU24FFQD/"
              },
              {
                "name": "openSUSE-SU-2019:2120",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html"
              },
              {
                "name": "openSUSE-SU-2019:2114",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
              },
              {
                "name": "openSUSE-SU-2019:2115",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
              },
              {
                "name": "RHSA-2019:2745",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2745"
              },
              {
                "name": "RHSA-2019:2746",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2746"
              },
              {
                "name": "RHSA-2019:2775",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2775"
              },
              {
                "name": "RHSA-2019:2799",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2799"
              },
              {
                "name": "RHSA-2019:2925",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2925"
              },
              {
                "name": "RHSA-2019:2939",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2939"
              },
              {
                "name": "RHSA-2019:2946",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2946"
              },
              {
                "name": "RHSA-2019:2950",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2950"
              },
              {
                "name": "RHSA-2019:2955",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2955"
              },
              {
                "name": "RHSA-2019:2966",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2966"
              },
              {
                "name": "openSUSE-SU-2019:2264",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00014.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.f5.com/csp/article/K02591030?utm_source=f5support\u0026amp%3Butm_medium=RSS"
              },
              {
                "name": "RHSA-2019:3933",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3933"
              },
              {
                "name": "RHSA-2019:3935",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3935"
              },
              {
                "name": "RHSA-2019:3932",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3932"
              },
              {
                "name": "FEDORA-2021-d5b2c18fe6",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Thanks to Jonathan Looney of Netflix for reporting this vulnerability."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-01-16T02:06:09.000Z",
            "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
            "shortName": "certcc"
          },
          "references": [
            {
              "name": "VU#605641",
              "tags": [
                "third-party-advisory",
                "x_refsource_CERT-VN"
              ],
              "url": "https://kb.cert.org/vuls/id/605641/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
            },
            {
              "name": "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
              "tags": [
                "mailing-list",
                "x_refsource_BUGTRAQ"
              ],
              "url": "https://seclists.org/bugtraq/2019/Aug/24"
            },
            {
              "name": "USN-4099-1",
              "tags": [
                "vendor-advisory",
                "x_refsource_UBUNTU"
              ],
              "url": "https://usn.ubuntu.com/4099-1/"
            },
            {
              "name": "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
              "tags": [
                "mailing-list",
                "x_refsource_FULLDISC"
              ],
              "url": "http://seclists.org/fulldisclosure/2019/Aug/16"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.f5.com/csp/article/K02591030"
            },
            {
              "name": "FEDORA-2019-befd924cfe",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/"
            },
            {
              "name": "20190822 [SECURITY] [DSA 4505-1] nginx security update",
              "tags": [
                "mailing-list",
                "x_refsource_BUGTRAQ"
              ],
              "url": "https://seclists.org/bugtraq/2019/Aug/40"
            },
            {
              "name": "DSA-4505",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2019/dsa-4505"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20190823-0002/"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
            },
            {
              "name": "FEDORA-2019-5a6a7bc12c",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
            },
            {
              "name": "FEDORA-2019-6a2980de56",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
            },
            {
              "name": "FEDORA-2019-4427fd65be",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/"
            },
            {
              "name": "FEDORA-2019-63ba15cc83",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/"
            },
            {
              "name": "FEDORA-2019-7a0b45fdc4",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/POPAEC4FWL4UU4LDEGPY5NPALU24FFQD/"
            },
            {
              "name": "openSUSE-SU-2019:2120",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html"
            },
            {
              "name": "openSUSE-SU-2019:2114",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
            },
            {
              "name": "openSUSE-SU-2019:2115",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
            },
            {
              "name": "RHSA-2019:2745",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2745"
            },
            {
              "name": "RHSA-2019:2746",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2746"
            },
            {
              "name": "RHSA-2019:2775",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2775"
            },
            {
              "name": "RHSA-2019:2799",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2799"
            },
            {
              "name": "RHSA-2019:2925",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2925"
            },
            {
              "name": "RHSA-2019:2939",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2939"
            },
            {
              "name": "RHSA-2019:2946",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2946"
            },
            {
              "name": "RHSA-2019:2950",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2950"
            },
            {
              "name": "RHSA-2019:2955",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2955"
            },
            {
              "name": "RHSA-2019:2966",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2966"
            },
            {
              "name": "openSUSE-SU-2019:2264",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00014.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.f5.com/csp/article/K02591030?utm_source=f5support\u0026amp%3Butm_medium=RSS"
            },
            {
              "name": "RHSA-2019:3933",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3933"
            },
            {
              "name": "RHSA-2019:3935",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3935"
            },
            {
              "name": "RHSA-2019:3932",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3932"
            },
            {
              "name": "FEDORA-2021-d5b2c18fe6",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service",
          "x_generator": {
            "engine": "Vulnogram 0.0.7"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "AKA": "HTTP/2 0-Length Headers Leak",
              "ASSIGNER": "cert@cert.org",
              "ID": "CVE-2019-9516",
              "STATE": "PUBLIC",
              "TITLE": "Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Thanks to Jonathan Looney of Netflix for reporting this vulnerability."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.7"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-400 Uncontrolled Resource Consumption"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "VU#605641",
                  "refsource": "CERT-VN",
                  "url": "https://kb.cert.org/vuls/id/605641/"
                },
                {
                  "name": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md",
                  "refsource": "MISC",
                  "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
                },
                {
                  "name": "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
                  "refsource": "BUGTRAQ",
                  "url": "https://seclists.org/bugtraq/2019/Aug/24"
                },
                {
                  "name": "USN-4099-1",
                  "refsource": "UBUNTU",
                  "url": "https://usn.ubuntu.com/4099-1/"
                },
                {
                  "name": "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
                  "refsource": "FULLDISC",
                  "url": "http://seclists.org/fulldisclosure/2019/Aug/16"
                },
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_19_33",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
                },
                {
                  "name": "https://support.f5.com/csp/article/K02591030",
                  "refsource": "CONFIRM",
                  "url": "https://support.f5.com/csp/article/K02591030"
                },
                {
                  "name": "FEDORA-2019-befd924cfe",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/"
                },
                {
                  "name": "20190822 [SECURITY] [DSA 4505-1] nginx security update",
                  "refsource": "BUGTRAQ",
                  "url": "https://seclists.org/bugtraq/2019/Aug/40"
                },
                {
                  "name": "DSA-4505",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2019/dsa-4505"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20190823-0002/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20190823-0002/"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20190823-0005/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
                },
                {
                  "name": "FEDORA-2019-5a6a7bc12c",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
                },
                {
                  "name": "FEDORA-2019-6a2980de56",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
                },
                {
                  "name": "FEDORA-2019-4427fd65be",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/"
                },
                {
                  "name": "FEDORA-2019-63ba15cc83",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/"
                },
                {
                  "name": "FEDORA-2019-7a0b45fdc4",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/POPAEC4FWL4UU4LDEGPY5NPALU24FFQD/"
                },
                {
                  "name": "openSUSE-SU-2019:2120",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html"
                },
                {
                  "name": "openSUSE-SU-2019:2114",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
                },
                {
                  "name": "openSUSE-SU-2019:2115",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
                },
                {
                  "name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296",
                  "refsource": "CONFIRM",
                  "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
                },
                {
                  "name": "RHSA-2019:2745",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2745"
                },
                {
                  "name": "RHSA-2019:2746",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2746"
                },
                {
                  "name": "RHSA-2019:2775",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2775"
                },
                {
                  "name": "RHSA-2019:2799",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2799"
                },
                {
                  "name": "RHSA-2019:2925",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2925"
                },
                {
                  "name": "RHSA-2019:2939",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2939"
                },
                {
                  "name": "RHSA-2019:2946",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2946"
                },
                {
                  "name": "RHSA-2019:2950",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2950"
                },
                {
                  "name": "RHSA-2019:2955",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2955"
                },
                {
                  "name": "RHSA-2019:2966",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2966"
                },
                {
                  "name": "openSUSE-SU-2019:2264",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00014.html"
                },
                {
                  "name": "https://support.f5.com/csp/article/K02591030?utm_source=f5support\u0026amp;utm_medium=RSS",
                  "refsource": "CONFIRM",
                  "url": "https://support.f5.com/csp/article/K02591030?utm_source=f5support\u0026amp;utm_medium=RSS"
                },
                {
                  "name": "RHSA-2019:3933",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3933"
                },
                {
                  "name": "RHSA-2019:3935",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3935"
                },
                {
                  "name": "RHSA-2019:3932",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3932"
                },
                {
                  "name": "FEDORA-2021-d5b2c18fe6",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "assignerShortName": "certcc",
        "cveId": "CVE-2019-9516",
        "datePublished": "2019-08-13T20:50:59.000Z",
        "dateReserved": "2019-03-01T00:00:00.000Z",
        "dateUpdated": "2024-08-04T21:54:44.285Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-9515 (GCVE-0-2019-9515)

    Vulnerability from nvd – Published: 2019-08-13 20:50 – Updated: 2024-08-04 21:54
    VLAI
    Title
    Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service
    Summary
    Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    URL Tags
    https://kb.cert.org/vuls/id/605641/ third-party-advisoryx_refsource_CERT-VN
    https://github.com/Netflix/security-bulletins/blo… x_refsource_MISC
    https://lists.apache.org/thread.html/bde52309316a… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/392108390cef… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/ad3d01e76719… mailing-listx_refsource_MLIST
    https://seclists.org/bugtraq/2019/Aug/24 mailing-listx_refsource_BUGTRAQ
    http://seclists.org/fulldisclosure/2019/Aug/16 mailing-listx_refsource_FULLDISC
    https://www.synology.com/security/advisory/Synolo… x_refsource_CONFIRM
    https://support.f5.com/csp/article/K50233772 x_refsource_CONFIRM
    https://security.netapp.com/advisory/ntap-2019082… x_refsource_CONFIRM
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://seclists.org/bugtraq/2019/Aug/43 mailing-listx_refsource_BUGTRAQ
    https://www.debian.org/security/2019/dsa-4508 vendor-advisoryx_refsource_DEBIAN
    https://www.debian.org/security/2019/dsa-4520 vendor-advisoryx_refsource_DEBIAN
    https://seclists.org/bugtraq/2019/Sep/18 mailing-listx_refsource_BUGTRAQ
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    https://kc.mcafee.com/corporate/index?page=conten… x_refsource_CONFIRM
    https://access.redhat.com/errata/RHSA-2019:2766 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2796 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2861 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2925 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2939 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2955 vendor-advisoryx_refsource_REDHAT
    https://support.f5.com/csp/article/K50233772?utm_… x_refsource_CONFIRM
    https://access.redhat.com/errata/RHSA-2019:3892 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:4018 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:4019 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:4021 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:4020 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:4045 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:4042 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:4040 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:4041 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:4352 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2020:0727 vendor-advisoryx_refsource_REDHAT
    https://usn.ubuntu.com/4308-1/ vendor-advisoryx_refsource_UBUNTU
    Credits
    Thanks to Jonathan Looney of Netflix for reporting this vulnerability.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T21:54:44.327Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "VU#605641",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_CERT-VN",
                  "x_transferred"
                ],
                "url": "https://kb.cert.org/vuls/id/605641/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
              },
              {
                "name": "[trafficserver-dev] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E"
              },
              {
                "name": "[trafficserver-users] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E"
              },
              {
                "name": "[trafficserver-announce] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E"
              },
              {
                "name": "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
                "tags": [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
                  "x_transferred"
                ],
                "url": "https://seclists.org/bugtraq/2019/Aug/24"
              },
              {
                "name": "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
                "tags": [
                  "mailing-list",
                  "x_refsource_FULLDISC",
                  "x_transferred"
                ],
                "url": "http://seclists.org/fulldisclosure/2019/Aug/16"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.f5.com/csp/article/K50233772"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
              },
              {
                "name": "FEDORA-2019-5a6a7bc12c",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
              },
              {
                "name": "FEDORA-2019-6a2980de56",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
              },
              {
                "name": "20190825 [SECURITY] [DSA 4508-1] h2o security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
                  "x_transferred"
                ],
                "url": "https://seclists.org/bugtraq/2019/Aug/43"
              },
              {
                "name": "DSA-4508",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2019/dsa-4508"
              },
              {
                "name": "DSA-4520",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2019/dsa-4520"
              },
              {
                "name": "20190910 [SECURITY] [DSA 4520-1] trafficserver security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
                  "x_transferred"
                ],
                "url": "https://seclists.org/bugtraq/2019/Sep/18"
              },
              {
                "name": "openSUSE-SU-2019:2114",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
              },
              {
                "name": "openSUSE-SU-2019:2115",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
              },
              {
                "name": "RHSA-2019:2766",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2766"
              },
              {
                "name": "RHSA-2019:2796",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2796"
              },
              {
                "name": "RHSA-2019:2861",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2861"
              },
              {
                "name": "RHSA-2019:2925",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2925"
              },
              {
                "name": "RHSA-2019:2939",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2939"
              },
              {
                "name": "RHSA-2019:2955",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2955"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.f5.com/csp/article/K50233772?utm_source=f5support\u0026amp%3Butm_medium=RSS"
              },
              {
                "name": "RHSA-2019:3892",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3892"
              },
              {
                "name": "RHSA-2019:4018",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4018"
              },
              {
                "name": "RHSA-2019:4019",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4019"
              },
              {
                "name": "RHSA-2019:4021",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4021"
              },
              {
                "name": "RHSA-2019:4020",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4020"
              },
              {
                "name": "RHSA-2019:4045",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4045"
              },
              {
                "name": "RHSA-2019:4042",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4042"
              },
              {
                "name": "RHSA-2019:4040",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4040"
              },
              {
                "name": "RHSA-2019:4041",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4041"
              },
              {
                "name": "RHSA-2019:4352",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4352"
              },
              {
                "name": "RHSA-2020:0727",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2020:0727"
              },
              {
                "name": "USN-4308-1",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
                  "x_transferred"
                ],
                "url": "https://usn.ubuntu.com/4308-1/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Thanks to Jonathan Looney of Netflix for reporting this vulnerability."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-03-30T21:06:04.000Z",
            "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
            "shortName": "certcc"
          },
          "references": [
            {
              "name": "VU#605641",
              "tags": [
                "third-party-advisory",
                "x_refsource_CERT-VN"
              ],
              "url": "https://kb.cert.org/vuls/id/605641/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
            },
            {
              "name": "[trafficserver-dev] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E"
            },
            {
              "name": "[trafficserver-users] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E"
            },
            {
              "name": "[trafficserver-announce] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E"
            },
            {
              "name": "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
              "tags": [
                "mailing-list",
                "x_refsource_BUGTRAQ"
              ],
              "url": "https://seclists.org/bugtraq/2019/Aug/24"
            },
            {
              "name": "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
              "tags": [
                "mailing-list",
                "x_refsource_FULLDISC"
              ],
              "url": "http://seclists.org/fulldisclosure/2019/Aug/16"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.f5.com/csp/article/K50233772"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
            },
            {
              "name": "FEDORA-2019-5a6a7bc12c",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
            },
            {
              "name": "FEDORA-2019-6a2980de56",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
            },
            {
              "name": "20190825 [SECURITY] [DSA 4508-1] h2o security update",
              "tags": [
                "mailing-list",
                "x_refsource_BUGTRAQ"
              ],
              "url": "https://seclists.org/bugtraq/2019/Aug/43"
            },
            {
              "name": "DSA-4508",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2019/dsa-4508"
            },
            {
              "name": "DSA-4520",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2019/dsa-4520"
            },
            {
              "name": "20190910 [SECURITY] [DSA 4520-1] trafficserver security update",
              "tags": [
                "mailing-list",
                "x_refsource_BUGTRAQ"
              ],
              "url": "https://seclists.org/bugtraq/2019/Sep/18"
            },
            {
              "name": "openSUSE-SU-2019:2114",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
            },
            {
              "name": "openSUSE-SU-2019:2115",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
            },
            {
              "name": "RHSA-2019:2766",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2766"
            },
            {
              "name": "RHSA-2019:2796",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2796"
            },
            {
              "name": "RHSA-2019:2861",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2861"
            },
            {
              "name": "RHSA-2019:2925",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2925"
            },
            {
              "name": "RHSA-2019:2939",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2939"
            },
            {
              "name": "RHSA-2019:2955",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2955"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.f5.com/csp/article/K50233772?utm_source=f5support\u0026amp%3Butm_medium=RSS"
            },
            {
              "name": "RHSA-2019:3892",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3892"
            },
            {
              "name": "RHSA-2019:4018",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4018"
            },
            {
              "name": "RHSA-2019:4019",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4019"
            },
            {
              "name": "RHSA-2019:4021",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4021"
            },
            {
              "name": "RHSA-2019:4020",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4020"
            },
            {
              "name": "RHSA-2019:4045",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4045"
            },
            {
              "name": "RHSA-2019:4042",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4042"
            },
            {
              "name": "RHSA-2019:4040",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4040"
            },
            {
              "name": "RHSA-2019:4041",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4041"
            },
            {
              "name": "RHSA-2019:4352",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4352"
            },
            {
              "name": "RHSA-2020:0727",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2020:0727"
            },
            {
              "name": "USN-4308-1",
              "tags": [
                "vendor-advisory",
                "x_refsource_UBUNTU"
              ],
              "url": "https://usn.ubuntu.com/4308-1/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service",
          "x_generator": {
            "engine": "Vulnogram 0.0.7"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "AKA": "HTTP/2 Settings Flood",
              "ASSIGNER": "cert@cert.org",
              "ID": "CVE-2019-9515",
              "STATE": "PUBLIC",
              "TITLE": "Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Thanks to Jonathan Looney of Netflix for reporting this vulnerability."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.7"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-400 Uncontrolled Resource Consumption"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "VU#605641",
                  "refsource": "CERT-VN",
                  "url": "https://kb.cert.org/vuls/id/605641/"
                },
                {
                  "name": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md",
                  "refsource": "MISC",
                  "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
                },
                {
                  "name": "[trafficserver-dev] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7@%3Cdev.trafficserver.apache.org%3E"
                },
                {
                  "name": "[trafficserver-users] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04@%3Cusers.trafficserver.apache.org%3E"
                },
                {
                  "name": "[trafficserver-announce] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19@%3Cannounce.trafficserver.apache.org%3E"
                },
                {
                  "name": "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
                  "refsource": "BUGTRAQ",
                  "url": "https://seclists.org/bugtraq/2019/Aug/24"
                },
                {
                  "name": "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
                  "refsource": "FULLDISC",
                  "url": "http://seclists.org/fulldisclosure/2019/Aug/16"
                },
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_19_33",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
                },
                {
                  "name": "https://support.f5.com/csp/article/K50233772",
                  "refsource": "CONFIRM",
                  "url": "https://support.f5.com/csp/article/K50233772"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20190823-0005/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
                },
                {
                  "name": "FEDORA-2019-5a6a7bc12c",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
                },
                {
                  "name": "FEDORA-2019-6a2980de56",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
                },
                {
                  "name": "20190825 [SECURITY] [DSA 4508-1] h2o security update",
                  "refsource": "BUGTRAQ",
                  "url": "https://seclists.org/bugtraq/2019/Aug/43"
                },
                {
                  "name": "DSA-4508",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2019/dsa-4508"
                },
                {
                  "name": "DSA-4520",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2019/dsa-4520"
                },
                {
                  "name": "20190910 [SECURITY] [DSA 4520-1] trafficserver security update",
                  "refsource": "BUGTRAQ",
                  "url": "https://seclists.org/bugtraq/2019/Sep/18"
                },
                {
                  "name": "openSUSE-SU-2019:2114",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
                },
                {
                  "name": "openSUSE-SU-2019:2115",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
                },
                {
                  "name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296",
                  "refsource": "CONFIRM",
                  "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
                },
                {
                  "name": "RHSA-2019:2766",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2766"
                },
                {
                  "name": "RHSA-2019:2796",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2796"
                },
                {
                  "name": "RHSA-2019:2861",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2861"
                },
                {
                  "name": "RHSA-2019:2925",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2925"
                },
                {
                  "name": "RHSA-2019:2939",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2939"
                },
                {
                  "name": "RHSA-2019:2955",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2955"
                },
                {
                  "name": "https://support.f5.com/csp/article/K50233772?utm_source=f5support\u0026amp;utm_medium=RSS",
                  "refsource": "CONFIRM",
                  "url": "https://support.f5.com/csp/article/K50233772?utm_source=f5support\u0026amp;utm_medium=RSS"
                },
                {
                  "name": "RHSA-2019:3892",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3892"
                },
                {
                  "name": "RHSA-2019:4018",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:4018"
                },
                {
                  "name": "RHSA-2019:4019",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:4019"
                },
                {
                  "name": "RHSA-2019:4021",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:4021"
                },
                {
                  "name": "RHSA-2019:4020",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:4020"
                },
                {
                  "name": "RHSA-2019:4045",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:4045"
                },
                {
                  "name": "RHSA-2019:4042",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:4042"
                },
                {
                  "name": "RHSA-2019:4040",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:4040"
                },
                {
                  "name": "RHSA-2019:4041",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:4041"
                },
                {
                  "name": "RHSA-2019:4352",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:4352"
                },
                {
                  "name": "RHSA-2020:0727",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2020:0727"
                },
                {
                  "name": "USN-4308-1",
                  "refsource": "UBUNTU",
                  "url": "https://usn.ubuntu.com/4308-1/"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "assignerShortName": "certcc",
        "cveId": "CVE-2019-9515",
        "datePublished": "2019-08-13T20:50:59.000Z",
        "dateReserved": "2019-03-01T00:00:00.000Z",
        "dateUpdated": "2024-08-04T21:54:44.327Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-0752 (GCVE-0-2025-0752)

    Vulnerability from cvelistv5 – Published: 2025-01-28 09:29 – Updated: 2026-02-24 08:03
    VLAI
    Title
    Envoyproxy: openshift service mesh envoy http header sanitization bypass leading to dos and unauthorized access
    Summary
    A flaw was found in OpenShift Service Mesh 2.6.3 and 2.5.6. Rate-limiter avoidance, access-control bypass, CPU and memory exhaustion, and replay attacks may be possible due to improper HTTP header sanitization in Envoy.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
    Assigner
    References
    URL Tags
    https://access.redhat.com/security/cve/CVE-2025-0752 vdb-entryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2339115 issue-trackingx_refsource_REDHAT
    Impacted products
    Vendor Product Version
    Affected: 2.6.3 (semver)
    Affected: 2.5.6 (semver)
    Red Hat OpenShift Service Mesh 2     cpe:/a:redhat:service_mesh:2
    Create a notification for this product.
    Date Public
    2025-01-21 00:00
    Credits
    Red Hat would like to thank Antony Di Scala and Michael Whale for reporting this issue.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-0752",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-28T14:35:14.655204Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-28T14:35:24.738Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/openshift-service-mesh/proxy",
              "defaultStatus": "unaffected",
              "packageName": "envoyproxy",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.6.3",
                  "versionType": "semver"
                },
                {
                  "status": "affected",
                  "version": "2.5.6",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:service_mesh:2"
              ],
              "defaultStatus": "affected",
              "packageName": "openshift-service-mesh/proxyv2-rhel8",
              "product": "OpenShift Service Mesh 2",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:service_mesh:2"
              ],
              "defaultStatus": "unaffected",
              "packageName": "openshift-service-mesh/proxyv2-rhel9",
              "product": "OpenShift Service Mesh 2",
              "vendor": "Red Hat"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Red Hat would like to thank Antony Di Scala and Michael Whale for reporting this issue."
            }
          ],
          "datePublic": "2025-01-21T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in OpenShift Service Mesh 2.6.3 and 2.5.6. Rate-limiter avoidance, access-control bypass, CPU and memory exhaustion, and replay attacks may be possible due to improper HTTP header sanitization in Envoy."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Important"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-444",
                  "description": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-24T08:03:27.631Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2025-0752"
            },
            {
              "name": "RHBZ#2339115",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339115"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-01-21T12:07:54.692Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2025-01-21T00:00:00.000Z",
              "value": "Made public."
            }
          ],
          "title": "Envoyproxy: openshift service mesh envoy http header sanitization bypass leading to dos and unauthorized access",
          "workarounds": [
            {
              "lang": "en",
              "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2025-0752",
        "datePublished": "2025-01-28T09:29:33.073Z",
        "dateReserved": "2025-01-27T14:16:01.506Z",
        "dateUpdated": "2026-02-24T08:03:27.631Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-44487 (GCVE-0-2023-44487)

    Vulnerability from cvelistv5 – Published: 2023-10-10 00:00 – Updated: 2026-05-12 10:52
    VLAI CISA KEVIntel
    Summary
    The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
    SSVC
    Exploitation: active Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    URL Tags
    https://github.com/dotnet/core/blob/e4613450ea0da…
    https://blog.cloudflare.com/technical-breakdown-h…
    https://aws.amazon.com/security/security-bulletin…
    https://cloud.google.com/blog/products/identity-s…
    https://www.nginx.com/blog/http-2-rapid-reset-att…
    https://cloud.google.com/blog/products/identity-s…
    https://news.ycombinator.com/item?id=37831062
    https://blog.cloudflare.com/zero-day-rapid-reset-…
    https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack
    https://github.com/envoyproxy/envoy/pull/30055
    https://github.com/haproxy/haproxy/issues/2312
    https://github.com/eclipse/jetty.project/issues/10679
    https://forums.swift.org/t/swift-nio-http2-securi…
    https://github.com/nghttp2/nghttp2/pull/1961
    https://github.com/netty/netty/commit/58f75f665aa…
    https://github.com/alibaba/tengine/issues/1872
    https://github.com/apache/tomcat/tree/main/java/o…
    https://news.ycombinator.com/item?id=37830987
    https://news.ycombinator.com/item?id=37830998
    https://github.com/caddyserver/caddy/issues/5877
    https://www.bleepingcomputer.com/news/security/ne…
    https://github.com/bcdannyboy/CVE-2023-44487
    https://github.com/grpc/grpc-go/pull/6703
    https://github.com/icing/mod_h2/blob/0a864782af0a…
    https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0
    https://mailman.nginx.org/pipermail/nginx-devel/2…
    https://my.f5.com/manage/s/article/K000137106
    https://msrc.microsoft.com/blog/2023/10/microsoft…
    https://bugzilla.proxmox.com/show_bug.cgi?id=4988
    https://cgit.freebsd.org/ports/commit/?id=c64c329…
    http://www.openwall.com/lists/oss-security/2023/10/10/7 mailing-list
    http://www.openwall.com/lists/oss-security/2023/10/10/6 mailing-list
    https://seanmonstar.com/post/730794151136935936/h…
    https://github.com/microsoft/CBL-Mariner/pull/6381
    https://groups.google.com/g/golang-announce/c/iNN…
    https://github.com/facebook/proxygen/pull/466
    https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a…
    https://github.com/micrictor/http2-rst-stream
    https://edg.io/lp/blog/resets-leaks-ddos-and-the-…
    https://openssf.org/blog/2023/10/10/http-2-rapid-…
    https://github.com/h2o/h2o/security/advisories/GH…
    https://github.com/h2o/h2o/pull/3291
    https://github.com/nodejs/node/pull/50121
    https://github.com/dotnet/announcements/issues/277
    https://github.com/golang/go/issues/63417
    https://github.com/advisories/GHSA-vx74-f528-fxqg
    https://github.com/apache/trafficserver/pull/10564
    https://msrc.microsoft.com/update-guide/vulnerabi…
    https://tomcat.apache.org/security-10.html#Fixed_…
    https://lists.apache.org/thread/5py8h42mxfsn8l1wy…
    https://www.openwall.com/lists/oss-security/2023/…
    https://www.haproxy.com/blog/haproxy-is-not-affec…
    https://github.com/opensearch-project/data-preppe…
    https://github.com/kubernetes/kubernetes/pull/121120
    https://github.com/oqtane/oqtane.framework/discus…
    https://github.com/advisories/GHSA-xpw8-rcwv-8f8p
    https://netty.io/news/2023/10/10/4-1-100-Final.html
    https://www.cisa.gov/news-events/alerts/2023/10/1…
    https://www.theregister.com/2023/10/10/http2_rapi…
    https://blog.qualys.com/vulnerabilities-threat-re…
    https://news.ycombinator.com/item?id=37837043
    https://github.com/kazu-yamamoto/http2/issues/93
    https://martinthomson.github.io/h2-stream-limits/…
    https://github.com/kazu-yamamoto/http2/commit/f61…
    https://github.com/apache/httpd/blob/afcdbeebbff4…
    https://www.debian.org/security/2023/dsa-5522 vendor-advisory
    https://www.debian.org/security/2023/dsa-5521 vendor-advisory
    https://access.redhat.com/security/cve/cve-2023-44487
    https://github.com/ninenines/cowboy/issues/1615
    https://github.com/varnishcache/varnish-cache/iss…
    https://github.com/tempesta-tech/tempesta/issues/1986
    https://blog.vespa.ai/cve-2023-44487/
    https://github.com/etcd-io/etcd/issues/16740
    https://www.darkreading.com/cloud/internet-wide-z…
    https://istio.io/latest/news/security/istio-secur…
    https://github.com/junkurihara/rust-rpxy/issues/97
    https://bugzilla.suse.com/show_bug.cgi?id=1216123
    https://bugzilla.redhat.com/show_bug.cgi?id=2242803
    https://ubuntu.com/security/CVE-2023-44487
    https://community.traefik.io/t/is-traefik-vulnera…
    https://github.com/advisories/GHSA-qppj-fm5r-hxr3
    https://github.com/apache/httpd-site/pull/10
    https://github.com/projectcontour/contour/pull/5826
    https://github.com/linkerd/website/pull/1695/comm…
    https://github.com/line/armeria/pull/5232
    https://blog.litespeedtech.com/2023/10/11/rapid-r…
    https://security.paloaltonetworks.com/CVE-2023-44487
    https://github.com/akka/akka-http/issues/4323
    https://github.com/openresty/openresty/issues/930
    https://github.com/apache/apisix/issues/10320
    https://github.com/Azure/AKS/issues/3947
    https://github.com/Kong/kong/discussions/11741
    https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487
    https://www.netlify.com/blog/netlify-successfully…
    https://github.com/caddyserver/caddy/releases/tag…
    https://lists.debian.org/debian-lts-announce/2023… mailing-list
    http://www.openwall.com/lists/oss-security/2023/10/13/4 mailing-list
    http://www.openwall.com/lists/oss-security/2023/10/13/9 mailing-list
    https://arstechnica.com/security/2023/10/how-ddos…
    https://lists.w3.org/Archives/Public/ietf-http-wg…
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/
    https://lists.debian.org/debian-lts-announce/2023… mailing-list
    https://security.netapp.com/advisory/ntap-2023101…
    https://lists.debian.org/debian-lts-announce/2023… mailing-list
    http://www.openwall.com/lists/oss-security/2023/10/18/4 mailing-list
    http://www.openwall.com/lists/oss-security/2023/10/18/8 mailing-list
    http://www.openwall.com/lists/oss-security/2023/10/19/6 mailing-list
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    http://www.openwall.com/lists/oss-security/2023/10/20/8 mailing-list
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.debian.org/debian-lts-announce/2023… mailing-list
    https://www.debian.org/security/2023/dsa-5540 vendor-advisory
    https://lists.debian.org/debian-lts-announce/2023… mailing-list
    https://discuss.hashicorp.com/t/hcsec-2023-32-vau…
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.debian.org/debian-lts-announce/2023… mailing-list
    https://www.debian.org/security/2023/dsa-5549 vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://www.debian.org/security/2023/dsa-5558 vendor-advisory
    https://lists.debian.org/debian-lts-announce/2023… mailing-list
    https://security.gentoo.org/glsa/202311-09 vendor-advisory
    https://www.debian.org/security/2023/dsa-5570 vendor-advisory
    https://security.netapp.com/advisory/ntap-2024042…
    https://security.netapp.com/advisory/ntap-2024062…
    https://security.netapp.com/advisory/ntap-2024062…
    https://github.com/grpc/grpc/releases/tag/v1.59.2
    https://sec.cloudapps.cisco.com/security/center/c…
    https://www.cisa.gov/known-exploited-vulnerabilit… government-resource
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://www.vicarius.io/vsociety/posts/rapid-rese…
    http://www.openwall.com/lists/oss-security/2025/08/13/6
    https://cert-portal.siemens.com/productcert/html/…
    https://cert-portal.siemens.com/productcert/html/…
    https://cert-portal.siemens.com/productcert/html/…
    https://cert-portal.siemens.com/productcert/html/…
    https://cert-portal.siemens.com/productcert/html/…
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:ietf:http:2.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "http",
                "vendor": "ietf",
                "versions": [
                  {
                    "status": "affected",
                    "version": "2.0"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-44487",
                    "options": [
                      {
                        "Exploitation": "active"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-23T20:34:21.334116Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              },
              {
                "other": {
                  "content": {
                    "dateAdded": "2023-10-10",
                    "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-44487"
                  },
                  "type": "kev"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-400",
                    "description": "CWE-400 Uncontrolled Resource Consumption",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-21T23:05:35.187Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "government-resource"
                ],
                "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-44487"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2023-10-10T00:00:00.000Z",
                "value": "CVE-2023-44487 added to CISA KEV"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-04T21:08:27.383Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://news.ycombinator.com/item?id=37831062"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/envoyproxy/envoy/pull/30055"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/haproxy/haproxy/issues/2312"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/eclipse/jetty.project/issues/10679"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/nghttp2/nghttp2/pull/1961"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/alibaba/tengine/issues/1872"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://news.ycombinator.com/item?id=37830987"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://news.ycombinator.com/item?id=37830998"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/caddyserver/caddy/issues/5877"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/bcdannyboy/CVE-2023-44487"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/grpc/grpc-go/pull/6703"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://my.f5.com/manage/s/article/K000137106"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/microsoft/CBL-Mariner/pull/6381"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/facebook/proxygen/pull/466"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/micrictor/http2-rst-stream"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/h2o/h2o/pull/3291"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/nodejs/node/pull/50121"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/dotnet/announcements/issues/277"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/golang/go/issues/63417"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/advisories/GHSA-vx74-f528-fxqg"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/apache/trafficserver/pull/10564"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.openwall.com/lists/oss-security/2023/10/10/6"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/opensearch-project/data-prepper/issues/3474"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/kubernetes/kubernetes/pull/121120"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/oqtane/oqtane.framework/discussions/3367"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://netty.io/news/2023/10/10/4-1-100-Final.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://news.ycombinator.com/item?id=37837043"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/kazu-yamamoto/http2/issues/93"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113"
              },
              {
                "name": "DSA-5522",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5522"
              },
              {
                "name": "DSA-5521",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5521"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/security/cve/cve-2023-44487"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/ninenines/cowboy/issues/1615"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/varnishcache/varnish-cache/issues/3996"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/tempesta-tech/tempesta/issues/1986"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://blog.vespa.ai/cve-2023-44487/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/etcd-io/etcd/issues/16740"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://istio.io/latest/news/security/istio-security-2023-004/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/junkurihara/rust-rpxy/issues/97"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://bugzilla.suse.com/show_bug.cgi?id=1216123"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://ubuntu.com/security/CVE-2023-44487"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/apache/httpd-site/pull/10"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/projectcontour/contour/pull/5826"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/line/armeria/pull/5232"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.paloaltonetworks.com/CVE-2023-44487"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/akka/akka-http/issues/4323"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/openresty/openresty/issues/930"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/apache/apisix/issues/10320"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/Azure/AKS/issues/3947"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/Kong/kong/discussions/11741"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/caddyserver/caddy/releases/tag/v2.7.5"
              },
              {
                "name": "[debian-lts-announce] 20231013 [SECURITY] [DLA 3617-1] tomcat9 security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html"
              },
              {
                "name": "[oss-security] 20231013 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2023/10/13/4"
              },
              {
                "name": "[oss-security] 20231013 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2023/10/13/9"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html"
              },
              {
                "name": "FEDORA-2023-ed2642fd58",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/"
              },
              {
                "name": "[debian-lts-announce] 20231016 [SECURITY] [DLA 3621-1] nghttp2 security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20231016-0001/"
              },
              {
                "name": "[debian-lts-announce] 20231016 [SECURITY] [DLA 3617-2] tomcat9 regression update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html"
              },
              {
                "name": "[oss-security] 20231018 Vulnerability in Jenkins",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2023/10/18/4"
              },
              {
                "name": "[oss-security] 20231018 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2023/10/18/8"
              },
              {
                "name": "[oss-security] 20231019 CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2023/10/19/6"
              },
              {
                "name": "FEDORA-2023-54fadada12",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/"
              },
              {
                "name": "FEDORA-2023-5ff7bf1dd8",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/"
              },
              {
                "name": "[oss-security] 20231020 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2023/10/20/8"
              },
              {
                "name": "FEDORA-2023-17efd3f2cd",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/"
              },
              {
                "name": "FEDORA-2023-d5030c983c",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/"
              },
              {
                "name": "FEDORA-2023-0259c3f26f",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/"
              },
              {
                "name": "FEDORA-2023-2a9214af5f",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/"
              },
              {
                "name": "FEDORA-2023-e9c04d81c1",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/"
              },
              {
                "name": "FEDORA-2023-f66fc0f62a",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/"
              },
              {
                "name": "FEDORA-2023-4d2fd884ea",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/"
              },
              {
                "name": "FEDORA-2023-b2c50535cb",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/"
              },
              {
                "name": "FEDORA-2023-fe53e13b5b",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/"
              },
              {
                "name": "FEDORA-2023-4bf641255e",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/"
              },
              {
                "name": "[debian-lts-announce] 20231030 [SECURITY] [DLA 3641-1] jetty9 security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html"
              },
              {
                "name": "DSA-5540",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5540"
              },
              {
                "name": "[debian-lts-announce] 20231031 [SECURITY] [DLA 3638-1] h2o security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715"
              },
              {
                "name": "FEDORA-2023-1caffb88af",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/"
              },
              {
                "name": "FEDORA-2023-3f70b8d406",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/"
              },
              {
                "name": "FEDORA-2023-7b52921cae",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/"
              },
              {
                "name": "FEDORA-2023-7934802344",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/"
              },
              {
                "name": "FEDORA-2023-dbe64661af",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/"
              },
              {
                "name": "FEDORA-2023-822aab0a5a",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/"
              },
              {
                "name": "[debian-lts-announce] 20231105 [SECURITY] [DLA 3645-1] trafficserver security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html"
              },
              {
                "name": "DSA-5549",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5549"
              },
              {
                "name": "FEDORA-2023-c0c6a91330",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/"
              },
              {
                "name": "FEDORA-2023-492b7be466",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/"
              },
              {
                "name": "DSA-5558",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5558"
              },
              {
                "name": "[debian-lts-announce] 20231119 [SECURITY] [DLA 3656-1] netty security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00012.html"
              },
              {
                "name": "GLSA-202311-09",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202311-09"
              },
              {
                "name": "DSA-5570",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5570"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20240426-0007/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20240621-0006/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20240621-0007/"
              },
              {
                "url": "https://www.vicarius.io/vsociety/posts/rapid-reset-cve-2023-44487-dos-in-http2-understanding-the-root-cause"
              },
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/08/13/6"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "defaultStatus": "unknown",
                "product": "RUGGEDCOM APE1808",
                "vendor": "Siemens",
                "versions": [
                  {
                    "lessThan": "*",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "defaultStatus": "unknown",
                "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
                "vendor": "Siemens",
                "versions": [
                  {
                    "lessThan": "*",
                    "status": "affected",
                    "version": "V3.1.5",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "defaultStatus": "unknown",
                "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
                "vendor": "Siemens",
                "versions": [
                  {
                    "lessThan": "*",
                    "status": "affected",
                    "version": "V3.1.5",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "defaultStatus": "unknown",
                "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
                "vendor": "Siemens",
                "versions": [
                  {
                    "lessThan": "*",
                    "status": "affected",
                    "version": "V3.1.5",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "defaultStatus": "unknown",
                "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
                "vendor": "Siemens",
                "versions": [
                  {
                    "lessThan": "*",
                    "status": "affected",
                    "version": "V3.1.5",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "defaultStatus": "unknown",
                "product": "SINEC NMS",
                "vendor": "Siemens",
                "versions": [
                  {
                    "lessThan": "V3.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "defaultStatus": "unknown",
                "product": "SIPLUS S7-1500 CPU 1518-4 PN/DP MFP",
                "vendor": "Siemens",
                "versions": [
                  {
                    "lessThan": "*",
                    "status": "affected",
                    "version": "V3.1.5",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-12T10:52:23.784Z",
              "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
              "shortName": "siemens-SADP"
            },
            "references": [
              {
                "url": "https://cert-portal.siemens.com/productcert/html/ssa-832273.html"
              },
              {
                "url": "https://cert-portal.siemens.com/productcert/html/ssa-341067.html"
              },
              {
                "url": "https://cert-portal.siemens.com/productcert/html/ssa-784301.html"
              },
              {
                "url": "https://cert-portal.siemens.com/productcert/html/ssa-915275.html"
              },
              {
                "url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
              }
            ],
            "x_adpType": "supplier"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-07T20:05:34.376Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73"
            },
            {
              "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/"
            },
            {
              "url": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/"
            },
            {
              "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack"
            },
            {
              "url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/"
            },
            {
              "url": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/"
            },
            {
              "url": "https://news.ycombinator.com/item?id=37831062"
            },
            {
              "url": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/"
            },
            {
              "url": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack"
            },
            {
              "url": "https://github.com/envoyproxy/envoy/pull/30055"
            },
            {
              "url": "https://github.com/haproxy/haproxy/issues/2312"
            },
            {
              "url": "https://github.com/eclipse/jetty.project/issues/10679"
            },
            {
              "url": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764"
            },
            {
              "url": "https://github.com/nghttp2/nghttp2/pull/1961"
            },
            {
              "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61"
            },
            {
              "url": "https://github.com/alibaba/tengine/issues/1872"
            },
            {
              "url": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2"
            },
            {
              "url": "https://news.ycombinator.com/item?id=37830987"
            },
            {
              "url": "https://news.ycombinator.com/item?id=37830998"
            },
            {
              "url": "https://github.com/caddyserver/caddy/issues/5877"
            },
            {
              "url": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/"
            },
            {
              "url": "https://github.com/bcdannyboy/CVE-2023-44487"
            },
            {
              "url": "https://github.com/grpc/grpc-go/pull/6703"
            },
            {
              "url": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244"
            },
            {
              "url": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0"
            },
            {
              "url": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html"
            },
            {
              "url": "https://my.f5.com/manage/s/article/K000137106"
            },
            {
              "url": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/"
            },
            {
              "url": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988"
            },
            {
              "url": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9"
            },
            {
              "name": "[oss-security] 20231010 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2023/10/10/7"
            },
            {
              "name": "[oss-security] 20231010 CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2023/10/10/6"
            },
            {
              "url": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected"
            },
            {
              "url": "https://github.com/microsoft/CBL-Mariner/pull/6381"
            },
            {
              "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo"
            },
            {
              "url": "https://github.com/facebook/proxygen/pull/466"
            },
            {
              "url": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088"
            },
            {
              "url": "https://github.com/micrictor/http2-rst-stream"
            },
            {
              "url": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve"
            },
            {
              "url": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/"
            },
            {
              "url": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf"
            },
            {
              "url": "https://github.com/h2o/h2o/pull/3291"
            },
            {
              "url": "https://github.com/nodejs/node/pull/50121"
            },
            {
              "url": "https://github.com/dotnet/announcements/issues/277"
            },
            {
              "url": "https://github.com/golang/go/issues/63417"
            },
            {
              "url": "https://github.com/advisories/GHSA-vx74-f528-fxqg"
            },
            {
              "url": "https://github.com/apache/trafficserver/pull/10564"
            },
            {
              "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487"
            },
            {
              "url": "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14"
            },
            {
              "url": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q"
            },
            {
              "url": "https://www.openwall.com/lists/oss-security/2023/10/10/6"
            },
            {
              "url": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487"
            },
            {
              "url": "https://github.com/opensearch-project/data-prepper/issues/3474"
            },
            {
              "url": "https://github.com/kubernetes/kubernetes/pull/121120"
            },
            {
              "url": "https://github.com/oqtane/oqtane.framework/discussions/3367"
            },
            {
              "url": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p"
            },
            {
              "url": "https://netty.io/news/2023/10/10/4-1-100-Final.html"
            },
            {
              "url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487"
            },
            {
              "url": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/"
            },
            {
              "url": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack"
            },
            {
              "url": "https://news.ycombinator.com/item?id=37837043"
            },
            {
              "url": "https://github.com/kazu-yamamoto/http2/issues/93"
            },
            {
              "url": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html"
            },
            {
              "url": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1"
            },
            {
              "url": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113"
            },
            {
              "name": "DSA-5522",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.debian.org/security/2023/dsa-5522"
            },
            {
              "name": "DSA-5521",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.debian.org/security/2023/dsa-5521"
            },
            {
              "url": "https://access.redhat.com/security/cve/cve-2023-44487"
            },
            {
              "url": "https://github.com/ninenines/cowboy/issues/1615"
            },
            {
              "url": "https://github.com/varnishcache/varnish-cache/issues/3996"
            },
            {
              "url": "https://github.com/tempesta-tech/tempesta/issues/1986"
            },
            {
              "url": "https://blog.vespa.ai/cve-2023-44487/"
            },
            {
              "url": "https://github.com/etcd-io/etcd/issues/16740"
            },
            {
              "url": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event"
            },
            {
              "url": "https://istio.io/latest/news/security/istio-security-2023-004/"
            },
            {
              "url": "https://github.com/junkurihara/rust-rpxy/issues/97"
            },
            {
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=1216123"
            },
            {
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803"
            },
            {
              "url": "https://ubuntu.com/security/CVE-2023-44487"
            },
            {
              "url": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125"
            },
            {
              "url": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3"
            },
            {
              "url": "https://github.com/apache/httpd-site/pull/10"
            },
            {
              "url": "https://github.com/projectcontour/contour/pull/5826"
            },
            {
              "url": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632"
            },
            {
              "url": "https://github.com/line/armeria/pull/5232"
            },
            {
              "url": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/"
            },
            {
              "url": "https://security.paloaltonetworks.com/CVE-2023-44487"
            },
            {
              "url": "https://github.com/akka/akka-http/issues/4323"
            },
            {
              "url": "https://github.com/openresty/openresty/issues/930"
            },
            {
              "url": "https://github.com/apache/apisix/issues/10320"
            },
            {
              "url": "https://github.com/Azure/AKS/issues/3947"
            },
            {
              "url": "https://github.com/Kong/kong/discussions/11741"
            },
            {
              "url": "https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487"
            },
            {
              "url": "https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/"
            },
            {
              "url": "https://github.com/caddyserver/caddy/releases/tag/v2.7.5"
            },
            {
              "name": "[debian-lts-announce] 20231013 [SECURITY] [DLA 3617-1] tomcat9 security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html"
            },
            {
              "name": "[oss-security] 20231013 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2023/10/13/4"
            },
            {
              "name": "[oss-security] 20231013 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2023/10/13/9"
            },
            {
              "url": "https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/"
            },
            {
              "url": "https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html"
            },
            {
              "name": "FEDORA-2023-ed2642fd58",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/"
            },
            {
              "url": "https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/"
            },
            {
              "name": "[debian-lts-announce] 20231016 [SECURITY] [DLA 3621-1] nghttp2 security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20231016-0001/"
            },
            {
              "name": "[debian-lts-announce] 20231016 [SECURITY] [DLA 3617-2] tomcat9 regression update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html"
            },
            {
              "name": "[oss-security] 20231018 Vulnerability in Jenkins",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2023/10/18/4"
            },
            {
              "name": "[oss-security] 20231018 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2023/10/18/8"
            },
            {
              "name": "[oss-security] 20231019 CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2023/10/19/6"
            },
            {
              "name": "FEDORA-2023-54fadada12",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/"
            },
            {
              "name": "FEDORA-2023-5ff7bf1dd8",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/"
            },
            {
              "name": "[oss-security] 20231020 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2023/10/20/8"
            },
            {
              "name": "FEDORA-2023-17efd3f2cd",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/"
            },
            {
              "name": "FEDORA-2023-d5030c983c",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/"
            },
            {
              "name": "FEDORA-2023-0259c3f26f",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/"
            },
            {
              "name": "FEDORA-2023-2a9214af5f",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/"
            },
            {
              "name": "FEDORA-2023-e9c04d81c1",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/"
            },
            {
              "name": "FEDORA-2023-f66fc0f62a",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/"
            },
            {
              "name": "FEDORA-2023-4d2fd884ea",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/"
            },
            {
              "name": "FEDORA-2023-b2c50535cb",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/"
            },
            {
              "name": "FEDORA-2023-fe53e13b5b",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/"
            },
            {
              "name": "FEDORA-2023-4bf641255e",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/"
            },
            {
              "name": "[debian-lts-announce] 20231030 [SECURITY] [DLA 3641-1] jetty9 security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html"
            },
            {
              "name": "DSA-5540",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.debian.org/security/2023/dsa-5540"
            },
            {
              "name": "[debian-lts-announce] 20231031 [SECURITY] [DLA 3638-1] h2o security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html"
            },
            {
              "url": "https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715"
            },
            {
              "name": "FEDORA-2023-1caffb88af",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/"
            },
            {
              "name": "FEDORA-2023-3f70b8d406",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/"
            },
            {
              "name": "FEDORA-2023-7b52921cae",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/"
            },
            {
              "name": "FEDORA-2023-7934802344",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/"
            },
            {
              "name": "FEDORA-2023-dbe64661af",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/"
            },
            {
              "name": "FEDORA-2023-822aab0a5a",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/"
            },
            {
              "name": "[debian-lts-announce] 20231105 [SECURITY] [DLA 3645-1] trafficserver security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html"
            },
            {
              "name": "DSA-5549",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.debian.org/security/2023/dsa-5549"
            },
            {
              "name": "FEDORA-2023-c0c6a91330",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/"
            },
            {
              "name": "FEDORA-2023-492b7be466",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/"
            },
            {
              "name": "DSA-5558",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.debian.org/security/2023/dsa-5558"
            },
            {
              "name": "[debian-lts-announce] 20231119 [SECURITY] [DLA 3656-1] netty security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00012.html"
            },
            {
              "name": "GLSA-202311-09",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202311-09"
            },
            {
              "name": "DSA-5570",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.debian.org/security/2023/dsa-5570"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20240426-0007/"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20240621-0006/"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20240621-0007/"
            },
            {
              "url": "https://github.com/grpc/grpc/releases/tag/v1.59.2"
            },
            {
              "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http2-reset-d8Kf32vZ"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2023-44487",
        "datePublished": "2023-10-10T00:00:00.000Z",
        "dateReserved": "2023-09-29T00:00:00.000Z",
        "dateUpdated": "2026-05-12T10:52:23.784Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-3962 (GCVE-0-2022-3962)

    Vulnerability from cvelistv5 – Published: 2023-09-23 19:00 – Updated: 2024-08-03 01:27
    VLAI
    Title
    Kiali: error message spoofing in kiali ui
    Summary
    A content spoofing vulnerability was found in Kiali. It was discovered that Kiali does not implement error handling when the page or endpoint being accessed cannot be found. This issue allows an attacker to perform arbitrary text injection when an error response is retrieved from the URL being accessed.
    CWE
    • CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2023:0542 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/security/cve/CVE-2022-3962 vdb-entryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2148661 issue-trackingx_refsource_REDHAT
    Impacted products
    Vendor Product Version
    Red Hat Red Hat OpenShift Service Mesh 2.3 for RHEL 8 Unaffected: 1.57.5-3 , < * (rpm)
        cpe:/a:redhat:service_mesh:2.3::el8
    Create a notification for this product.
    Red Hat OpenShift Service Mesh 2.1     cpe:/a:redhat:service_mesh:2.1
    Create a notification for this product.
    Date Public
    2022-11-22 00:00
    Credits
    This issue was discovered by John Mazzitelli (Red Hat).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T01:27:53.126Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2023:0542",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2023:0542"
              },
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2022-3962"
              },
              {
                "name": "RHBZ#2148661",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148661"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:service_mesh:2.3::el8"
              ],
              "defaultStatus": "affected",
              "packageName": "openshift-service-mesh/kiali-rhel8",
              "product": "Red Hat OpenShift Service Mesh 2.3 for RHEL 8",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.57.5-3",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:service_mesh:2.1"
              ],
              "defaultStatus": "affected",
              "packageName": "openshift-service-mesh/kiali-rhel8",
              "product": "OpenShift Service Mesh 2.1",
              "vendor": "Red Hat"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "This issue was discovered by John Mazzitelli (Red Hat)."
            }
          ],
          "datePublic": "2022-11-22T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A content spoofing vulnerability was found in Kiali. It was discovered that Kiali does not implement error handling when the page or endpoint being accessed cannot be found. This issue allows an attacker to perform arbitrary text injection when an error response is retrieved from the URL being accessed."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Low"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-03T15:32:26.058Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2023:0542",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2023:0542"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2022-3962"
            },
            {
              "name": "RHBZ#2148661",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148661"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2022-11-11T00:00:00.000Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2022-11-22T00:00:00.000Z",
              "value": "Made public."
            }
          ],
          "title": "Kiali: error message spoofing in kiali ui",
          "x_redhatCweChain": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2022-3962",
        "datePublished": "2023-09-23T19:00:54.200Z",
        "dateReserved": "2022-11-12T00:20:34.872Z",
        "dateUpdated": "2024-08-03T01:27:53.126Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-3586 (GCVE-0-2021-3586)

    Vulnerability from cvelistv5 – Published: 2022-08-22 14:46 – Updated: 2024-08-03 17:01
    VLAI
    Summary
    A flaw was found in servicemesh-operator. The NetworkPolicy resources installed for Maistra do not properly specify which ports may be accessed, allowing access to all ports on these resources from any pod. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
    Severity
    No CVSS data available.
    CWE
    • CWE-1188 - - Insecure Default Initialization of Resource
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a servicemesh-operator Affected: Affects v2.0.5.1, Fixed in v2.0.5.2.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T17:01:07.389Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1967738"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2021-3586"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "servicemesh-operator",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "Affects v2.0.5.1, Fixed in v2.0.5.2."
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in servicemesh-operator. The NetworkPolicy resources installed for Maistra do not properly specify which ports may be accessed, allowing access to all ports on these resources from any pod. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1188",
                  "description": "CWE-1188 - Insecure Default Initialization of Resource",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-08-22T14:46:32.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1967738"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2021-3586"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2021-3586",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "servicemesh-operator",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Affects v2.0.5.1, Fixed in v2.0.5.2."
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A flaw was found in servicemesh-operator. The NetworkPolicy resources installed for Maistra do not properly specify which ports may be accessed, allowing access to all ports on these resources from any pod. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-1188 - Insecure Default Initialization of Resource"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1967738",
                  "refsource": "MISC",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1967738"
                },
                {
                  "name": "https://access.redhat.com/security/cve/CVE-2021-3586",
                  "refsource": "MISC",
                  "url": "https://access.redhat.com/security/cve/CVE-2021-3586"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2021-3586",
        "datePublished": "2022-08-22T14:46:32.000Z",
        "dateReserved": "2021-06-07T00:00:00.000Z",
        "dateUpdated": "2024-08-03T17:01:07.389Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-3495 (GCVE-0-2021-3495)

    Vulnerability from cvelistv5 – Published: 2021-06-01 13:31 – Updated: 2024-08-03 16:53
    VLAI
    Summary
    An incorrect access control flaw was found in the kiali-operator in versions before 1.33.0 and before 1.24.7. This flaw allows an attacker with a basic level of access to the cluster (to deploy a kiali operand) to use this vulnerability and deploy a given image to anywhere in the cluster, potentially gaining access to privileged service account tokens. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a kiali/kiali-operator Affected: kiali/kiali-operator 1.33.0, kiali/kiali-operator 1.24.7
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T16:53:17.829Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1947361"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://kiali.io/news/security-bulletins/kiali-security-003/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kiali/kiali-operator",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "kiali/kiali-operator 1.33.0, kiali/kiali-operator 1.24.7"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An incorrect access control flaw was found in the kiali-operator in versions before 1.33.0 and before 1.24.7. This flaw allows an attacker with a basic level of access to the cluster (to deploy a kiali operand) to use this vulnerability and deploy a given image to anywhere in the cluster, potentially gaining access to privileged service account tokens. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-281",
                  "description": "CWE-281",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-06-01T13:31:32.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1947361"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://kiali.io/news/security-bulletins/kiali-security-003/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2021-3495",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "kiali/kiali-operator",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "kiali/kiali-operator 1.33.0, kiali/kiali-operator 1.24.7"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An incorrect access control flaw was found in the kiali-operator in versions before 1.33.0 and before 1.24.7. This flaw allows an attacker with a basic level of access to the cluster (to deploy a kiali operand) to use this vulnerability and deploy a given image to anywhere in the cluster, potentially gaining access to privileged service account tokens. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-281"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1947361",
                  "refsource": "MISC",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1947361"
                },
                {
                  "name": "https://kiali.io/news/security-bulletins/kiali-security-003/",
                  "refsource": "MISC",
                  "url": "https://kiali.io/news/security-bulletins/kiali-security-003/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2021-3495",
        "datePublished": "2021-06-01T13:31:32.000Z",
        "dateReserved": "2021-04-12T00:00:00.000Z",
        "dateUpdated": "2024-08-03T16:53:17.829Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-25014 (GCVE-0-2019-25014)

    Vulnerability from cvelistv5 – Published: 2021-01-29 06:00 – Updated: 2024-08-05 03:00
    VLAI
    Summary
    A NULL pointer dereference was found in pkg/proxy/envoy/v2/debug.go getResourceVersion in Istio pilot before 1.5.0-alpha.0. If a particular HTTP GET request is made to the pilot API endpoint, it is possible to cause the Go runtime to panic (resulting in a denial of service to the istio-pilot application).
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T03:00:18.878Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/istio/istio/compare/1.4.2...1.5.0-alpha.0"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1919066"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A NULL pointer dereference was found in pkg/proxy/envoy/v2/debug.go getResourceVersion in Istio pilot before 1.5.0-alpha.0. If a particular HTTP GET request is made to the pilot API endpoint, it is possible to cause the Go runtime to panic (resulting in a denial of service to the istio-pilot application)."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-01-29T06:00:23.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/istio/istio/compare/1.4.2...1.5.0-alpha.0"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1919066"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2019-25014",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A NULL pointer dereference was found in pkg/proxy/envoy/v2/debug.go getResourceVersion in Istio pilot before 1.5.0-alpha.0. If a particular HTTP GET request is made to the pilot API endpoint, it is possible to cause the Go runtime to panic (resulting in a denial of service to the istio-pilot application)."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/istio/istio/compare/1.4.2...1.5.0-alpha.0",
                  "refsource": "MISC",
                  "url": "https://github.com/istio/istio/compare/1.4.2...1.5.0-alpha.0"
                },
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1919066",
                  "refsource": "MISC",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1919066"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2019-25014",
        "datePublished": "2021-01-29T06:00:23.000Z",
        "dateReserved": "2021-01-21T00:00:00.000Z",
        "dateUpdated": "2024-08-05T03:00:18.878Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-27846 (GCVE-0-2020-27846)

    Vulnerability from cvelistv5 – Published: 2020-12-21 15:16 – Updated: 2024-08-04 16:25
    VLAI
    Summary
    A signature verification vulnerability exists in crewjam/saml. This flaw allows an attacker to bypass SAML Authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
    Severity
    No CVSS data available.
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    n/a crewjam/saml Affected: grafana-7.3.6, grafana-7.2.3, grafana-6.7.5, github.com/crewjam/saml-0.4.3
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T16:25:43.248Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1907670"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/crewjam/saml/security/advisories/GHSA-4hq8-gmxx-h6w9"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://grafana.com/blog/2020/12/17/grafana-6.7.5-7.2.3-and-7.3.6-released-with-important-security-fix-for-grafana-enterprise/"
              },
              {
                "name": "FEDORA-2020-968067abfa",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YUTKIRWT6TWU7DS6GF3EOANVQBFQZYI/"
              },
              {
                "name": "FEDORA-2020-64e54abd9f",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ICP3YRY2VUCNCF2VFUSK77ZMRIC77FEM/"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20210205-0002/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "crewjam/saml",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "grafana-7.3.6, grafana-7.2.3, grafana-6.7.5, github.com/crewjam/saml-0.4.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A signature verification vulnerability exists in crewjam/saml. This flaw allows an attacker to bypass SAML Authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-115",
                  "description": "CWE-115",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-02-05T11:06:13.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1907670"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/crewjam/saml/security/advisories/GHSA-4hq8-gmxx-h6w9"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://grafana.com/blog/2020/12/17/grafana-6.7.5-7.2.3-and-7.3.6-released-with-important-security-fix-for-grafana-enterprise/"
            },
            {
              "name": "FEDORA-2020-968067abfa",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YUTKIRWT6TWU7DS6GF3EOANVQBFQZYI/"
            },
            {
              "name": "FEDORA-2020-64e54abd9f",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ICP3YRY2VUCNCF2VFUSK77ZMRIC77FEM/"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20210205-0002/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2020-27846",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "crewjam/saml",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "grafana-7.3.6, grafana-7.2.3, grafana-6.7.5, github.com/crewjam/saml-0.4.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A signature verification vulnerability exists in crewjam/saml. This flaw allows an attacker to bypass SAML Authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-115"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1907670",
                  "refsource": "MISC",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1907670"
                },
                {
                  "name": "https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/",
                  "refsource": "MISC",
                  "url": "https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/"
                },
                {
                  "name": "https://github.com/crewjam/saml/security/advisories/GHSA-4hq8-gmxx-h6w9",
                  "refsource": "MISC",
                  "url": "https://github.com/crewjam/saml/security/advisories/GHSA-4hq8-gmxx-h6w9"
                },
                {
                  "name": "https://grafana.com/blog/2020/12/17/grafana-6.7.5-7.2.3-and-7.3.6-released-with-important-security-fix-for-grafana-enterprise/",
                  "refsource": "MISC",
                  "url": "https://grafana.com/blog/2020/12/17/grafana-6.7.5-7.2.3-and-7.3.6-released-with-important-security-fix-for-grafana-enterprise/"
                },
                {
                  "name": "FEDORA-2020-968067abfa",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3YUTKIRWT6TWU7DS6GF3EOANVQBFQZYI/"
                },
                {
                  "name": "FEDORA-2020-64e54abd9f",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICP3YRY2VUCNCF2VFUSK77ZMRIC77FEM/"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20210205-0002/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20210205-0002/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2020-27846",
        "datePublished": "2020-12-21T15:16:14.000Z",
        "dateReserved": "2020-10-27T00:00:00.000Z",
        "dateUpdated": "2024-08-04T16:25:43.248Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-1762 (GCVE-0-2020-1762)

    Vulnerability from cvelistv5 – Published: 2020-04-27 20:41 – Updated: 2024-08-04 06:46
    VLAI
    Summary
    An insufficient JWT validation vulnerability was found in Kiali versions 0.4.0 to 1.15.0 and was fixed in Kiali version 1.15.1, wherein a remote attacker could abuse this flaw by stealing a valid JWT cookie and using that to spoof a user session, possibly gaining privileges to view and alter the Istio configuration.
    Assigner
    References
    Impacted products
    Vendor Product Version
    [Kiali] kiali Affected: >= 0.4.0, < 1.15.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T06:46:30.907Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://kiali.io/news/security-bulletins/kiali-security-001/"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1762"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kiali",
              "vendor": "[Kiali]",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.4.0, \u003c 1.15.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An insufficient JWT validation vulnerability was found in Kiali versions 0.4.0 to 1.15.0 and was fixed in Kiali version 1.15.1, wherein a remote attacker could abuse this flaw by stealing a valid JWT cookie and using that to spoof a user session, possibly gaining privileges to view and alter the Istio configuration."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-613",
                  "description": "CWE-613",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-384",
                  "description": "CWE-384",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-04-27T20:41:37.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://kiali.io/news/security-bulletins/kiali-security-001/"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1762"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2020-1762",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "kiali",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003e= 0.4.0, \u003c 1.15.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "[Kiali]"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An insufficient JWT validation vulnerability was found in Kiali versions 0.4.0 to 1.15.0 and was fixed in Kiali version 1.15.1, wherein a remote attacker could abuse this flaw by stealing a valid JWT cookie and using that to spoof a user session, possibly gaining privileges to view and alter the Istio configuration."
                }
              ]
            },
            "impact": {
              "cvss": [
                [
                  {
                    "vectorString": "7.0/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H",
                    "version": "3.0"
                  }
                ]
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-613"
                    }
                  ]
                },
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-384"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://kiali.io/news/security-bulletins/kiali-security-001/",
                  "refsource": "MISC",
                  "url": "https://kiali.io/news/security-bulletins/kiali-security-001/"
                },
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1762",
                  "refsource": "CONFIRM",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1762"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2020-1762",
        "datePublished": "2020-04-27T20:41:37.000Z",
        "dateReserved": "2019-11-27T00:00:00.000Z",
        "dateUpdated": "2024-08-04T06:46:30.907Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-1764 (GCVE-0-2020-1764)

    Vulnerability from cvelistv5 – Published: 2020-03-26 11:16 – Updated: 2024-08-04 06:46
    VLAI
    Summary
    A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions prior to 1.15.1. A remote attacker could abuse this flaw by creating their own JWT signed tokens and bypass Kiali authentication mechanisms, possibly gaining privileges to view and alter the Istio configuration.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Red Hat kiali Affected: all Kiali versions prior to 1.15.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T06:46:30.916Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://kiali.io/news/security-bulletins/kiali-security-001/"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1764"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kiali",
              "vendor": "Red Hat",
              "versions": [
                {
                  "status": "affected",
                  "version": "all Kiali versions prior to 1.15.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions prior to 1.15.1. A remote attacker could abuse this flaw by creating their own JWT signed tokens and bypass Kiali authentication mechanisms, possibly gaining privileges to view and alter the Istio configuration."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-321",
                  "description": "CWE-321",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-03-26T11:16:09.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://kiali.io/news/security-bulletins/kiali-security-001/"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1764"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2020-1764",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "kiali",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "all Kiali versions prior to 1.15.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Red Hat"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions prior to 1.15.1. A remote attacker could abuse this flaw by creating their own JWT signed tokens and bypass Kiali authentication mechanisms, possibly gaining privileges to view and alter the Istio configuration."
                }
              ]
            },
            "impact": {
              "cvss": [
                [
                  {
                    "vectorString": "8.6/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
                    "version": "3.0"
                  }
                ]
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-321"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://kiali.io/news/security-bulletins/kiali-security-001/",
                  "refsource": "MISC",
                  "url": "https://kiali.io/news/security-bulletins/kiali-security-001/"
                },
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1764",
                  "refsource": "CONFIRM",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1764"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2020-1764",
        "datePublished": "2020-03-26T11:16:09.000Z",
        "dateReserved": "2019-11-27T00:00:00.000Z",
        "dateUpdated": "2024-08-04T06:46:30.916Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-8661 (GCVE-0-2020-8661)

    Vulnerability from cvelistv5 – Published: 2020-03-04 20:48 – Updated: 2024-08-04 10:03
    VLAI
    Summary
    CNCF Envoy through 1.13.0 may consume excessive amounts of memory when responding internally to pipelined requests.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T10:03:46.322Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.envoyproxy.io/docs/envoy/v1.13.1/intro/version_history"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-36cq-ww7h-p4j7"
              },
              {
                "name": "RHSA-2020:0734",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2020:0734"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "CNCF Envoy through 1.13.0 may consume excessive amounts of memory when responding internally to pipelined requests."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-03-11T11:06:32.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.envoyproxy.io/docs/envoy/v1.13.1/intro/version_history"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-36cq-ww7h-p4j7"
            },
            {
              "name": "RHSA-2020:0734",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2020:0734"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2020-8661",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "CNCF Envoy through 1.13.0 may consume excessive amounts of memory when responding internally to pipelined requests."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.envoyproxy.io/docs/envoy/v1.13.1/intro/version_history",
                  "refsource": "CONFIRM",
                  "url": "https://www.envoyproxy.io/docs/envoy/v1.13.1/intro/version_history"
                },
                {
                  "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-36cq-ww7h-p4j7",
                  "refsource": "MISC",
                  "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-36cq-ww7h-p4j7"
                },
                {
                  "name": "RHSA-2020:0734",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2020:0734"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2020-8661",
        "datePublished": "2020-03-04T20:48:16.000Z",
        "dateReserved": "2020-02-06T00:00:00.000Z",
        "dateUpdated": "2024-08-04T10:03:46.322Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-8659 (GCVE-0-2020-8659)

    Vulnerability from cvelistv5 – Published: 2020-03-04 20:43 – Updated: 2024-08-04 10:03
    VLAI
    Summary
    CNCF Envoy through 1.13.0 may consume excessive amounts of memory when proxying HTTP/1.1 requests or responses with many small (i.e. 1 byte) chunks.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T10:03:46.378Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.envoyproxy.io/docs/envoy/v1.13.1/intro/version_history"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-jwcm-4pwp-c2qv"
              },
              {
                "name": "RHSA-2020:0734",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2020:0734"
              },
              {
                "name": "[debian-lts-announce] 20220518 [SECURITY] [DLA 3014-1] elog security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00025.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "CNCF Envoy through 1.13.0 may consume excessive amounts of memory when proxying HTTP/1.1 requests or responses with many small (i.e. 1 byte) chunks."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-05-18T13:06:17.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.envoyproxy.io/docs/envoy/v1.13.1/intro/version_history"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-jwcm-4pwp-c2qv"
            },
            {
              "name": "RHSA-2020:0734",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2020:0734"
            },
            {
              "name": "[debian-lts-announce] 20220518 [SECURITY] [DLA 3014-1] elog security update",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00025.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2020-8659",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "CNCF Envoy through 1.13.0 may consume excessive amounts of memory when proxying HTTP/1.1 requests or responses with many small (i.e. 1 byte) chunks."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.envoyproxy.io/docs/envoy/v1.13.1/intro/version_history",
                  "refsource": "CONFIRM",
                  "url": "https://www.envoyproxy.io/docs/envoy/v1.13.1/intro/version_history"
                },
                {
                  "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-jwcm-4pwp-c2qv",
                  "refsource": "MISC",
                  "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-jwcm-4pwp-c2qv"
                },
                {
                  "name": "RHSA-2020:0734",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2020:0734"
                },
                {
                  "name": "[debian-lts-announce] 20220518 [SECURITY] [DLA 3014-1] elog security update",
                  "refsource": "MLIST",
                  "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00025.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2020-8659",
        "datePublished": "2020-03-04T20:43:55.000Z",
        "dateReserved": "2020-02-06T00:00:00.000Z",
        "dateUpdated": "2024-08-04T10:03:46.378Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-1704 (GCVE-0-2020-1704)

    Vulnerability from cvelistv5 – Published: 2020-02-17 16:38 – Updated: 2024-08-04 06:46
    VLAI
    Summary
    An insecure modification vulnerability in the /etc/passwd file was found in all versions of OpenShift ServiceMesh (maistra) before 1.0.8 in the openshift/istio-kialia-rhel7-operator-container. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Red Hat openshift-service-mesh/kiali-rhel7-operator Affected: All maistra versions before 1.0.8
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T06:46:30.534Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1704"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "openshift-service-mesh/kiali-rhel7-operator",
              "vendor": "Red Hat",
              "versions": [
                {
                  "status": "affected",
                  "version": "All maistra versions before 1.0.8"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An insecure modification vulnerability in the /etc/passwd file was found in all versions of OpenShift ServiceMesh (maistra) before 1.0.8 in the openshift/istio-kialia-rhel7-operator-container. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-266",
                  "description": "CWE-266",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-02-17T16:38:06.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1704"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2020-1704",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "openshift-service-mesh/kiali-rhel7-operator",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "All maistra versions before 1.0.8"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Red Hat"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An insecure modification vulnerability in the /etc/passwd file was found in all versions of OpenShift ServiceMesh (maistra) before 1.0.8 in the openshift/istio-kialia-rhel7-operator-container. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges."
                }
              ]
            },
            "impact": {
              "cvss": [
                [
                  {
                    "vectorString": "7/CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
                    "version": "3.0"
                  }
                ]
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-266"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1704",
                  "refsource": "CONFIRM",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1704"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2020-1704",
        "datePublished": "2020-02-17T16:38:06.000Z",
        "dateReserved": "2019-11-27T00:00:00.000Z",
        "dateUpdated": "2024-08-04T06:46:30.534Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-8595 (GCVE-0-2020-8595)

    Vulnerability from cvelistv5 – Published: 2020-02-12 14:10 – Updated: 2024-08-04 10:03
    VLAI
    Summary
    Istio versions 1.2.10 (End of Life) and prior, 1.3 through 1.3.7, and 1.4 through 1.4.3 allows authentication bypass. The Authentication Policy exact-path matching logic can allow unauthorized access to HTTP paths even if they are configured to be only accessed after presenting a valid JWT token. For example, an attacker can add a ? or # character to a URI that would otherwise satisfy an exact-path match.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T10:03:45.884Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/istio/istio/commits/master"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://istio.io/news/security/"
              },
              {
                "name": "RHSA-2020:0477",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2020:0477"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/security/cve/cve-2020-8595"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://istio.io/news/security/istio-security-2020-001/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-8595"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Istio versions 1.2.10 (End of Life) and prior, 1.3 through 1.3.7, and 1.4 through 1.4.3 allows authentication bypass. The Authentication Policy exact-path matching logic can allow unauthorized access to HTTP paths even if they are configured to be only accessed after presenting a valid JWT token. For example, an attacker can add a ? or # character to a URI that would otherwise satisfy an exact-path match."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-02-20T15:54:35.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/istio/istio/commits/master"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://istio.io/news/security/"
            },
            {
              "name": "RHSA-2020:0477",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2020:0477"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://access.redhat.com/security/cve/cve-2020-8595"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://istio.io/news/security/istio-security-2020-001/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-8595"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2020-8595",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Istio versions 1.2.10 (End of Life) and prior, 1.3 through 1.3.7, and 1.4 through 1.4.3 allows authentication bypass. The Authentication Policy exact-path matching logic can allow unauthorized access to HTTP paths even if they are configured to be only accessed after presenting a valid JWT token. For example, an attacker can add a ? or # character to a URI that would otherwise satisfy an exact-path match."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/istio/istio/commits/master",
                  "refsource": "MISC",
                  "url": "https://github.com/istio/istio/commits/master"
                },
                {
                  "name": "https://istio.io/news/security/",
                  "refsource": "MISC",
                  "url": "https://istio.io/news/security/"
                },
                {
                  "name": "RHSA-2020:0477",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2020:0477"
                },
                {
                  "name": "https://access.redhat.com/security/cve/cve-2020-8595",
                  "refsource": "CONFIRM",
                  "url": "https://access.redhat.com/security/cve/cve-2020-8595"
                },
                {
                  "name": "https://istio.io/news/security/istio-security-2020-001/",
                  "refsource": "CONFIRM",
                  "url": "https://istio.io/news/security/istio-security-2020-001/"
                },
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-8595",
                  "refsource": "MISC",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-8595"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2020-8595",
        "datePublished": "2020-02-12T14:10:15.000Z",
        "dateReserved": "2020-02-03T00:00:00.000Z",
        "dateUpdated": "2024-08-04T10:03:45.884Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }