Search

Find a vulnerability

Search criteria

    44 vulnerabilities found for vs960hd_firmware by synology

    CVE-2021-26567 (GCVE-0-2021-26567)

    Vulnerability from nvd – Published: 2021-02-26 21:45 – Updated: 2024-09-16 19:56
    VLAI
    Summary
    Stack-based buffer overflow vulnerability in frontend/main.c in faad2 before 2.2.7.1 allow local attackers to execute arbitrary code via filename and pathname options.
    Severity
    No CVSS data available.
    CWE
    • CWE-121 - Stack-based Buffer Overflow
    Assigner
    References
    Impacted products
    Vendor Product Version
    github/knik0 faad2 Affected: unspecified , < 2.2.7.1 (custom)
    Create a notification for this product.
    Date Public
    2021-02-26 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:26:25.524Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/knik0/faad2/commit/720f7004d6c4aabee19aad16e7c456ed76a3ebfa"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "faad2",
              "vendor": "github/knik0",
              "versions": [
                {
                  "lessThan": "2.2.7.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-02-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Stack-based buffer overflow vulnerability in frontend/main.c in faad2 before 2.2.7.1 allow local attackers to execute arbitrary code via filename and pathname options."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-121",
                  "description": "CWE-121: Stack-based Buffer Overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-03-12T13:40:10.000Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/knik0/faad2/commit/720f7004d6c4aabee19aad16e7c456ed76a3ebfa"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@synology.com",
              "DATE_PUBLIC": "2021-02-26T00:00:00",
              "ID": "CVE-2021-26567",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "faad2",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_value": "2.2.7.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "github/knik0"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Stack-based buffer overflow vulnerability in frontend/main.c in faad2 before 2.2.7.1 allow local attackers to execute arbitrary code via filename and pathname options."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-121: Stack-based Buffer Overflow"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_20_26",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
                },
                {
                  "name": "https://github.com/knik0/faad2/commit/720f7004d6c4aabee19aad16e7c456ed76a3ebfa",
                  "refsource": "MISC",
                  "url": "https://github.com/knik0/faad2/commit/720f7004d6c4aabee19aad16e7c456ed76a3ebfa"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2021-26567",
        "datePublished": "2021-02-26T21:45:35.788Z",
        "dateReserved": "2021-02-02T00:00:00.000Z",
        "dateUpdated": "2024-09-16T19:56:15.211Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-26566 (GCVE-0-2021-26566)

    Vulnerability from nvd – Published: 2021-02-26 21:45 – Updated: 2024-09-17 03:23
    VLAI
    Summary
    Insertion of sensitive information into sent data vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary commands via inbound QuickConnect traffic.
    CWE
    • CWE-201 - Insertion of Sensitive Information Into Sent Data
    Assigner
    References
    Impacted products
    Vendor Product Version
    Synology Synology DiskStation Manager (DSM) Affected: unspecified , < 6.2.3-25426-3 (custom)
    Create a notification for this product.
    Date Public
    2021-02-26 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:26:25.445Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Synology DiskStation Manager (DSM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "6.2.3-25426-3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-02-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Insertion of sensitive information into sent data vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary commands via inbound QuickConnect traffic."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-201",
                  "description": "CWE-201: Insertion of Sensitive Information Into Sent Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-04-19T19:06:25.000Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@synology.com",
              "DATE_PUBLIC": "2021-02-26T00:00:00",
              "ID": "CVE-2021-26566",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Synology DiskStation Manager (DSM)",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_value": "6.2.3-25426-3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Synology"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Insertion of sensitive information into sent data vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary commands via inbound QuickConnect traffic."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "8.3",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-201: Insertion of Sensitive Information Into Sent Data"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_20_26",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
                },
                {
                  "name": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160",
                  "refsource": "MISC",
                  "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2021-26566",
        "datePublished": "2021-02-26T21:45:35.118Z",
        "dateReserved": "2021-02-02T00:00:00.000Z",
        "dateUpdated": "2024-09-17T03:23:15.693Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-26565 (GCVE-0-2021-26565)

    Vulnerability from nvd – Published: 2021-02-26 21:45 – Updated: 2024-09-17 01:27
    VLAI
    Summary
    Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to obtain sensitive information via an HTTP session.
    CWE
    • CWE-319 - Cleartext Transmission of Sensitive Information
    Assigner
    References
    Impacted products
    Vendor Product Version
    Synology Synology DiskStation Manager (DSM) Affected: unspecified , < 6.2.3-25426-3 (custom)
    Create a notification for this product.
    Date Public
    2021-02-26 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:26:25.468Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Synology DiskStation Manager (DSM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "6.2.3-25426-3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-02-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to obtain sensitive information via an HTTP session."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-319",
                  "description": "CWE-319: Cleartext Transmission of Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-04-19T19:06:24.000Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@synology.com",
              "DATE_PUBLIC": "2021-02-26T00:00:00",
              "ID": "CVE-2021-26565",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Synology DiskStation Manager (DSM)",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_value": "6.2.3-25426-3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Synology"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to obtain sensitive information via an HTTP session."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "8.3",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-319: Cleartext Transmission of Sensitive Information"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_20_26",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
                },
                {
                  "name": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160",
                  "refsource": "MISC",
                  "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2021-26565",
        "datePublished": "2021-02-26T21:45:34.345Z",
        "dateReserved": "2021-02-02T00:00:00.000Z",
        "dateUpdated": "2024-09-17T01:27:07.136Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-26564 (GCVE-0-2021-26564)

    Vulnerability from nvd – Published: 2021-02-26 21:45 – Updated: 2024-09-17 00:46
    VLAI
    Summary
    Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session.
    CWE
    • CWE-319 - Cleartext Transmission of Sensitive Information
    Assigner
    References
    Impacted products
    Vendor Product Version
    Synology Synology DiskStation Manager (DSM) Affected: unspecified , < 6.2.3-25426-3 (custom)
    Create a notification for this product.
    Date Public
    2021-02-26 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:26:25.479Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Synology DiskStation Manager (DSM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "6.2.3-25426-3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-02-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-319",
                  "description": "CWE-319: Cleartext Transmission of Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-05-12T12:50:50.000Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@synology.com",
              "DATE_PUBLIC": "2021-02-26T00:00:00",
              "ID": "CVE-2021-26564",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Synology DiskStation Manager (DSM)",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_value": "6.2.3-25426-3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Synology"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "8.3",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-319: Cleartext Transmission of Sensitive Information"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_20_26",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
                },
                {
                  "name": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160",
                  "refsource": "MISC",
                  "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2021-26564",
        "datePublished": "2021-02-26T21:45:33.663Z",
        "dateReserved": "2021-02-02T00:00:00.000Z",
        "dateUpdated": "2024-09-17T00:46:03.051Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-26563 (GCVE-0-2021-26563)

    Vulnerability from nvd – Published: 2021-02-26 21:45 – Updated: 2024-09-16 16:23
    VLAI
    Summary
    Incorrect authorization vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows local users to execute arbitrary code via unspecified vectors.
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Synology DiskStation Manager (DSM) Affected: unspecified , < 6.2.4-25553 (custom)
    Create a notification for this product.
    Date Public
    2021-06-17 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:26:25.477Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1158"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_21_03"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "DiskStation Manager (DSM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "6.2.4-25553",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-06-17T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Incorrect authorization vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows local users to execute arbitrary code via unspecified vectors."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-06-18T10:18:29.000Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1158"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_21_03"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@synology.com",
              "DATE_PUBLIC": "2021-06-17T07:07:06.548759",
              "ID": "CVE-2021-26563",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "DiskStation Manager (DSM)",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_value": "6.2.4-25553"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Synology"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Incorrect authorization vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows local users to execute arbitrary code via unspecified vectors."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "8.2",
                "vectorString": "AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-863: Incorrect Authorization"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1158",
                  "refsource": "MISC",
                  "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1158"
                },
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_21_03",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_21_03"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2021-26563",
        "datePublished": "2021-02-26T21:45:33.039Z",
        "dateReserved": "2021-02-02T00:00:00.000Z",
        "dateUpdated": "2024-09-16T16:23:45.140Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-26562 (GCVE-0-2021-26562)

    Vulnerability from nvd – Published: 2021-02-26 21:45 – Updated: 2024-09-17 04:08
    VLAI
    Summary
    Out-of-bounds write vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Synology Synology DiskStation Manager (DSM) Affected: unspecified , < 6.2.3-25426-3 (custom)
    Create a notification for this product.
    Date Public
    2021-02-26 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:26:25.470Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1159"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Synology DiskStation Manager (DSM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "6.2.3-25426-3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-02-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Out-of-bounds write vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-787",
                  "description": "CWE-787: Out-of-bounds Write",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-04-19T18:06:15.000Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1159"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@synology.com",
              "DATE_PUBLIC": "2021-02-26T00:00:00",
              "ID": "CVE-2021-26562",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Synology DiskStation Manager (DSM)",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_value": "6.2.3-25426-3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Synology"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Out-of-bounds write vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "9.0",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-787: Out-of-bounds Write"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_20_26",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
                },
                {
                  "name": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1159",
                  "refsource": "MISC",
                  "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1159"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2021-26562",
        "datePublished": "2021-02-26T21:45:31.818Z",
        "dateReserved": "2021-02-02T00:00:00.000Z",
        "dateUpdated": "2024-09-17T04:08:58.655Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-26561 (GCVE-0-2021-26561)

    Vulnerability from nvd – Published: 2021-02-26 21:45 – Updated: 2024-09-16 23:06
    VLAI
    Summary
    Stack-based buffer overflow vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header.
    CWE
    • CWE-121 - Stack-based Buffer Overflow
    Assigner
    References
    Impacted products
    Vendor Product Version
    Synology Synology DiskStation Manager (DSM) Affected: unspecified , < 6.2.3-25426-3 (custom)
    Create a notification for this product.
    Date Public
    2021-02-26 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:26:25.449Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1159"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Synology DiskStation Manager (DSM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "6.2.3-25426-3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-02-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Stack-based buffer overflow vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-121",
                  "description": "CWE-121: Stack-based Buffer Overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-04-19T18:06:13.000Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1159"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@synology.com",
              "DATE_PUBLIC": "2021-02-26T00:00:00",
              "ID": "CVE-2021-26561",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Synology DiskStation Manager (DSM)",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_value": "6.2.3-25426-3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Synology"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Stack-based buffer overflow vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "9.0",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-121: Stack-based Buffer Overflow"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_20_26",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
                },
                {
                  "name": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1159",
                  "refsource": "MISC",
                  "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1159"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2021-26561",
        "datePublished": "2021-02-26T21:45:31.206Z",
        "dateReserved": "2021-02-02T00:00:00.000Z",
        "dateUpdated": "2024-09-16T23:06:05.777Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-26560 (GCVE-0-2021-26560)

    Vulnerability from nvd – Published: 2021-02-26 21:45 – Updated: 2024-09-17 01:30
    VLAI
    Summary
    Cleartext transmission of sensitive information vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session.
    CWE
    • CWE-319 - Cleartext Transmission of Sensitive Information
    Assigner
    References
    Impacted products
    Vendor Product Version
    Synology Synology DiskStation Manager (DSM) Affected: unspecified , < 6.2.3-25426-3 (custom)
    Create a notification for this product.
    Date Public
    2021-02-26 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:26:25.473Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1159"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Synology DiskStation Manager (DSM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "6.2.3-25426-3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-02-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Cleartext transmission of sensitive information vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-319",
                  "description": "CWE-319: Cleartext Transmission of Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-05-12T12:50:50.000Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1159"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@synology.com",
              "DATE_PUBLIC": "2021-02-26T00:00:00",
              "ID": "CVE-2021-26560",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Synology DiskStation Manager (DSM)",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_value": "6.2.3-25426-3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Synology"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cleartext transmission of sensitive information vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "9.0",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-319: Cleartext Transmission of Sensitive Information"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_20_26",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
                },
                {
                  "name": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1159",
                  "refsource": "MISC",
                  "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1159"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2021-26560",
        "datePublished": "2021-02-26T21:45:30.498Z",
        "dateReserved": "2021-02-02T00:00:00.000Z",
        "dateUpdated": "2024-09-17T01:30:56.188Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-3156 (GCVE-0-2021-3156)

    Vulnerability from nvd – Published: 2021-01-26 00:00 – Updated: 2025-10-21 23:35
    VLAI CISA KEVIntel
    Summary
    Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.
    SSVC
    Exploitation: active Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://lists.debian.org/debian-lts-announce/2021… mailing-list
    http://seclists.org/fulldisclosure/2021/Jan/79 mailing-list
    http://www.openwall.com/lists/oss-security/2021/01/26/3 mailing-list
    https://security.gentoo.org/glsa/202101-33 vendor-advisory
    https://www.debian.org/security/2021/dsa-4839 vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    http://www.openwall.com/lists/oss-security/2021/01/27/1 mailing-list
    http://www.openwall.com/lists/oss-security/2021/01/27/2 mailing-list
    https://tools.cisco.com/security/center/content/C… vendor-advisory
    https://www.kb.cert.org/vuls/id/794544 third-party-advisory
    http://seclists.org/fulldisclosure/2021/Feb/42 mailing-list
    http://www.openwall.com/lists/oss-security/2021/02/15/1 mailing-list
    https://www.oracle.com//security-alerts/cpujul2021.html
    https://www.sudo.ws/stable.html#1.9.5p2
    https://www.openwall.com/lists/oss-security/2021/…
    http://packetstormsecurity.com/files/161160/Sudo-…
    https://security.netapp.com/advisory/ntap-2021012…
    https://security.netapp.com/advisory/ntap-2021012…
    http://packetstormsecurity.com/files/161230/Sudo-…
    http://packetstormsecurity.com/files/161270/Sudo-…
    http://packetstormsecurity.com/files/161293/Sudo-…
    https://support.apple.com/kb/HT212177
    https://kc.mcafee.com/corporate/index?page=conten…
    https://www.beyondtrust.com/blog/entry/security-a…
    https://www.synology.com/security/advisory/Synolo…
    http://www.openwall.com/lists/oss-security/2021/09/14/2 mailing-list
    https://www.oracle.com/security-alerts/cpuoct2021.html
    https://www.oracle.com/security-alerts/cpuapr2022.html
    http://www.openwall.com/lists/oss-security/2024/01/30/8 mailing-list
    http://www.openwall.com/lists/oss-security/2024/01/30/6 mailing-list
    http://packetstormsecurity.com/files/176932/glibc…
    http://seclists.org/fulldisclosure/2024/Feb/3 mailing-list
    https://www.vicarius.io/vsociety/posts/sudoedit-p…
    https://www.cisa.gov/known-exploited-vulnerabilit… government-resource
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T16:45:51.408Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "[debian-lts-announce] 20210126 [SECURITY] [DLA 2534-1] sudo security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00022.html"
              },
              {
                "name": "20210126 Baron Samedit: Heap-based buffer overflow in Sudo (CVE-2021-3156)",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://seclists.org/fulldisclosure/2021/Jan/79"
              },
              {
                "name": "[oss-security] 20210126 Baron Samedit: Heap-based buffer overflow in Sudo (CVE-2021-3156)",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2021/01/26/3"
              },
              {
                "name": "GLSA-202101-33",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202101-33"
              },
              {
                "name": "DSA-4839",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2021/dsa-4839"
              },
              {
                "name": "FEDORA-2021-2cb63d912a",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LHXK6ICO5AYLGFK2TAX5MZKUXTUKWOJY/"
              },
              {
                "name": "FEDORA-2021-8840cbdccd",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CALA5FTXIQBRRYUA2ZQNJXB6OQMAXEII/"
              },
              {
                "name": "[oss-security] 20210127 Re: Baron Samedit: Heap-based buffer overflow in Sudo (CVE-2021-3156)",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2021/01/27/1"
              },
              {
                "name": "[oss-security] 20210127 Re: Baron Samedit: Heap-based buffer overflow in Sudo (CVE-2021-3156)",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2021/01/27/2"
              },
              {
                "name": "20210129 Sudo Privilege Escalation Vulnerability Affecting Cisco Products: January 2021",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sudo-privesc-jan2021-qnYQfcM"
              },
              {
                "name": "VU#794544",
                "tags": [
                  "third-party-advisory",
                  "x_transferred"
                ],
                "url": "https://www.kb.cert.org/vuls/id/794544"
              },
              {
                "name": "20210211 APPLE-SA-2021-02-09-1 macOS Big Sur 11.2.1, macOS Catalina 10.15.7 Supplemental Update, and macOS Mojave 10.14.6 Security Update 2021-002",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://seclists.org/fulldisclosure/2021/Feb/42"
              },
              {
                "name": "[oss-security] 20210215 Re: sudo: Ineffective NO_ROOT_MAILER and Baron Samedit",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2021/02/15/1"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.sudo.ws/stable.html#1.9.5p2"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.openwall.com/lists/oss-security/2021/01/26/3"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/161160/Sudo-Heap-Based-Buffer-Overflow.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20210128-0002/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20210128-0001/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/161230/Sudo-Buffer-Overflow-Privilege-Escalation.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/161270/Sudo-1.9.5p1-Buffer-Overflow-Privilege-Escalation.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/161293/Sudo-1.8.31p2-1.9.5p1-Buffer-Overflow.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://support.apple.com/kb/HT212177"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10348"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.beyondtrust.com/blog/entry/security-advisory-privilege-management-for-unix-linux-pmul-basic-and-privilege-management-for-mac-pmm-affected-by-sudo-vulnerability"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_21_02"
              },
              {
                "name": "[oss-security] 20210914 Re: Oracle Solaris membership in the distros list",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2021/09/14/2"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
              },
              {
                "name": "[oss-security] 20240130 Re: CVE-2023-6246: Heap-based buffer overflow in the glibc\u0027s syslog()",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2024/01/30/8"
              },
              {
                "name": "[oss-security] 20240130 CVE-2023-6246: Heap-based buffer overflow in the glibc\u0027s syslog()",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2024/01/30/6"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Overflow.html"
              },
              {
                "name": "20240204 CVE-2023-6246: Heap-based buffer overflow in the glibc\u0027s syslog()",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://seclists.org/fulldisclosure/2024/Feb/3"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "LOCAL",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-3156",
                    "options": [
                      {
                        "Exploitation": "active"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-03T15:43:52.658146Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              },
              {
                "other": {
                  "content": {
                    "dateAdded": "2022-04-06",
                    "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-3156"
                  },
                  "type": "kev"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-193",
                    "description": "CWE-193 Off-by-one Error",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-21T23:35:29.600Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "government-resource"
                ],
                "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-3156"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2022-04-06T00:00:00.000Z",
                "value": "CVE-2021-3156 added to CISA KEV"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via \"sudoedit -s\" and a command-line argument that ends with a single backslash character."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-18T16:41:27.031Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "name": "[debian-lts-announce] 20210126 [SECURITY] [DLA 2534-1] sudo security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00022.html"
            },
            {
              "name": "20210126 Baron Samedit: Heap-based buffer overflow in Sudo (CVE-2021-3156)",
              "tags": [
                "mailing-list"
              ],
              "url": "http://seclists.org/fulldisclosure/2021/Jan/79"
            },
            {
              "name": "[oss-security] 20210126 Baron Samedit: Heap-based buffer overflow in Sudo (CVE-2021-3156)",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2021/01/26/3"
            },
            {
              "name": "GLSA-202101-33",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202101-33"
            },
            {
              "name": "DSA-4839",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.debian.org/security/2021/dsa-4839"
            },
            {
              "name": "FEDORA-2021-2cb63d912a",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LHXK6ICO5AYLGFK2TAX5MZKUXTUKWOJY/"
            },
            {
              "name": "FEDORA-2021-8840cbdccd",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CALA5FTXIQBRRYUA2ZQNJXB6OQMAXEII/"
            },
            {
              "name": "[oss-security] 20210127 Re: Baron Samedit: Heap-based buffer overflow in Sudo (CVE-2021-3156)",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2021/01/27/1"
            },
            {
              "name": "[oss-security] 20210127 Re: Baron Samedit: Heap-based buffer overflow in Sudo (CVE-2021-3156)",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2021/01/27/2"
            },
            {
              "name": "20210129 Sudo Privilege Escalation Vulnerability Affecting Cisco Products: January 2021",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sudo-privesc-jan2021-qnYQfcM"
            },
            {
              "name": "VU#794544",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.kb.cert.org/vuls/id/794544"
            },
            {
              "name": "20210211 APPLE-SA-2021-02-09-1 macOS Big Sur 11.2.1, macOS Catalina 10.15.7 Supplemental Update, and macOS Mojave 10.14.6 Security Update 2021-002",
              "tags": [
                "mailing-list"
              ],
              "url": "http://seclists.org/fulldisclosure/2021/Feb/42"
            },
            {
              "name": "[oss-security] 20210215 Re: sudo: Ineffective NO_ROOT_MAILER and Baron Samedit",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2021/02/15/1"
            },
            {
              "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
            },
            {
              "url": "https://www.sudo.ws/stable.html#1.9.5p2"
            },
            {
              "url": "https://www.openwall.com/lists/oss-security/2021/01/26/3"
            },
            {
              "url": "http://packetstormsecurity.com/files/161160/Sudo-Heap-Based-Buffer-Overflow.html"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20210128-0002/"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20210128-0001/"
            },
            {
              "url": "http://packetstormsecurity.com/files/161230/Sudo-Buffer-Overflow-Privilege-Escalation.html"
            },
            {
              "url": "http://packetstormsecurity.com/files/161270/Sudo-1.9.5p1-Buffer-Overflow-Privilege-Escalation.html"
            },
            {
              "url": "http://packetstormsecurity.com/files/161293/Sudo-1.8.31p2-1.9.5p1-Buffer-Overflow.html"
            },
            {
              "url": "https://support.apple.com/kb/HT212177"
            },
            {
              "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10348"
            },
            {
              "url": "https://www.beyondtrust.com/blog/entry/security-advisory-privilege-management-for-unix-linux-pmul-basic-and-privilege-management-for-mac-pmm-affected-by-sudo-vulnerability"
            },
            {
              "url": "https://www.synology.com/security/advisory/Synology_SA_21_02"
            },
            {
              "name": "[oss-security] 20210914 Re: Oracle Solaris membership in the distros list",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2021/09/14/2"
            },
            {
              "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
            },
            {
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "name": "[oss-security] 20240130 Re: CVE-2023-6246: Heap-based buffer overflow in the glibc\u0027s syslog()",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2024/01/30/8"
            },
            {
              "name": "[oss-security] 20240130 CVE-2023-6246: Heap-based buffer overflow in the glibc\u0027s syslog()",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2024/01/30/6"
            },
            {
              "url": "http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Overflow.html"
            },
            {
              "name": "20240204 CVE-2023-6246: Heap-based buffer overflow in the glibc\u0027s syslog()",
              "tags": [
                "mailing-list"
              ],
              "url": "http://seclists.org/fulldisclosure/2024/Feb/3"
            },
            {
              "url": "https://www.vicarius.io/vsociety/posts/sudoedit-pwned-cve-2021-3156"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2021-3156",
        "datePublished": "2021-01-26T00:00:00.000Z",
        "dateReserved": "2021-01-15T00:00:00.000Z",
        "dateUpdated": "2025-10-21T23:35:29.600Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-9518 (GCVE-0-2019-9518)

    Vulnerability from nvd – Published: 2019-08-13 20:50 – Updated: 2024-08-04 21:54
    VLAI
    Title
    Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service
    Summary
    Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU.
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    URL Tags
    https://kb.cert.org/vuls/id/605641/ third-party-advisoryx_refsource_CERT-VN
    https://github.com/Netflix/security-bulletins/blo… x_refsource_MISC
    https://seclists.org/bugtraq/2019/Aug/24 mailing-listx_refsource_BUGTRAQ
    http://seclists.org/fulldisclosure/2019/Aug/16 mailing-listx_refsource_FULLDISC
    https://www.synology.com/security/advisory/Synolo… x_refsource_CONFIRM
    https://support.f5.com/csp/article/K46011592 x_refsource_CONFIRM
    https://lists.apache.org/thread.html/2653c5654557… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/091b518265bc… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/ff5b0821a698… mailing-listx_refsource_MLIST
    https://security.netapp.com/advisory/ntap-2019082… x_refsource_CONFIRM
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://www.debian.org/security/2019/dsa-4520 vendor-advisoryx_refsource_DEBIAN
    https://seclists.org/bugtraq/2019/Sep/18 mailing-listx_refsource_BUGTRAQ
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    https://kc.mcafee.com/corporate/index?page=conten… x_refsource_CONFIRM
    https://access.redhat.com/errata/RHSA-2019:2925 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2939 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2955 vendor-advisoryx_refsource_REDHAT
    https://support.f5.com/csp/article/K46011592?utm_… x_refsource_CONFIRM
    https://access.redhat.com/errata/RHSA-2019:3892 vendor-advisoryx_refsource_REDHAT
    https://lists.apache.org/thread.html/9317fd092b25… mailing-listx_refsource_MLIST
    https://access.redhat.com/errata/RHSA-2019:4352 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2020:0727 vendor-advisoryx_refsource_REDHAT
    https://lists.apache.org/thread.html/r99a625fb170… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/rd31230d01fa… mailing-listx_refsource_MLIST
    Credits
    Thanks to Piotr Sikora of Google for reporting this vulnerability.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T21:54:44.510Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "VU#605641",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_CERT-VN",
                  "x_transferred"
                ],
                "url": "https://kb.cert.org/vuls/id/605641/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
              },
              {
                "name": "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
                "tags": [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
                  "x_transferred"
                ],
                "url": "https://seclists.org/bugtraq/2019/Aug/24"
              },
              {
                "name": "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
                "tags": [
                  "mailing-list",
                  "x_refsource_FULLDISC",
                  "x_transferred"
                ],
                "url": "http://seclists.org/fulldisclosure/2019/Aug/16"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.f5.com/csp/article/K46011592"
              },
              {
                "name": "[trafficserver-announce] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/2653c56545573b528f3f6352a29eccaf498bd6fb2a6a59568d81a61d%40%3Cannounce.trafficserver.apache.org%3E"
              },
              {
                "name": "[trafficserver-users] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/091b518265bce56a16af87b77c8cfacda902a02079e866f9fdf13b61%40%3Cusers.trafficserver.apache.org%3E"
              },
              {
                "name": "[trafficserver-dev] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/ff5b0821a6985159a832ff6d1a4bd311ac07ecc7db1e2d8bab619107%40%3Cdev.trafficserver.apache.org%3E"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
              },
              {
                "name": "FEDORA-2019-5a6a7bc12c",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
              },
              {
                "name": "FEDORA-2019-6a2980de56",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
              },
              {
                "name": "DSA-4520",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2019/dsa-4520"
              },
              {
                "name": "20190910 [SECURITY] [DSA 4520-1] trafficserver security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
                  "x_transferred"
                ],
                "url": "https://seclists.org/bugtraq/2019/Sep/18"
              },
              {
                "name": "openSUSE-SU-2019:2114",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
              },
              {
                "name": "openSUSE-SU-2019:2115",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
              },
              {
                "name": "RHSA-2019:2925",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2925"
              },
              {
                "name": "RHSA-2019:2939",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2939"
              },
              {
                "name": "RHSA-2019:2955",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2955"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.f5.com/csp/article/K46011592?utm_source=f5support\u0026amp%3Butm_medium=RSS"
              },
              {
                "name": "RHSA-2019:3892",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3892"
              },
              {
                "name": "[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E"
              },
              {
                "name": "RHSA-2019:4352",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4352"
              },
              {
                "name": "RHSA-2020:0727",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2020:0727"
              },
              {
                "name": "[cassandra-commits] 20210526 [jira] [Created] (CASSANDRA-16698) Security vulnerability CVE-2019-9518 for Netty",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r99a625fb17032646d96cd23dec49603ff630e9318e44a686d63046bc%40%3Ccommits.cassandra.apache.org%3E"
              },
              {
                "name": "[cassandra-commits] 20210526 [jira] [Updated] (CASSANDRA-16698) Security vulnerability CVE-2019-9518 for Netty",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rd31230d01fa6aad18bdadc0720acd1747e53690bd35f73a48e7a9b75%40%3Ccommits.cassandra.apache.org%3E"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Thanks to Piotr Sikora of Google for reporting this vulnerability."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-05-26T16:06:12.000Z",
            "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
            "shortName": "certcc"
          },
          "references": [
            {
              "name": "VU#605641",
              "tags": [
                "third-party-advisory",
                "x_refsource_CERT-VN"
              ],
              "url": "https://kb.cert.org/vuls/id/605641/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
            },
            {
              "name": "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
              "tags": [
                "mailing-list",
                "x_refsource_BUGTRAQ"
              ],
              "url": "https://seclists.org/bugtraq/2019/Aug/24"
            },
            {
              "name": "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
              "tags": [
                "mailing-list",
                "x_refsource_FULLDISC"
              ],
              "url": "http://seclists.org/fulldisclosure/2019/Aug/16"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.f5.com/csp/article/K46011592"
            },
            {
              "name": "[trafficserver-announce] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/2653c56545573b528f3f6352a29eccaf498bd6fb2a6a59568d81a61d%40%3Cannounce.trafficserver.apache.org%3E"
            },
            {
              "name": "[trafficserver-users] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/091b518265bce56a16af87b77c8cfacda902a02079e866f9fdf13b61%40%3Cusers.trafficserver.apache.org%3E"
            },
            {
              "name": "[trafficserver-dev] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/ff5b0821a6985159a832ff6d1a4bd311ac07ecc7db1e2d8bab619107%40%3Cdev.trafficserver.apache.org%3E"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
            },
            {
              "name": "FEDORA-2019-5a6a7bc12c",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
            },
            {
              "name": "FEDORA-2019-6a2980de56",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
            },
            {
              "name": "DSA-4520",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2019/dsa-4520"
            },
            {
              "name": "20190910 [SECURITY] [DSA 4520-1] trafficserver security update",
              "tags": [
                "mailing-list",
                "x_refsource_BUGTRAQ"
              ],
              "url": "https://seclists.org/bugtraq/2019/Sep/18"
            },
            {
              "name": "openSUSE-SU-2019:2114",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
            },
            {
              "name": "openSUSE-SU-2019:2115",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
            },
            {
              "name": "RHSA-2019:2925",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2925"
            },
            {
              "name": "RHSA-2019:2939",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2939"
            },
            {
              "name": "RHSA-2019:2955",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2955"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.f5.com/csp/article/K46011592?utm_source=f5support\u0026amp%3Butm_medium=RSS"
            },
            {
              "name": "RHSA-2019:3892",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3892"
            },
            {
              "name": "[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E"
            },
            {
              "name": "RHSA-2019:4352",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4352"
            },
            {
              "name": "RHSA-2020:0727",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2020:0727"
            },
            {
              "name": "[cassandra-commits] 20210526 [jira] [Created] (CASSANDRA-16698) Security vulnerability CVE-2019-9518 for Netty",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r99a625fb17032646d96cd23dec49603ff630e9318e44a686d63046bc%40%3Ccommits.cassandra.apache.org%3E"
            },
            {
              "name": "[cassandra-commits] 20210526 [jira] [Updated] (CASSANDRA-16698) Security vulnerability CVE-2019-9518 for Netty",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rd31230d01fa6aad18bdadc0720acd1747e53690bd35f73a48e7a9b75%40%3Ccommits.cassandra.apache.org%3E"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service",
          "x_generator": {
            "engine": "Vulnogram 0.0.7"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "AKA": "HTTP/2 Empty Frame Flooding",
              "ASSIGNER": "cert@cert.org",
              "ID": "CVE-2019-9518",
              "STATE": "PUBLIC",
              "TITLE": "Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Thanks to Piotr Sikora of Google for reporting this vulnerability."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.7"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-400 Uncontrolled Resource Consumption"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "VU#605641",
                  "refsource": "CERT-VN",
                  "url": "https://kb.cert.org/vuls/id/605641/"
                },
                {
                  "name": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md",
                  "refsource": "MISC",
                  "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
                },
                {
                  "name": "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
                  "refsource": "BUGTRAQ",
                  "url": "https://seclists.org/bugtraq/2019/Aug/24"
                },
                {
                  "name": "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
                  "refsource": "FULLDISC",
                  "url": "http://seclists.org/fulldisclosure/2019/Aug/16"
                },
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_19_33",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
                },
                {
                  "name": "https://support.f5.com/csp/article/K46011592",
                  "refsource": "CONFIRM",
                  "url": "https://support.f5.com/csp/article/K46011592"
                },
                {
                  "name": "[trafficserver-announce] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/2653c56545573b528f3f6352a29eccaf498bd6fb2a6a59568d81a61d@%3Cannounce.trafficserver.apache.org%3E"
                },
                {
                  "name": "[trafficserver-users] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/091b518265bce56a16af87b77c8cfacda902a02079e866f9fdf13b61@%3Cusers.trafficserver.apache.org%3E"
                },
                {
                  "name": "[trafficserver-dev] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/ff5b0821a6985159a832ff6d1a4bd311ac07ecc7db1e2d8bab619107@%3Cdev.trafficserver.apache.org%3E"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20190823-0005/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
                },
                {
                  "name": "FEDORA-2019-5a6a7bc12c",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
                },
                {
                  "name": "FEDORA-2019-6a2980de56",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
                },
                {
                  "name": "DSA-4520",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2019/dsa-4520"
                },
                {
                  "name": "20190910 [SECURITY] [DSA 4520-1] trafficserver security update",
                  "refsource": "BUGTRAQ",
                  "url": "https://seclists.org/bugtraq/2019/Sep/18"
                },
                {
                  "name": "openSUSE-SU-2019:2114",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
                },
                {
                  "name": "openSUSE-SU-2019:2115",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
                },
                {
                  "name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296",
                  "refsource": "CONFIRM",
                  "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
                },
                {
                  "name": "RHSA-2019:2925",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2925"
                },
                {
                  "name": "RHSA-2019:2939",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2939"
                },
                {
                  "name": "RHSA-2019:2955",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2955"
                },
                {
                  "name": "https://support.f5.com/csp/article/K46011592?utm_source=f5support\u0026amp;utm_medium=RSS",
                  "refsource": "CONFIRM",
                  "url": "https://support.f5.com/csp/article/K46011592?utm_source=f5support\u0026amp;utm_medium=RSS"
                },
                {
                  "name": "RHSA-2019:3892",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3892"
                },
                {
                  "name": "[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E"
                },
                {
                  "name": "RHSA-2019:4352",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:4352"
                },
                {
                  "name": "RHSA-2020:0727",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2020:0727"
                },
                {
                  "name": "[cassandra-commits] 20210526 [jira] [Created] (CASSANDRA-16698) Security vulnerability CVE-2019-9518 for Netty",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r99a625fb17032646d96cd23dec49603ff630e9318e44a686d63046bc@%3Ccommits.cassandra.apache.org%3E"
                },
                {
                  "name": "[cassandra-commits] 20210526 [jira] [Updated] (CASSANDRA-16698) Security vulnerability CVE-2019-9518 for Netty",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rd31230d01fa6aad18bdadc0720acd1747e53690bd35f73a48e7a9b75@%3Ccommits.cassandra.apache.org%3E"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "assignerShortName": "certcc",
        "cveId": "CVE-2019-9518",
        "datePublished": "2019-08-13T20:50:59.000Z",
        "dateReserved": "2019-03-01T00:00:00.000Z",
        "dateUpdated": "2024-08-04T21:54:44.510Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-9517 (GCVE-0-2019-9517)

    Vulnerability from nvd – Published: 2019-08-13 20:50 – Updated: 2024-08-04 21:54
    VLAI
    Title
    Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service
    Summary
    Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both.
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    URL Tags
    https://kb.cert.org/vuls/id/605641/ third-party-advisoryx_refsource_CERT-VN
    https://github.com/Netflix/security-bulletins/blo… x_refsource_MISC
    https://lists.apache.org/thread.html/461076245664… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/56c2e7cc9deb… mailing-listx_refsource_MLIST
    http://www.openwall.com/lists/oss-security/2019/08/15/7 mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/ec97fdfc1a85… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/d89f999e26df… mailing-listx_refsource_MLIST
    https://www.synology.com/security/advisory/Synolo… x_refsource_CONFIRM
    https://support.f5.com/csp/article/K02591030 x_refsource_CONFIRM
    https://security.netapp.com/advisory/ntap-2019082… x_refsource_CONFIRM
    https://security.netapp.com/advisory/ntap-2019082… x_refsource_CONFIRM
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://www.debian.org/security/2019/dsa-4509 vendor-advisoryx_refsource_DEBIAN
    https://seclists.org/bugtraq/2019/Aug/47 mailing-listx_refsource_BUGTRAQ
    https://usn.ubuntu.com/4113-1/ vendor-advisoryx_refsource_UBUNTU
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    https://security.netapp.com/advisory/ntap-2019090… x_refsource_CONFIRM
    https://security.gentoo.org/glsa/201909-04 vendor-advisoryx_refsource_GENTOO
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    https://kc.mcafee.com/corporate/index?page=conten… x_refsource_CONFIRM
    https://access.redhat.com/errata/RHSA-2019:2893 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2925 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2939 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2946 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2950 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2949 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2955 vendor-advisoryx_refsource_REDHAT
    https://support.f5.com/csp/article/K02591030?utm_… x_refsource_CONFIRM
    https://www.oracle.com/technetwork/security-advis… x_refsource_MISC
    https://access.redhat.com/errata/RHSA-2019:3933 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:3935 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:3932 vendor-advisoryx_refsource_REDHAT
    https://lists.apache.org/thread.html/rd18c3c43602… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/re3d27b6250a… mailing-listx_refsource_MLIST
    https://www.oracle.com/security-alerts/cpuapr2020.html x_refsource_MISC
    https://lists.apache.org/thread.html/rf6449464fd8… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r06f0d87ebb6… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/rc998b18880d… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r03ee478b3dd… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/rd2fb621142e… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r9f93cf6dde3… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r3c5c3104813… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r76142b8c511… mailing-listx_refsource_MLIST
    Credits
    Thanks to Jonathan Looney of Netflix for reporting this vulnerability.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T21:54:44.675Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "VU#605641",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_CERT-VN",
                  "x_transferred"
                ],
                "url": "https://kb.cert.org/vuls/id/605641/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
              },
              {
                "name": "[httpd-announce] 20190814 CVE-2019-9517: mod_http2, DoS attack by exhausting h2 workers",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/4610762456644181b267c846423b3a990bd4aaea1886ecc7d51febdb%40%3Cannounce.httpd.apache.org%3E"
              },
              {
                "name": "[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E"
              },
              {
                "name": "[oss-security] 20190814 CVE-2019-9517: mod_http2, DoS attack by exhausting h2 workers",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2019/08/15/7"
              },
              {
                "name": "[httpd-dev] 20190817 CVE-2019-10097 vs. CHANGEs entry",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/ec97fdfc1a859266e56fef084353a34e0a0b08901b3c1aa317a43c8c%40%3Cdev.httpd.apache.org%3E"
              },
              {
                "name": "[httpd-dev] 20190817 Re: CVE-2019-10097 vs. CHANGEs entry",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/d89f999e26dfb1d50f247ead1fe8538014eb412b2dbe5be4b1a9ef50%40%3Cdev.httpd.apache.org%3E"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.f5.com/csp/article/K02591030"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20190823-0003/"
              },
              {
                "name": "FEDORA-2019-5a6a7bc12c",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
              },
              {
                "name": "FEDORA-2019-6a2980de56",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
              },
              {
                "name": "DSA-4509",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2019/dsa-4509"
              },
              {
                "name": "20190826 [SECURITY] [DSA 4509-1] apache2 security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
                  "x_transferred"
                ],
                "url": "https://seclists.org/bugtraq/2019/Aug/47"
              },
              {
                "name": "USN-4113-1",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
                  "x_transferred"
                ],
                "url": "https://usn.ubuntu.com/4113-1/"
              },
              {
                "name": "FEDORA-2019-4427fd65be",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/"
              },
              {
                "name": "FEDORA-2019-63ba15cc83",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/"
              },
              {
                "name": "openSUSE-SU-2019:2051",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00004.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20190905-0003/"
              },
              {
                "name": "GLSA-201909-04",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/201909-04"
              },
              {
                "name": "openSUSE-SU-2019:2114",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
              },
              {
                "name": "openSUSE-SU-2019:2115",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
              },
              {
                "name": "RHSA-2019:2893",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2893"
              },
              {
                "name": "RHSA-2019:2925",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2925"
              },
              {
                "name": "RHSA-2019:2939",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2939"
              },
              {
                "name": "RHSA-2019:2946",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2946"
              },
              {
                "name": "RHSA-2019:2950",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2950"
              },
              {
                "name": "RHSA-2019:2949",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2949"
              },
              {
                "name": "RHSA-2019:2955",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2955"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.f5.com/csp/article/K02591030?utm_source=f5support\u0026amp%3Butm_medium=RSS"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
              },
              {
                "name": "RHSA-2019:3933",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3933"
              },
              {
                "name": "RHSA-2019:3935",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3935"
              },
              {
                "name": "RHSA-2019:3932",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3932"
              },
              {
                "name": "[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E"
              },
              {
                "name": "[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
              },
              {
                "name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E"
              },
              {
                "name": "[httpd-cvs] 20210330 svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd.apache.org%3E"
              },
              {
                "name": "[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E"
              },
              {
                "name": "[httpd-cvs] 20210330 svn commit: r1073139 [12/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r03ee478b3dda3e381fd6189366fa7af97c980d2f602846eef935277d%40%3Ccvs.httpd.apache.org%3E"
              },
              {
                "name": "[httpd-cvs] 20210330 svn commit: r1888194 [12/13] - /httpd/site/trunk/content/security/json/",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rd2fb621142e7fa187cfe12d7137bf66e7234abcbbcd800074c84a538%40%3Ccvs.httpd.apache.org%3E"
              },
              {
                "name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E"
              },
              {
                "name": "[httpd-cvs] 20210330 svn commit: r1073149 [13/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r3c5c3104813c1c5508b55564b66546933079250a46ce50eee90b2e36%40%3Ccvs.httpd.apache.org%3E"
              },
              {
                "name": "[httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Thanks to Jonathan Looney of Netflix for reporting this vulnerability."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-06-06T10:10:48.000Z",
            "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
            "shortName": "certcc"
          },
          "references": [
            {
              "name": "VU#605641",
              "tags": [
                "third-party-advisory",
                "x_refsource_CERT-VN"
              ],
              "url": "https://kb.cert.org/vuls/id/605641/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
            },
            {
              "name": "[httpd-announce] 20190814 CVE-2019-9517: mod_http2, DoS attack by exhausting h2 workers",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/4610762456644181b267c846423b3a990bd4aaea1886ecc7d51febdb%40%3Cannounce.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[oss-security] 20190814 CVE-2019-9517: mod_http2, DoS attack by exhausting h2 workers",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2019/08/15/7"
            },
            {
              "name": "[httpd-dev] 20190817 CVE-2019-10097 vs. CHANGEs entry",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/ec97fdfc1a859266e56fef084353a34e0a0b08901b3c1aa317a43c8c%40%3Cdev.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-dev] 20190817 Re: CVE-2019-10097 vs. CHANGEs entry",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/d89f999e26dfb1d50f247ead1fe8538014eb412b2dbe5be4b1a9ef50%40%3Cdev.httpd.apache.org%3E"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.f5.com/csp/article/K02591030"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20190823-0003/"
            },
            {
              "name": "FEDORA-2019-5a6a7bc12c",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
            },
            {
              "name": "FEDORA-2019-6a2980de56",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
            },
            {
              "name": "DSA-4509",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2019/dsa-4509"
            },
            {
              "name": "20190826 [SECURITY] [DSA 4509-1] apache2 security update",
              "tags": [
                "mailing-list",
                "x_refsource_BUGTRAQ"
              ],
              "url": "https://seclists.org/bugtraq/2019/Aug/47"
            },
            {
              "name": "USN-4113-1",
              "tags": [
                "vendor-advisory",
                "x_refsource_UBUNTU"
              ],
              "url": "https://usn.ubuntu.com/4113-1/"
            },
            {
              "name": "FEDORA-2019-4427fd65be",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/"
            },
            {
              "name": "FEDORA-2019-63ba15cc83",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/"
            },
            {
              "name": "openSUSE-SU-2019:2051",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00004.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20190905-0003/"
            },
            {
              "name": "GLSA-201909-04",
              "tags": [
                "vendor-advisory",
                "x_refsource_GENTOO"
              ],
              "url": "https://security.gentoo.org/glsa/201909-04"
            },
            {
              "name": "openSUSE-SU-2019:2114",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
            },
            {
              "name": "openSUSE-SU-2019:2115",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
            },
            {
              "name": "RHSA-2019:2893",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2893"
            },
            {
              "name": "RHSA-2019:2925",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2925"
            },
            {
              "name": "RHSA-2019:2939",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2939"
            },
            {
              "name": "RHSA-2019:2946",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2946"
            },
            {
              "name": "RHSA-2019:2950",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2950"
            },
            {
              "name": "RHSA-2019:2949",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2949"
            },
            {
              "name": "RHSA-2019:2955",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2955"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.f5.com/csp/article/K02591030?utm_source=f5support\u0026amp%3Butm_medium=RSS"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
            },
            {
              "name": "RHSA-2019:3933",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3933"
            },
            {
              "name": "RHSA-2019:3935",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3935"
            },
            {
              "name": "RHSA-2019:3932",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3932"
            },
            {
              "name": "[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
            },
            {
              "name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20210330 svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20210330 svn commit: r1073139 [12/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r03ee478b3dda3e381fd6189366fa7af97c980d2f602846eef935277d%40%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20210330 svn commit: r1888194 [12/13] - /httpd/site/trunk/content/security/json/",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rd2fb621142e7fa187cfe12d7137bf66e7234abcbbcd800074c84a538%40%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20210330 svn commit: r1073149 [13/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r3c5c3104813c1c5508b55564b66546933079250a46ce50eee90b2e36%40%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service",
          "x_generator": {
            "engine": "Vulnogram 0.0.7"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "AKA": "HTTP/2 Internal Data Buffering",
              "ASSIGNER": "cert@cert.org",
              "ID": "CVE-2019-9517",
              "STATE": "PUBLIC",
              "TITLE": "Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Thanks to Jonathan Looney of Netflix for reporting this vulnerability."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.7"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-400 Uncontrolled Resource Consumption"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "VU#605641",
                  "refsource": "CERT-VN",
                  "url": "https://kb.cert.org/vuls/id/605641/"
                },
                {
                  "name": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md",
                  "refsource": "MISC",
                  "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
                },
                {
                  "name": "[httpd-announce] 20190814 CVE-2019-9517: mod_http2, DoS attack by exhausting h2 workers",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/4610762456644181b267c846423b3a990bd4aaea1886ecc7d51febdb@%3Cannounce.httpd.apache.org%3E"
                },
                {
                  "name": "[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3Ccvs.httpd.apache.org%3E"
                },
                {
                  "name": "[oss-security] 20190814 CVE-2019-9517: mod_http2, DoS attack by exhausting h2 workers",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2019/08/15/7"
                },
                {
                  "name": "[httpd-dev] 20190817 CVE-2019-10097 vs. CHANGEs entry",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/ec97fdfc1a859266e56fef084353a34e0a0b08901b3c1aa317a43c8c@%3Cdev.httpd.apache.org%3E"
                },
                {
                  "name": "[httpd-dev] 20190817 Re: CVE-2019-10097 vs. CHANGEs entry",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/d89f999e26dfb1d50f247ead1fe8538014eb412b2dbe5be4b1a9ef50@%3Cdev.httpd.apache.org%3E"
                },
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_19_33",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
                },
                {
                  "name": "https://support.f5.com/csp/article/K02591030",
                  "refsource": "CONFIRM",
                  "url": "https://support.f5.com/csp/article/K02591030"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20190823-0005/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20190823-0003/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20190823-0003/"
                },
                {
                  "name": "FEDORA-2019-5a6a7bc12c",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
                },
                {
                  "name": "FEDORA-2019-6a2980de56",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
                },
                {
                  "name": "DSA-4509",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2019/dsa-4509"
                },
                {
                  "name": "20190826 [SECURITY] [DSA 4509-1] apache2 security update",
                  "refsource": "BUGTRAQ",
                  "url": "https://seclists.org/bugtraq/2019/Aug/47"
                },
                {
                  "name": "USN-4113-1",
                  "refsource": "UBUNTU",
                  "url": "https://usn.ubuntu.com/4113-1/"
                },
                {
                  "name": "FEDORA-2019-4427fd65be",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/"
                },
                {
                  "name": "FEDORA-2019-63ba15cc83",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/"
                },
                {
                  "name": "openSUSE-SU-2019:2051",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00004.html"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20190905-0003/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20190905-0003/"
                },
                {
                  "name": "GLSA-201909-04",
                  "refsource": "GENTOO",
                  "url": "https://security.gentoo.org/glsa/201909-04"
                },
                {
                  "name": "openSUSE-SU-2019:2114",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
                },
                {
                  "name": "openSUSE-SU-2019:2115",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
                },
                {
                  "name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296",
                  "refsource": "CONFIRM",
                  "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
                },
                {
                  "name": "RHSA-2019:2893",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2893"
                },
                {
                  "name": "RHSA-2019:2925",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2925"
                },
                {
                  "name": "RHSA-2019:2939",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2939"
                },
                {
                  "name": "RHSA-2019:2946",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2946"
                },
                {
                  "name": "RHSA-2019:2950",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2950"
                },
                {
                  "name": "RHSA-2019:2949",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2949"
                },
                {
                  "name": "RHSA-2019:2955",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2955"
                },
                {
                  "name": "https://support.f5.com/csp/article/K02591030?utm_source=f5support\u0026amp;utm_medium=RSS",
                  "refsource": "CONFIRM",
                  "url": "https://support.f5.com/csp/article/K02591030?utm_source=f5support\u0026amp;utm_medium=RSS"
                },
                {
                  "name": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
                },
                {
                  "name": "RHSA-2019:3933",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3933"
                },
                {
                  "name": "RHSA-2019:3935",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3935"
                },
                {
                  "name": "RHSA-2019:3932",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3932"
                },
                {
                  "name": "[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3Ccvs.httpd.apache.org%3E"
                },
                {
                  "name": "[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3Ccvs.httpd.apache.org%3E"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuapr2020.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
                },
                {
                  "name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E"
                },
                {
                  "name": "[httpd-cvs] 20210330 svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf@%3Ccvs.httpd.apache.org%3E"
                },
                {
                  "name": "[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3Ccvs.httpd.apache.org%3E"
                },
                {
                  "name": "[httpd-cvs] 20210330 svn commit: r1073139 [12/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r03ee478b3dda3e381fd6189366fa7af97c980d2f602846eef935277d@%3Ccvs.httpd.apache.org%3E"
                },
                {
                  "name": "[httpd-cvs] 20210330 svn commit: r1888194 [12/13] - /httpd/site/trunk/content/security/json/",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rd2fb621142e7fa187cfe12d7137bf66e7234abcbbcd800074c84a538@%3Ccvs.httpd.apache.org%3E"
                },
                {
                  "name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E"
                },
                {
                  "name": "[httpd-cvs] 20210330 svn commit: r1073149 [13/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r3c5c3104813c1c5508b55564b66546933079250a46ce50eee90b2e36@%3Ccvs.httpd.apache.org%3E"
                },
                {
                  "name": "[httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d@%3Ccvs.httpd.apache.org%3E"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "assignerShortName": "certcc",
        "cveId": "CVE-2019-9517",
        "datePublished": "2019-08-13T20:50:59.000Z",
        "dateReserved": "2019-03-01T00:00:00.000Z",
        "dateUpdated": "2024-08-04T21:54:44.675Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-9516 (GCVE-0-2019-9516)

    Vulnerability from nvd – Published: 2019-08-13 20:50 – Updated: 2024-08-04 21:54
    VLAI
    Title
    Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service
    Summary
    Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory.
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    URL Tags
    https://kb.cert.org/vuls/id/605641/ third-party-advisoryx_refsource_CERT-VN
    https://github.com/Netflix/security-bulletins/blo… x_refsource_MISC
    https://seclists.org/bugtraq/2019/Aug/24 mailing-listx_refsource_BUGTRAQ
    https://usn.ubuntu.com/4099-1/ vendor-advisoryx_refsource_UBUNTU
    http://seclists.org/fulldisclosure/2019/Aug/16 mailing-listx_refsource_FULLDISC
    https://www.synology.com/security/advisory/Synolo… x_refsource_CONFIRM
    https://support.f5.com/csp/article/K02591030 x_refsource_CONFIRM
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://seclists.org/bugtraq/2019/Aug/40 mailing-listx_refsource_BUGTRAQ
    https://www.debian.org/security/2019/dsa-4505 vendor-advisoryx_refsource_DEBIAN
    https://security.netapp.com/advisory/ntap-2019082… x_refsource_CONFIRM
    https://security.netapp.com/advisory/ntap-2019082… x_refsource_CONFIRM
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    https://kc.mcafee.com/corporate/index?page=conten… x_refsource_CONFIRM
    https://access.redhat.com/errata/RHSA-2019:2745 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2746 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2775 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2799 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2925 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2939 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2946 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2950 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2955 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2966 vendor-advisoryx_refsource_REDHAT
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    https://support.f5.com/csp/article/K02591030?utm_… x_refsource_CONFIRM
    https://access.redhat.com/errata/RHSA-2019:3933 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:3935 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:3932 vendor-advisoryx_refsource_REDHAT
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    Credits
    Thanks to Jonathan Looney of Netflix for reporting this vulnerability.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T21:54:44.285Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "VU#605641",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_CERT-VN",
                  "x_transferred"
                ],
                "url": "https://kb.cert.org/vuls/id/605641/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
              },
              {
                "name": "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
                "tags": [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
                  "x_transferred"
                ],
                "url": "https://seclists.org/bugtraq/2019/Aug/24"
              },
              {
                "name": "USN-4099-1",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
                  "x_transferred"
                ],
                "url": "https://usn.ubuntu.com/4099-1/"
              },
              {
                "name": "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
                "tags": [
                  "mailing-list",
                  "x_refsource_FULLDISC",
                  "x_transferred"
                ],
                "url": "http://seclists.org/fulldisclosure/2019/Aug/16"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.f5.com/csp/article/K02591030"
              },
              {
                "name": "FEDORA-2019-befd924cfe",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/"
              },
              {
                "name": "20190822 [SECURITY] [DSA 4505-1] nginx security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
                  "x_transferred"
                ],
                "url": "https://seclists.org/bugtraq/2019/Aug/40"
              },
              {
                "name": "DSA-4505",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2019/dsa-4505"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20190823-0002/"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
              },
              {
                "name": "FEDORA-2019-5a6a7bc12c",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
              },
              {
                "name": "FEDORA-2019-6a2980de56",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
              },
              {
                "name": "FEDORA-2019-4427fd65be",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/"
              },
              {
                "name": "FEDORA-2019-63ba15cc83",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/"
              },
              {
                "name": "FEDORA-2019-7a0b45fdc4",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/POPAEC4FWL4UU4LDEGPY5NPALU24FFQD/"
              },
              {
                "name": "openSUSE-SU-2019:2120",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html"
              },
              {
                "name": "openSUSE-SU-2019:2114",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
              },
              {
                "name": "openSUSE-SU-2019:2115",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
              },
              {
                "name": "RHSA-2019:2745",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2745"
              },
              {
                "name": "RHSA-2019:2746",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2746"
              },
              {
                "name": "RHSA-2019:2775",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2775"
              },
              {
                "name": "RHSA-2019:2799",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2799"
              },
              {
                "name": "RHSA-2019:2925",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2925"
              },
              {
                "name": "RHSA-2019:2939",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2939"
              },
              {
                "name": "RHSA-2019:2946",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2946"
              },
              {
                "name": "RHSA-2019:2950",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2950"
              },
              {
                "name": "RHSA-2019:2955",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2955"
              },
              {
                "name": "RHSA-2019:2966",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2966"
              },
              {
                "name": "openSUSE-SU-2019:2264",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00014.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.f5.com/csp/article/K02591030?utm_source=f5support\u0026amp%3Butm_medium=RSS"
              },
              {
                "name": "RHSA-2019:3933",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3933"
              },
              {
                "name": "RHSA-2019:3935",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3935"
              },
              {
                "name": "RHSA-2019:3932",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3932"
              },
              {
                "name": "FEDORA-2021-d5b2c18fe6",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Thanks to Jonathan Looney of Netflix for reporting this vulnerability."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-01-16T02:06:09.000Z",
            "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
            "shortName": "certcc"
          },
          "references": [
            {
              "name": "VU#605641",
              "tags": [
                "third-party-advisory",
                "x_refsource_CERT-VN"
              ],
              "url": "https://kb.cert.org/vuls/id/605641/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
            },
            {
              "name": "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
              "tags": [
                "mailing-list",
                "x_refsource_BUGTRAQ"
              ],
              "url": "https://seclists.org/bugtraq/2019/Aug/24"
            },
            {
              "name": "USN-4099-1",
              "tags": [
                "vendor-advisory",
                "x_refsource_UBUNTU"
              ],
              "url": "https://usn.ubuntu.com/4099-1/"
            },
            {
              "name": "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
              "tags": [
                "mailing-list",
                "x_refsource_FULLDISC"
              ],
              "url": "http://seclists.org/fulldisclosure/2019/Aug/16"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.f5.com/csp/article/K02591030"
            },
            {
              "name": "FEDORA-2019-befd924cfe",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/"
            },
            {
              "name": "20190822 [SECURITY] [DSA 4505-1] nginx security update",
              "tags": [
                "mailing-list",
                "x_refsource_BUGTRAQ"
              ],
              "url": "https://seclists.org/bugtraq/2019/Aug/40"
            },
            {
              "name": "DSA-4505",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2019/dsa-4505"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20190823-0002/"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
            },
            {
              "name": "FEDORA-2019-5a6a7bc12c",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
            },
            {
              "name": "FEDORA-2019-6a2980de56",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
            },
            {
              "name": "FEDORA-2019-4427fd65be",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/"
            },
            {
              "name": "FEDORA-2019-63ba15cc83",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/"
            },
            {
              "name": "FEDORA-2019-7a0b45fdc4",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/POPAEC4FWL4UU4LDEGPY5NPALU24FFQD/"
            },
            {
              "name": "openSUSE-SU-2019:2120",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html"
            },
            {
              "name": "openSUSE-SU-2019:2114",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
            },
            {
              "name": "openSUSE-SU-2019:2115",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
            },
            {
              "name": "RHSA-2019:2745",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2745"
            },
            {
              "name": "RHSA-2019:2746",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2746"
            },
            {
              "name": "RHSA-2019:2775",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2775"
            },
            {
              "name": "RHSA-2019:2799",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2799"
            },
            {
              "name": "RHSA-2019:2925",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2925"
            },
            {
              "name": "RHSA-2019:2939",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2939"
            },
            {
              "name": "RHSA-2019:2946",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2946"
            },
            {
              "name": "RHSA-2019:2950",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2950"
            },
            {
              "name": "RHSA-2019:2955",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2955"
            },
            {
              "name": "RHSA-2019:2966",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2966"
            },
            {
              "name": "openSUSE-SU-2019:2264",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00014.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.f5.com/csp/article/K02591030?utm_source=f5support\u0026amp%3Butm_medium=RSS"
            },
            {
              "name": "RHSA-2019:3933",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3933"
            },
            {
              "name": "RHSA-2019:3935",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3935"
            },
            {
              "name": "RHSA-2019:3932",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3932"
            },
            {
              "name": "FEDORA-2021-d5b2c18fe6",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service",
          "x_generator": {
            "engine": "Vulnogram 0.0.7"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "AKA": "HTTP/2 0-Length Headers Leak",
              "ASSIGNER": "cert@cert.org",
              "ID": "CVE-2019-9516",
              "STATE": "PUBLIC",
              "TITLE": "Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Thanks to Jonathan Looney of Netflix for reporting this vulnerability."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.7"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-400 Uncontrolled Resource Consumption"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "VU#605641",
                  "refsource": "CERT-VN",
                  "url": "https://kb.cert.org/vuls/id/605641/"
                },
                {
                  "name": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md",
                  "refsource": "MISC",
                  "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
                },
                {
                  "name": "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
                  "refsource": "BUGTRAQ",
                  "url": "https://seclists.org/bugtraq/2019/Aug/24"
                },
                {
                  "name": "USN-4099-1",
                  "refsource": "UBUNTU",
                  "url": "https://usn.ubuntu.com/4099-1/"
                },
                {
                  "name": "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
                  "refsource": "FULLDISC",
                  "url": "http://seclists.org/fulldisclosure/2019/Aug/16"
                },
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_19_33",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
                },
                {
                  "name": "https://support.f5.com/csp/article/K02591030",
                  "refsource": "CONFIRM",
                  "url": "https://support.f5.com/csp/article/K02591030"
                },
                {
                  "name": "FEDORA-2019-befd924cfe",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/"
                },
                {
                  "name": "20190822 [SECURITY] [DSA 4505-1] nginx security update",
                  "refsource": "BUGTRAQ",
                  "url": "https://seclists.org/bugtraq/2019/Aug/40"
                },
                {
                  "name": "DSA-4505",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2019/dsa-4505"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20190823-0002/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20190823-0002/"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20190823-0005/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
                },
                {
                  "name": "FEDORA-2019-5a6a7bc12c",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
                },
                {
                  "name": "FEDORA-2019-6a2980de56",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
                },
                {
                  "name": "FEDORA-2019-4427fd65be",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/"
                },
                {
                  "name": "FEDORA-2019-63ba15cc83",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/"
                },
                {
                  "name": "FEDORA-2019-7a0b45fdc4",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/POPAEC4FWL4UU4LDEGPY5NPALU24FFQD/"
                },
                {
                  "name": "openSUSE-SU-2019:2120",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html"
                },
                {
                  "name": "openSUSE-SU-2019:2114",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
                },
                {
                  "name": "openSUSE-SU-2019:2115",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
                },
                {
                  "name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296",
                  "refsource": "CONFIRM",
                  "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
                },
                {
                  "name": "RHSA-2019:2745",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2745"
                },
                {
                  "name": "RHSA-2019:2746",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2746"
                },
                {
                  "name": "RHSA-2019:2775",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2775"
                },
                {
                  "name": "RHSA-2019:2799",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2799"
                },
                {
                  "name": "RHSA-2019:2925",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2925"
                },
                {
                  "name": "RHSA-2019:2939",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2939"
                },
                {
                  "name": "RHSA-2019:2946",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2946"
                },
                {
                  "name": "RHSA-2019:2950",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2950"
                },
                {
                  "name": "RHSA-2019:2955",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2955"
                },
                {
                  "name": "RHSA-2019:2966",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2966"
                },
                {
                  "name": "openSUSE-SU-2019:2264",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00014.html"
                },
                {
                  "name": "https://support.f5.com/csp/article/K02591030?utm_source=f5support\u0026amp;utm_medium=RSS",
                  "refsource": "CONFIRM",
                  "url": "https://support.f5.com/csp/article/K02591030?utm_source=f5support\u0026amp;utm_medium=RSS"
                },
                {
                  "name": "RHSA-2019:3933",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3933"
                },
                {
                  "name": "RHSA-2019:3935",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3935"
                },
                {
                  "name": "RHSA-2019:3932",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3932"
                },
                {
                  "name": "FEDORA-2021-d5b2c18fe6",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "assignerShortName": "certcc",
        "cveId": "CVE-2019-9516",
        "datePublished": "2019-08-13T20:50:59.000Z",
        "dateReserved": "2019-03-01T00:00:00.000Z",
        "dateUpdated": "2024-08-04T21:54:44.285Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-9515 (GCVE-0-2019-9515)

    Vulnerability from nvd – Published: 2019-08-13 20:50 – Updated: 2024-08-04 21:54
    VLAI
    Title
    Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service
    Summary
    Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    URL Tags
    https://kb.cert.org/vuls/id/605641/ third-party-advisoryx_refsource_CERT-VN
    https://github.com/Netflix/security-bulletins/blo… x_refsource_MISC
    https://lists.apache.org/thread.html/bde52309316a… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/392108390cef… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/ad3d01e76719… mailing-listx_refsource_MLIST
    https://seclists.org/bugtraq/2019/Aug/24 mailing-listx_refsource_BUGTRAQ
    http://seclists.org/fulldisclosure/2019/Aug/16 mailing-listx_refsource_FULLDISC
    https://www.synology.com/security/advisory/Synolo… x_refsource_CONFIRM
    https://support.f5.com/csp/article/K50233772 x_refsource_CONFIRM
    https://security.netapp.com/advisory/ntap-2019082… x_refsource_CONFIRM
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://seclists.org/bugtraq/2019/Aug/43 mailing-listx_refsource_BUGTRAQ
    https://www.debian.org/security/2019/dsa-4508 vendor-advisoryx_refsource_DEBIAN
    https://www.debian.org/security/2019/dsa-4520 vendor-advisoryx_refsource_DEBIAN
    https://seclists.org/bugtraq/2019/Sep/18 mailing-listx_refsource_BUGTRAQ
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    https://kc.mcafee.com/corporate/index?page=conten… x_refsource_CONFIRM
    https://access.redhat.com/errata/RHSA-2019:2766 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2796 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2861 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2925 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2939 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2955 vendor-advisoryx_refsource_REDHAT
    https://support.f5.com/csp/article/K50233772?utm_… x_refsource_CONFIRM
    https://access.redhat.com/errata/RHSA-2019:3892 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:4018 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:4019 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:4021 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:4020 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:4045 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:4042 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:4040 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:4041 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:4352 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2020:0727 vendor-advisoryx_refsource_REDHAT
    https://usn.ubuntu.com/4308-1/ vendor-advisoryx_refsource_UBUNTU
    Credits
    Thanks to Jonathan Looney of Netflix for reporting this vulnerability.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T21:54:44.327Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "VU#605641",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_CERT-VN",
                  "x_transferred"
                ],
                "url": "https://kb.cert.org/vuls/id/605641/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
              },
              {
                "name": "[trafficserver-dev] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E"
              },
              {
                "name": "[trafficserver-users] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E"
              },
              {
                "name": "[trafficserver-announce] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E"
              },
              {
                "name": "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
                "tags": [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
                  "x_transferred"
                ],
                "url": "https://seclists.org/bugtraq/2019/Aug/24"
              },
              {
                "name": "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
                "tags": [
                  "mailing-list",
                  "x_refsource_FULLDISC",
                  "x_transferred"
                ],
                "url": "http://seclists.org/fulldisclosure/2019/Aug/16"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.f5.com/csp/article/K50233772"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
              },
              {
                "name": "FEDORA-2019-5a6a7bc12c",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
              },
              {
                "name": "FEDORA-2019-6a2980de56",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
              },
              {
                "name": "20190825 [SECURITY] [DSA 4508-1] h2o security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
                  "x_transferred"
                ],
                "url": "https://seclists.org/bugtraq/2019/Aug/43"
              },
              {
                "name": "DSA-4508",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2019/dsa-4508"
              },
              {
                "name": "DSA-4520",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2019/dsa-4520"
              },
              {
                "name": "20190910 [SECURITY] [DSA 4520-1] trafficserver security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
                  "x_transferred"
                ],
                "url": "https://seclists.org/bugtraq/2019/Sep/18"
              },
              {
                "name": "openSUSE-SU-2019:2114",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
              },
              {
                "name": "openSUSE-SU-2019:2115",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
              },
              {
                "name": "RHSA-2019:2766",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2766"
              },
              {
                "name": "RHSA-2019:2796",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2796"
              },
              {
                "name": "RHSA-2019:2861",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2861"
              },
              {
                "name": "RHSA-2019:2925",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2925"
              },
              {
                "name": "RHSA-2019:2939",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2939"
              },
              {
                "name": "RHSA-2019:2955",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2955"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.f5.com/csp/article/K50233772?utm_source=f5support\u0026amp%3Butm_medium=RSS"
              },
              {
                "name": "RHSA-2019:3892",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3892"
              },
              {
                "name": "RHSA-2019:4018",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4018"
              },
              {
                "name": "RHSA-2019:4019",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4019"
              },
              {
                "name": "RHSA-2019:4021",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4021"
              },
              {
                "name": "RHSA-2019:4020",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4020"
              },
              {
                "name": "RHSA-2019:4045",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4045"
              },
              {
                "name": "RHSA-2019:4042",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4042"
              },
              {
                "name": "RHSA-2019:4040",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4040"
              },
              {
                "name": "RHSA-2019:4041",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4041"
              },
              {
                "name": "RHSA-2019:4352",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4352"
              },
              {
                "name": "RHSA-2020:0727",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2020:0727"
              },
              {
                "name": "USN-4308-1",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
                  "x_transferred"
                ],
                "url": "https://usn.ubuntu.com/4308-1/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Thanks to Jonathan Looney of Netflix for reporting this vulnerability."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-03-30T21:06:04.000Z",
            "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
            "shortName": "certcc"
          },
          "references": [
            {
              "name": "VU#605641",
              "tags": [
                "third-party-advisory",
                "x_refsource_CERT-VN"
              ],
              "url": "https://kb.cert.org/vuls/id/605641/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
            },
            {
              "name": "[trafficserver-dev] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E"
            },
            {
              "name": "[trafficserver-users] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E"
            },
            {
              "name": "[trafficserver-announce] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E"
            },
            {
              "name": "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
              "tags": [
                "mailing-list",
                "x_refsource_BUGTRAQ"
              ],
              "url": "https://seclists.org/bugtraq/2019/Aug/24"
            },
            {
              "name": "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
              "tags": [
                "mailing-list",
                "x_refsource_FULLDISC"
              ],
              "url": "http://seclists.org/fulldisclosure/2019/Aug/16"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.f5.com/csp/article/K50233772"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
            },
            {
              "name": "FEDORA-2019-5a6a7bc12c",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
            },
            {
              "name": "FEDORA-2019-6a2980de56",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
            },
            {
              "name": "20190825 [SECURITY] [DSA 4508-1] h2o security update",
              "tags": [
                "mailing-list",
                "x_refsource_BUGTRAQ"
              ],
              "url": "https://seclists.org/bugtraq/2019/Aug/43"
            },
            {
              "name": "DSA-4508",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2019/dsa-4508"
            },
            {
              "name": "DSA-4520",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2019/dsa-4520"
            },
            {
              "name": "20190910 [SECURITY] [DSA 4520-1] trafficserver security update",
              "tags": [
                "mailing-list",
                "x_refsource_BUGTRAQ"
              ],
              "url": "https://seclists.org/bugtraq/2019/Sep/18"
            },
            {
              "name": "openSUSE-SU-2019:2114",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
            },
            {
              "name": "openSUSE-SU-2019:2115",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
            },
            {
              "name": "RHSA-2019:2766",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2766"
            },
            {
              "name": "RHSA-2019:2796",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2796"
            },
            {
              "name": "RHSA-2019:2861",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2861"
            },
            {
              "name": "RHSA-2019:2925",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2925"
            },
            {
              "name": "RHSA-2019:2939",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2939"
            },
            {
              "name": "RHSA-2019:2955",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2955"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.f5.com/csp/article/K50233772?utm_source=f5support\u0026amp%3Butm_medium=RSS"
            },
            {
              "name": "RHSA-2019:3892",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3892"
            },
            {
              "name": "RHSA-2019:4018",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4018"
            },
            {
              "name": "RHSA-2019:4019",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4019"
            },
            {
              "name": "RHSA-2019:4021",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4021"
            },
            {
              "name": "RHSA-2019:4020",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4020"
            },
            {
              "name": "RHSA-2019:4045",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4045"
            },
            {
              "name": "RHSA-2019:4042",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4042"
            },
            {
              "name": "RHSA-2019:4040",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4040"
            },
            {
              "name": "RHSA-2019:4041",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4041"
            },
            {
              "name": "RHSA-2019:4352",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4352"
            },
            {
              "name": "RHSA-2020:0727",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2020:0727"
            },
            {
              "name": "USN-4308-1",
              "tags": [
                "vendor-advisory",
                "x_refsource_UBUNTU"
              ],
              "url": "https://usn.ubuntu.com/4308-1/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service",
          "x_generator": {
            "engine": "Vulnogram 0.0.7"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "AKA": "HTTP/2 Settings Flood",
              "ASSIGNER": "cert@cert.org",
              "ID": "CVE-2019-9515",
              "STATE": "PUBLIC",
              "TITLE": "Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Thanks to Jonathan Looney of Netflix for reporting this vulnerability."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.7"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-400 Uncontrolled Resource Consumption"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "VU#605641",
                  "refsource": "CERT-VN",
                  "url": "https://kb.cert.org/vuls/id/605641/"
                },
                {
                  "name": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md",
                  "refsource": "MISC",
                  "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
                },
                {
                  "name": "[trafficserver-dev] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7@%3Cdev.trafficserver.apache.org%3E"
                },
                {
                  "name": "[trafficserver-users] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04@%3Cusers.trafficserver.apache.org%3E"
                },
                {
                  "name": "[trafficserver-announce] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19@%3Cannounce.trafficserver.apache.org%3E"
                },
                {
                  "name": "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
                  "refsource": "BUGTRAQ",
                  "url": "https://seclists.org/bugtraq/2019/Aug/24"
                },
                {
                  "name": "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
                  "refsource": "FULLDISC",
                  "url": "http://seclists.org/fulldisclosure/2019/Aug/16"
                },
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_19_33",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
                },
                {
                  "name": "https://support.f5.com/csp/article/K50233772",
                  "refsource": "CONFIRM",
                  "url": "https://support.f5.com/csp/article/K50233772"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20190823-0005/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
                },
                {
                  "name": "FEDORA-2019-5a6a7bc12c",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
                },
                {
                  "name": "FEDORA-2019-6a2980de56",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
                },
                {
                  "name": "20190825 [SECURITY] [DSA 4508-1] h2o security update",
                  "refsource": "BUGTRAQ",
                  "url": "https://seclists.org/bugtraq/2019/Aug/43"
                },
                {
                  "name": "DSA-4508",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2019/dsa-4508"
                },
                {
                  "name": "DSA-4520",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2019/dsa-4520"
                },
                {
                  "name": "20190910 [SECURITY] [DSA 4520-1] trafficserver security update",
                  "refsource": "BUGTRAQ",
                  "url": "https://seclists.org/bugtraq/2019/Sep/18"
                },
                {
                  "name": "openSUSE-SU-2019:2114",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
                },
                {
                  "name": "openSUSE-SU-2019:2115",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
                },
                {
                  "name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296",
                  "refsource": "CONFIRM",
                  "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
                },
                {
                  "name": "RHSA-2019:2766",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2766"
                },
                {
                  "name": "RHSA-2019:2796",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2796"
                },
                {
                  "name": "RHSA-2019:2861",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2861"
                },
                {
                  "name": "RHSA-2019:2925",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2925"
                },
                {
                  "name": "RHSA-2019:2939",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2939"
                },
                {
                  "name": "RHSA-2019:2955",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2955"
                },
                {
                  "name": "https://support.f5.com/csp/article/K50233772?utm_source=f5support\u0026amp;utm_medium=RSS",
                  "refsource": "CONFIRM",
                  "url": "https://support.f5.com/csp/article/K50233772?utm_source=f5support\u0026amp;utm_medium=RSS"
                },
                {
                  "name": "RHSA-2019:3892",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3892"
                },
                {
                  "name": "RHSA-2019:4018",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:4018"
                },
                {
                  "name": "RHSA-2019:4019",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:4019"
                },
                {
                  "name": "RHSA-2019:4021",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:4021"
                },
                {
                  "name": "RHSA-2019:4020",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:4020"
                },
                {
                  "name": "RHSA-2019:4045",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:4045"
                },
                {
                  "name": "RHSA-2019:4042",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:4042"
                },
                {
                  "name": "RHSA-2019:4040",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:4040"
                },
                {
                  "name": "RHSA-2019:4041",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:4041"
                },
                {
                  "name": "RHSA-2019:4352",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:4352"
                },
                {
                  "name": "RHSA-2020:0727",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2020:0727"
                },
                {
                  "name": "USN-4308-1",
                  "refsource": "UBUNTU",
                  "url": "https://usn.ubuntu.com/4308-1/"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "assignerShortName": "certcc",
        "cveId": "CVE-2019-9515",
        "datePublished": "2019-08-13T20:50:59.000Z",
        "dateReserved": "2019-03-01T00:00:00.000Z",
        "dateUpdated": "2024-08-04T21:54:44.327Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-9514 (GCVE-0-2019-9514)

    Vulnerability from nvd – Published: 2019-08-13 00:00 – Updated: 2024-08-04 21:54
    VLAI
    Title
    Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service
    Summary
    Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    URL Tags
    https://kb.cert.org/vuls/id/605641/ third-party-advisory
    https://github.com/Netflix/security-bulletins/blo…
    https://lists.apache.org/thread.html/bde52309316a… mailing-list
    https://lists.apache.org/thread.html/392108390cef… mailing-list
    https://lists.apache.org/thread.html/ad3d01e76719… mailing-list
    https://seclists.org/bugtraq/2019/Aug/24 mailing-list
    http://seclists.org/fulldisclosure/2019/Aug/16 mailing-list
    https://www.synology.com/security/advisory/Synolo…
    https://seclists.org/bugtraq/2019/Aug/31 mailing-list
    https://www.debian.org/security/2019/dsa-4503 vendor-advisory
    https://support.f5.com/csp/article/K01988340
    http://www.openwall.com/lists/oss-security/2019/08/20/1 mailing-list
    https://security.netapp.com/advisory/ntap-2019082…
    https://security.netapp.com/advisory/ntap-2019082…
    https://security.netapp.com/advisory/ntap-2019082…
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://seclists.org/bugtraq/2019/Aug/43 mailing-list
    https://www.debian.org/security/2019/dsa-4508 vendor-advisory
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisory
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisory
    https://access.redhat.com/errata/RHSA-2019:2682 vendor-advisory
    https://www.debian.org/security/2019/dsa-4520 vendor-advisory
    https://access.redhat.com/errata/RHSA-2019:2726 vendor-advisory
    https://seclists.org/bugtraq/2019/Sep/18 mailing-list
    https://access.redhat.com/errata/RHSA-2019:2594 vendor-advisory
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisory
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisory
    https://access.redhat.com/errata/RHSA-2019:2661 vendor-advisory
    https://kc.mcafee.com/corporate/index?page=conten…
    https://access.redhat.com/errata/RHSA-2019:2690 vendor-advisory
    https://access.redhat.com/errata/RHSA-2019:2766 vendor-advisory
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisory
    https://access.redhat.com/errata/RHSA-2019:2796 vendor-advisory
    https://access.redhat.com/errata/RHSA-2019:2861 vendor-advisory
    https://access.redhat.com/errata/RHSA-2019:2925 vendor-advisory
    https://access.redhat.com/errata/RHSA-2019:2939 vendor-advisory
    https://access.redhat.com/errata/RHSA-2019:2955 vendor-advisory
    https://access.redhat.com/errata/RHSA-2019:2966 vendor-advisory
    https://support.f5.com/csp/article/K01988340?utm_…
    https://access.redhat.com/errata/RHSA-2019:3131 vendor-advisory
    https://access.redhat.com/errata/RHSA-2019:2769 vendor-advisory
    https://access.redhat.com/errata/RHSA-2019:3245 vendor-advisory
    https://access.redhat.com/errata/RHSA-2019:3265 vendor-advisory
    https://access.redhat.com/errata/RHSA-2019:3892 vendor-advisory
    https://access.redhat.com/errata/RHSA-2019:3906 vendor-advisory
    https://access.redhat.com/errata/RHSA-2019:4018 vendor-advisory
    https://access.redhat.com/errata/RHSA-2019:4019 vendor-advisory
    https://access.redhat.com/errata/RHSA-2019:4021 vendor-advisory
    https://access.redhat.com/errata/RHSA-2019:4020 vendor-advisory
    https://access.redhat.com/errata/RHSA-2019:4045 vendor-advisory
    https://access.redhat.com/errata/RHSA-2019:4042 vendor-advisory
    https://access.redhat.com/errata/RHSA-2019:4040 vendor-advisory
    https://access.redhat.com/errata/RHSA-2019:4041 vendor-advisory
    https://access.redhat.com/errata/RHSA-2019:4269 vendor-advisory
    https://access.redhat.com/errata/RHSA-2019:4273 vendor-advisory
    https://access.redhat.com/errata/RHSA-2019:4352 vendor-advisory
    https://access.redhat.com/errata/RHSA-2020:0406 vendor-advisory
    https://access.redhat.com/errata/RHSA-2020:0727 vendor-advisory
    https://usn.ubuntu.com/4308-1/ vendor-advisory
    https://www.debian.org/security/2020/dsa-4669 vendor-advisory
    https://lists.debian.org/debian-lts-announce/2020… mailing-list
    http://www.openwall.com/lists/oss-security/2023/10/18/8 mailing-list
    Credits
    Thanks to Jonathan Looney of Netflix for reporting this vulnerability.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T21:54:44.511Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "VU#605641",
                "tags": [
                  "third-party-advisory",
                  "x_transferred"
                ],
                "url": "https://kb.cert.org/vuls/id/605641/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
              },
              {
                "name": "[trafficserver-dev] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E"
              },
              {
                "name": "[trafficserver-users] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E"
              },
              {
                "name": "[trafficserver-announce] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E"
              },
              {
                "name": "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://seclists.org/bugtraq/2019/Aug/24"
              },
              {
                "name": "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://seclists.org/fulldisclosure/2019/Aug/16"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
              },
              {
                "name": "20190819 [SECURITY] [DSA 4503-1] golang-1.11 security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://seclists.org/bugtraq/2019/Aug/31"
              },
              {
                "name": "DSA-4503",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2019/dsa-4503"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://support.f5.com/csp/article/K01988340"
              },
              {
                "name": "[oss-security] 20190819 [ANNOUNCE] Security release of Kubernetes v1.15.3, v1.14.6, v1.13.10 - CVE-2019-9512 and CVE-2019-9514",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2019/08/20/1"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20190823-0001/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20190823-0004/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
              },
              {
                "name": "openSUSE-SU-2019:2000",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00076.html"
              },
              {
                "name": "FEDORA-2019-5a6a7bc12c",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
              },
              {
                "name": "FEDORA-2019-6a2980de56",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
              },
              {
                "name": "20190825 [SECURITY] [DSA 4508-1] h2o security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://seclists.org/bugtraq/2019/Aug/43"
              },
              {
                "name": "DSA-4508",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2019/dsa-4508"
              },
              {
                "name": "openSUSE-SU-2019:2056",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00002.html"
              },
              {
                "name": "openSUSE-SU-2019:2072",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00011.html"
              },
              {
                "name": "FEDORA-2019-55d101a740",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LYO6E3H34C346D2E443GLXK7OK6KIYIQ/"
              },
              {
                "name": "FEDORA-2019-65db7ad6c7",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4BBP27PZGSY6OP6D26E5FW4GZKBFHNU7/"
              },
              {
                "name": "openSUSE-SU-2019:2085",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00021.html"
              },
              {
                "name": "RHSA-2019:2682",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2682"
              },
              {
                "name": "DSA-4520",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2019/dsa-4520"
              },
              {
                "name": "RHSA-2019:2726",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2726"
              },
              {
                "name": "20190910 [SECURITY] [DSA 4520-1] trafficserver security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://seclists.org/bugtraq/2019/Sep/18"
              },
              {
                "name": "RHSA-2019:2594",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2594"
              },
              {
                "name": "openSUSE-SU-2019:2114",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
              },
              {
                "name": "openSUSE-SU-2019:2115",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
              },
              {
                "name": "RHSA-2019:2661",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2661"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
              },
              {
                "name": "RHSA-2019:2690",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2690"
              },
              {
                "name": "RHSA-2019:2766",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2766"
              },
              {
                "name": "openSUSE-SU-2019:2130",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00038.html"
              },
              {
                "name": "RHSA-2019:2796",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2796"
              },
              {
                "name": "RHSA-2019:2861",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2861"
              },
              {
                "name": "RHSA-2019:2925",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2925"
              },
              {
                "name": "RHSA-2019:2939",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2939"
              },
              {
                "name": "RHSA-2019:2955",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2955"
              },
              {
                "name": "RHSA-2019:2966",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2966"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://support.f5.com/csp/article/K01988340?utm_source=f5support\u0026amp%3Butm_medium=RSS"
              },
              {
                "name": "RHSA-2019:3131",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3131"
              },
              {
                "name": "RHSA-2019:2769",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2769"
              },
              {
                "name": "RHSA-2019:3245",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3245"
              },
              {
                "name": "RHSA-2019:3265",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3265"
              },
              {
                "name": "RHSA-2019:3892",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3892"
              },
              {
                "name": "RHSA-2019:3906",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3906"
              },
              {
                "name": "RHSA-2019:4018",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4018"
              },
              {
                "name": "RHSA-2019:4019",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4019"
              },
              {
                "name": "RHSA-2019:4021",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4021"
              },
              {
                "name": "RHSA-2019:4020",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4020"
              },
              {
                "name": "RHSA-2019:4045",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4045"
              },
              {
                "name": "RHSA-2019:4042",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4042"
              },
              {
                "name": "RHSA-2019:4040",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4040"
              },
              {
                "name": "RHSA-2019:4041",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4041"
              },
              {
                "name": "RHSA-2019:4269",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4269"
              },
              {
                "name": "RHSA-2019:4273",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4273"
              },
              {
                "name": "RHSA-2019:4352",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4352"
              },
              {
                "name": "RHSA-2020:0406",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2020:0406"
              },
              {
                "name": "RHSA-2020:0727",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2020:0727"
              },
              {
                "name": "USN-4308-1",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://usn.ubuntu.com/4308-1/"
              },
              {
                "name": "DSA-4669",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2020/dsa-4669"
              },
              {
                "name": "[debian-lts-announce] 20201208 [SECURITY] [DLA 2485-1] golang-golang-x-net-dev security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00011.html"
              },
              {
                "name": "[oss-security] 20231018 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2023/10/18/8"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Thanks to Jonathan Looney of Netflix for reporting this vulnerability."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-10-19T02:06:30.169Z",
            "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
            "shortName": "certcc"
          },
          "references": [
            {
              "name": "VU#605641",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://kb.cert.org/vuls/id/605641/"
            },
            {
              "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
            },
            {
              "name": "[trafficserver-dev] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E"
            },
            {
              "name": "[trafficserver-users] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E"
            },
            {
              "name": "[trafficserver-announce] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E"
            },
            {
              "name": "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
              "tags": [
                "mailing-list"
              ],
              "url": "https://seclists.org/bugtraq/2019/Aug/24"
            },
            {
              "name": "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
              "tags": [
                "mailing-list"
              ],
              "url": "http://seclists.org/fulldisclosure/2019/Aug/16"
            },
            {
              "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
            },
            {
              "name": "20190819 [SECURITY] [DSA 4503-1] golang-1.11 security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://seclists.org/bugtraq/2019/Aug/31"
            },
            {
              "name": "DSA-4503",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.debian.org/security/2019/dsa-4503"
            },
            {
              "url": "https://support.f5.com/csp/article/K01988340"
            },
            {
              "name": "[oss-security] 20190819 [ANNOUNCE] Security release of Kubernetes v1.15.3, v1.14.6, v1.13.10 - CVE-2019-9512 and CVE-2019-9514",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2019/08/20/1"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20190823-0001/"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20190823-0004/"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
            },
            {
              "name": "openSUSE-SU-2019:2000",
              "tags": [
                "vendor-advisory"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00076.html"
            },
            {
              "name": "FEDORA-2019-5a6a7bc12c",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
            },
            {
              "name": "FEDORA-2019-6a2980de56",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
            },
            {
              "name": "20190825 [SECURITY] [DSA 4508-1] h2o security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://seclists.org/bugtraq/2019/Aug/43"
            },
            {
              "name": "DSA-4508",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.debian.org/security/2019/dsa-4508"
            },
            {
              "name": "openSUSE-SU-2019:2056",
              "tags": [
                "vendor-advisory"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00002.html"
            },
            {
              "name": "openSUSE-SU-2019:2072",
              "tags": [
                "vendor-advisory"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00011.html"
            },
            {
              "name": "FEDORA-2019-55d101a740",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LYO6E3H34C346D2E443GLXK7OK6KIYIQ/"
            },
            {
              "name": "FEDORA-2019-65db7ad6c7",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4BBP27PZGSY6OP6D26E5FW4GZKBFHNU7/"
            },
            {
              "name": "openSUSE-SU-2019:2085",
              "tags": [
                "vendor-advisory"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00021.html"
            },
            {
              "name": "RHSA-2019:2682",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2682"
            },
            {
              "name": "DSA-4520",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.debian.org/security/2019/dsa-4520"
            },
            {
              "name": "RHSA-2019:2726",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2726"
            },
            {
              "name": "20190910 [SECURITY] [DSA 4520-1] trafficserver security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://seclists.org/bugtraq/2019/Sep/18"
            },
            {
              "name": "RHSA-2019:2594",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2594"
            },
            {
              "name": "openSUSE-SU-2019:2114",
              "tags": [
                "vendor-advisory"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
            },
            {
              "name": "openSUSE-SU-2019:2115",
              "tags": [
                "vendor-advisory"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
            },
            {
              "name": "RHSA-2019:2661",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2661"
            },
            {
              "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
            },
            {
              "name": "RHSA-2019:2690",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2690"
            },
            {
              "name": "RHSA-2019:2766",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2766"
            },
            {
              "name": "openSUSE-SU-2019:2130",
              "tags": [
                "vendor-advisory"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00038.html"
            },
            {
              "name": "RHSA-2019:2796",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2796"
            },
            {
              "name": "RHSA-2019:2861",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2861"
            },
            {
              "name": "RHSA-2019:2925",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2925"
            },
            {
              "name": "RHSA-2019:2939",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2939"
            },
            {
              "name": "RHSA-2019:2955",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2955"
            },
            {
              "name": "RHSA-2019:2966",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2966"
            },
            {
              "url": "https://support.f5.com/csp/article/K01988340?utm_source=f5support\u0026amp%3Butm_medium=RSS"
            },
            {
              "name": "RHSA-2019:3131",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3131"
            },
            {
              "name": "RHSA-2019:2769",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2769"
            },
            {
              "name": "RHSA-2019:3245",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3245"
            },
            {
              "name": "RHSA-2019:3265",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3265"
            },
            {
              "name": "RHSA-2019:3892",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3892"
            },
            {
              "name": "RHSA-2019:3906",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3906"
            },
            {
              "name": "RHSA-2019:4018",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4018"
            },
            {
              "name": "RHSA-2019:4019",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4019"
            },
            {
              "name": "RHSA-2019:4021",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4021"
            },
            {
              "name": "RHSA-2019:4020",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4020"
            },
            {
              "name": "RHSA-2019:4045",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4045"
            },
            {
              "name": "RHSA-2019:4042",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4042"
            },
            {
              "name": "RHSA-2019:4040",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4040"
            },
            {
              "name": "RHSA-2019:4041",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4041"
            },
            {
              "name": "RHSA-2019:4269",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4269"
            },
            {
              "name": "RHSA-2019:4273",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4273"
            },
            {
              "name": "RHSA-2019:4352",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4352"
            },
            {
              "name": "RHSA-2020:0406",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2020:0406"
            },
            {
              "name": "RHSA-2020:0727",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2020:0727"
            },
            {
              "name": "USN-4308-1",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://usn.ubuntu.com/4308-1/"
            },
            {
              "name": "DSA-4669",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.debian.org/security/2020/dsa-4669"
            },
            {
              "name": "[debian-lts-announce] 20201208 [SECURITY] [DLA 2485-1] golang-golang-x-net-dev security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00011.html"
            },
            {
              "name": "[oss-security] 20231018 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2023/10/18/8"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service",
          "x_generator": {
            "engine": "Vulnogram 0.0.7"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "assignerShortName": "certcc",
        "cveId": "CVE-2019-9514",
        "datePublished": "2019-08-13T00:00:00.000Z",
        "dateReserved": "2019-03-01T00:00:00.000Z",
        "dateUpdated": "2024-08-04T21:54:44.511Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-9513 (GCVE-0-2019-9513)

    Vulnerability from nvd – Published: 2019-08-13 20:50 – Updated: 2024-08-04 21:54
    VLAI
    Title
    Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service
    Summary
    Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    URL Tags
    https://kb.cert.org/vuls/id/605641/ third-party-advisoryx_refsource_CERT-VN
    https://usn.ubuntu.com/4099-1/ vendor-advisoryx_refsource_UBUNTU
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://seclists.org/bugtraq/2019/Aug/40 mailing-listx_refsource_BUGTRAQ
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://www.debian.org/security/2019/dsa-4505 vendor-advisoryx_refsource_DEBIAN
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://seclists.org/bugtraq/2019/Sep/1 mailing-listx_refsource_BUGTRAQ
    https://www.debian.org/security/2019/dsa-4511 vendor-advisoryx_refsource_DEBIAN
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://access.redhat.com/errata/RHSA-2019:2692 vendor-advisoryx_refsource_REDHAT
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    https://access.redhat.com/errata/RHSA-2019:2745 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2746 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2775 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2799 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2925 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2939 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2949 vendor-advisoryx_refsource_REDHAT
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    https://access.redhat.com/errata/RHSA-2019:2955 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2966 vendor-advisoryx_refsource_REDHAT
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    https://access.redhat.com/errata/RHSA-2019:3041 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:3933 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:3935 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:3932 vendor-advisoryx_refsource_REDHAT
    https://www.debian.org/security/2020/dsa-4669 vendor-advisoryx_refsource_DEBIAN
    https://www.oracle.com/security-alerts/cpuoct2020.html x_refsource_MISC
    https://github.com/Netflix/security-bulletins/blo… x_refsource_MISC
    https://www.synology.com/security/advisory/Synolo… x_refsource_CONFIRM
    https://support.f5.com/csp/article/K02591030 x_refsource_CONFIRM
    https://security.netapp.com/advisory/ntap-2019082… x_refsource_CONFIRM
    https://security.netapp.com/advisory/ntap-2019082… x_refsource_CONFIRM
    https://kc.mcafee.com/corporate/index?page=conten… x_refsource_CONFIRM
    https://support.f5.com/csp/article/K02591030?utm_… x_refsource_CONFIRM
    https://www.oracle.com/security-alerts/cpujan2021.html x_refsource_MISC
    Credits
    Thanks to Jonathan Looney of Netflix for reporting this vulnerability.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T21:54:44.842Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "VU#605641",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_CERT-VN",
                  "x_transferred"
                ],
                "url": "https://kb.cert.org/vuls/id/605641/"
              },
              {
                "name": "USN-4099-1",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
                  "x_transferred"
                ],
                "url": "https://usn.ubuntu.com/4099-1/"
              },
              {
                "name": "FEDORA-2019-befd924cfe",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/"
              },
              {
                "name": "20190822 [SECURITY] [DSA 4505-1] nginx security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
                  "x_transferred"
                ],
                "url": "https://seclists.org/bugtraq/2019/Aug/40"
              },
              {
                "name": "FEDORA-2019-81985a8858",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZLUYPYY3RX4ZJDWZRJIKSULYRJ4PXW7/"
              },
              {
                "name": "DSA-4505",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2019/dsa-4505"
              },
              {
                "name": "FEDORA-2019-5a6a7bc12c",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
              },
              {
                "name": "FEDORA-2019-6a2980de56",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
              },
              {
                "name": "FEDORA-2019-8a437d5c2f",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JUBYAF6ED3O4XCHQ5C2HYENJLXYXZC4M/"
              },
              {
                "name": "20190902 [SECURITY] [DSA 4511-1] nghttp2 security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
                  "x_transferred"
                ],
                "url": "https://seclists.org/bugtraq/2019/Sep/1"
              },
              {
                "name": "DSA-4511",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2019/dsa-4511"
              },
              {
                "name": "FEDORA-2019-7a0b45fdc4",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/POPAEC4FWL4UU4LDEGPY5NPALU24FFQD/"
              },
              {
                "name": "RHSA-2019:2692",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2692"
              },
              {
                "name": "openSUSE-SU-2019:2120",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html"
              },
              {
                "name": "openSUSE-SU-2019:2114",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
              },
              {
                "name": "openSUSE-SU-2019:2115",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
              },
              {
                "name": "RHSA-2019:2745",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2745"
              },
              {
                "name": "RHSA-2019:2746",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2746"
              },
              {
                "name": "RHSA-2019:2775",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2775"
              },
              {
                "name": "RHSA-2019:2799",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2799"
              },
              {
                "name": "RHSA-2019:2925",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2925"
              },
              {
                "name": "RHSA-2019:2939",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2939"
              },
              {
                "name": "RHSA-2019:2949",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2949"
              },
              {
                "name": "openSUSE-SU-2019:2232",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00003.html"
              },
              {
                "name": "openSUSE-SU-2019:2234",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00005.html"
              },
              {
                "name": "RHSA-2019:2955",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2955"
              },
              {
                "name": "RHSA-2019:2966",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2966"
              },
              {
                "name": "openSUSE-SU-2019:2264",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00014.html"
              },
              {
                "name": "RHSA-2019:3041",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3041"
              },
              {
                "name": "RHSA-2019:3933",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3933"
              },
              {
                "name": "RHSA-2019:3935",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3935"
              },
              {
                "name": "RHSA-2019:3932",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3932"
              },
              {
                "name": "DSA-4669",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2020/dsa-4669"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.f5.com/csp/article/K02591030"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20190823-0002/"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.f5.com/csp/article/K02591030?utm_source=f5support\u0026amp%3Butm_medium=RSS"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Thanks to Jonathan Looney of Netflix for reporting this vulnerability."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-01-20T14:42:02.000Z",
            "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
            "shortName": "certcc"
          },
          "references": [
            {
              "name": "VU#605641",
              "tags": [
                "third-party-advisory",
                "x_refsource_CERT-VN"
              ],
              "url": "https://kb.cert.org/vuls/id/605641/"
            },
            {
              "name": "USN-4099-1",
              "tags": [
                "vendor-advisory",
                "x_refsource_UBUNTU"
              ],
              "url": "https://usn.ubuntu.com/4099-1/"
            },
            {
              "name": "FEDORA-2019-befd924cfe",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/"
            },
            {
              "name": "20190822 [SECURITY] [DSA 4505-1] nginx security update",
              "tags": [
                "mailing-list",
                "x_refsource_BUGTRAQ"
              ],
              "url": "https://seclists.org/bugtraq/2019/Aug/40"
            },
            {
              "name": "FEDORA-2019-81985a8858",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZLUYPYY3RX4ZJDWZRJIKSULYRJ4PXW7/"
            },
            {
              "name": "DSA-4505",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2019/dsa-4505"
            },
            {
              "name": "FEDORA-2019-5a6a7bc12c",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
            },
            {
              "name": "FEDORA-2019-6a2980de56",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
            },
            {
              "name": "FEDORA-2019-8a437d5c2f",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JUBYAF6ED3O4XCHQ5C2HYENJLXYXZC4M/"
            },
            {
              "name": "20190902 [SECURITY] [DSA 4511-1] nghttp2 security update",
              "tags": [
                "mailing-list",
                "x_refsource_BUGTRAQ"
              ],
              "url": "https://seclists.org/bugtraq/2019/Sep/1"
            },
            {
              "name": "DSA-4511",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2019/dsa-4511"
            },
            {
              "name": "FEDORA-2019-7a0b45fdc4",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/POPAEC4FWL4UU4LDEGPY5NPALU24FFQD/"
            },
            {
              "name": "RHSA-2019:2692",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2692"
            },
            {
              "name": "openSUSE-SU-2019:2120",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html"
            },
            {
              "name": "openSUSE-SU-2019:2114",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
            },
            {
              "name": "openSUSE-SU-2019:2115",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
            },
            {
              "name": "RHSA-2019:2745",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2745"
            },
            {
              "name": "RHSA-2019:2746",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2746"
            },
            {
              "name": "RHSA-2019:2775",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2775"
            },
            {
              "name": "RHSA-2019:2799",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2799"
            },
            {
              "name": "RHSA-2019:2925",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2925"
            },
            {
              "name": "RHSA-2019:2939",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2939"
            },
            {
              "name": "RHSA-2019:2949",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2949"
            },
            {
              "name": "openSUSE-SU-2019:2232",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00003.html"
            },
            {
              "name": "openSUSE-SU-2019:2234",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00005.html"
            },
            {
              "name": "RHSA-2019:2955",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2955"
            },
            {
              "name": "RHSA-2019:2966",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2966"
            },
            {
              "name": "openSUSE-SU-2019:2264",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00014.html"
            },
            {
              "name": "RHSA-2019:3041",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3041"
            },
            {
              "name": "RHSA-2019:3933",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3933"
            },
            {
              "name": "RHSA-2019:3935",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3935"
            },
            {
              "name": "RHSA-2019:3932",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3932"
            },
            {
              "name": "DSA-4669",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2020/dsa-4669"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.f5.com/csp/article/K02591030"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20190823-0002/"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.f5.com/csp/article/K02591030?utm_source=f5support\u0026amp%3Butm_medium=RSS"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service",
          "x_generator": {
            "engine": "Vulnogram 0.0.7"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "AKA": "HTTP/2 Resource Loop",
              "ASSIGNER": "cert@cert.org",
              "ID": "CVE-2019-9513",
              "STATE": "PUBLIC",
              "TITLE": "Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Thanks to Jonathan Looney of Netflix for reporting this vulnerability."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.7"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-400 Uncontrolled Resource Consumption"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "VU#605641",
                  "refsource": "CERT-VN",
                  "url": "https://kb.cert.org/vuls/id/605641/"
                },
                {
                  "name": "USN-4099-1",
                  "refsource": "UBUNTU",
                  "url": "https://usn.ubuntu.com/4099-1/"
                },
                {
                  "name": "FEDORA-2019-befd924cfe",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/"
                },
                {
                  "name": "20190822 [SECURITY] [DSA 4505-1] nginx security update",
                  "refsource": "BUGTRAQ",
                  "url": "https://seclists.org/bugtraq/2019/Aug/40"
                },
                {
                  "name": "FEDORA-2019-81985a8858",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LZLUYPYY3RX4ZJDWZRJIKSULYRJ4PXW7/"
                },
                {
                  "name": "DSA-4505",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2019/dsa-4505"
                },
                {
                  "name": "FEDORA-2019-5a6a7bc12c",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
                },
                {
                  "name": "FEDORA-2019-6a2980de56",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
                },
                {
                  "name": "FEDORA-2019-8a437d5c2f",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JUBYAF6ED3O4XCHQ5C2HYENJLXYXZC4M/"
                },
                {
                  "name": "20190902 [SECURITY] [DSA 4511-1] nghttp2 security update",
                  "refsource": "BUGTRAQ",
                  "url": "https://seclists.org/bugtraq/2019/Sep/1"
                },
                {
                  "name": "DSA-4511",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2019/dsa-4511"
                },
                {
                  "name": "FEDORA-2019-7a0b45fdc4",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/POPAEC4FWL4UU4LDEGPY5NPALU24FFQD/"
                },
                {
                  "name": "RHSA-2019:2692",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2692"
                },
                {
                  "name": "openSUSE-SU-2019:2120",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html"
                },
                {
                  "name": "openSUSE-SU-2019:2114",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
                },
                {
                  "name": "openSUSE-SU-2019:2115",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
                },
                {
                  "name": "RHSA-2019:2745",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2745"
                },
                {
                  "name": "RHSA-2019:2746",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2746"
                },
                {
                  "name": "RHSA-2019:2775",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2775"
                },
                {
                  "name": "RHSA-2019:2799",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2799"
                },
                {
                  "name": "RHSA-2019:2925",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2925"
                },
                {
                  "name": "RHSA-2019:2939",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2939"
                },
                {
                  "name": "RHSA-2019:2949",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2949"
                },
                {
                  "name": "openSUSE-SU-2019:2232",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00003.html"
                },
                {
                  "name": "openSUSE-SU-2019:2234",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00005.html"
                },
                {
                  "name": "RHSA-2019:2955",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2955"
                },
                {
                  "name": "RHSA-2019:2966",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2966"
                },
                {
                  "name": "openSUSE-SU-2019:2264",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00014.html"
                },
                {
                  "name": "RHSA-2019:3041",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3041"
                },
                {
                  "name": "RHSA-2019:3933",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3933"
                },
                {
                  "name": "RHSA-2019:3935",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3935"
                },
                {
                  "name": "RHSA-2019:3932",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3932"
                },
                {
                  "name": "DSA-4669",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2020/dsa-4669"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuoct2020.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
                },
                {
                  "name": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md",
                  "refsource": "MISC",
                  "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
                },
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_19_33",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
                },
                {
                  "name": "https://support.f5.com/csp/article/K02591030",
                  "refsource": "CONFIRM",
                  "url": "https://support.f5.com/csp/article/K02591030"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20190823-0002/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20190823-0002/"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20190823-0005/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
                },
                {
                  "name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296",
                  "refsource": "CONFIRM",
                  "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
                },
                {
                  "name": "https://support.f5.com/csp/article/K02591030?utm_source=f5support\u0026amp;utm_medium=RSS",
                  "refsource": "CONFIRM",
                  "url": "https://support.f5.com/csp/article/K02591030?utm_source=f5support\u0026amp;utm_medium=RSS"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujan2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "assignerShortName": "certcc",
        "cveId": "CVE-2019-9513",
        "datePublished": "2019-08-13T20:50:59.000Z",
        "dateReserved": "2019-03-01T00:00:00.000Z",
        "dateUpdated": "2024-08-04T21:54:44.842Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-9511 (GCVE-0-2019-9511)

    Vulnerability from nvd – Published: 2019-08-13 20:50 – Updated: 2024-08-04 21:54
    VLAI
    Title
    Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service
    Summary
    Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    URL Tags
    https://kb.cert.org/vuls/id/605641/ third-party-advisoryx_refsource_CERT-VN
    https://usn.ubuntu.com/4099-1/ vendor-advisoryx_refsource_UBUNTU
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://seclists.org/bugtraq/2019/Aug/40 mailing-listx_refsource_BUGTRAQ
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://www.debian.org/security/2019/dsa-4505 vendor-advisoryx_refsource_DEBIAN
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://seclists.org/bugtraq/2019/Sep/1 mailing-listx_refsource_BUGTRAQ
    https://www.debian.org/security/2019/dsa-4511 vendor-advisoryx_refsource_DEBIAN
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://access.redhat.com/errata/RHSA-2019:2692 vendor-advisoryx_refsource_REDHAT
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    https://access.redhat.com/errata/RHSA-2019:2745 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2746 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2775 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2799 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2925 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2939 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2949 vendor-advisoryx_refsource_REDHAT
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    https://access.redhat.com/errata/RHSA-2019:2955 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2966 vendor-advisoryx_refsource_REDHAT
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    https://access.redhat.com/errata/RHSA-2019:3041 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:3933 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:3935 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:3932 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:4018 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:4019 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:4021 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:4020 vendor-advisoryx_refsource_REDHAT
    https://www.debian.org/security/2020/dsa-4669 vendor-advisoryx_refsource_DEBIAN
    https://www.oracle.com/technetwork/security-advis… x_refsource_MISC
    https://www.oracle.com/security-alerts/cpuoct2020.html x_refsource_MISC
    https://github.com/Netflix/security-bulletins/blo… x_refsource_MISC
    https://www.synology.com/security/advisory/Synolo… x_refsource_CONFIRM
    https://support.f5.com/csp/article/K02591030 x_refsource_CONFIRM
    https://security.netapp.com/advisory/ntap-2019082… x_refsource_CONFIRM
    https://security.netapp.com/advisory/ntap-2019082… x_refsource_CONFIRM
    https://kc.mcafee.com/corporate/index?page=conten… x_refsource_CONFIRM
    https://support.f5.com/csp/article/K02591030?utm_… x_refsource_CONFIRM
    https://www.oracle.com/security-alerts/cpujan2021.html x_refsource_MISC
    Credits
    Thanks to Jonathan Looney of Netflix for reporting this vulnerability.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T21:54:44.157Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "VU#605641",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_CERT-VN",
                  "x_transferred"
                ],
                "url": "https://kb.cert.org/vuls/id/605641/"
              },
              {
                "name": "USN-4099-1",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
                  "x_transferred"
                ],
                "url": "https://usn.ubuntu.com/4099-1/"
              },
              {
                "name": "FEDORA-2019-befd924cfe",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/"
              },
              {
                "name": "20190822 [SECURITY] [DSA 4505-1] nginx security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
                  "x_transferred"
                ],
                "url": "https://seclists.org/bugtraq/2019/Aug/40"
              },
              {
                "name": "FEDORA-2019-81985a8858",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZLUYPYY3RX4ZJDWZRJIKSULYRJ4PXW7/"
              },
              {
                "name": "DSA-4505",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2019/dsa-4505"
              },
              {
                "name": "FEDORA-2019-8a437d5c2f",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JUBYAF6ED3O4XCHQ5C2HYENJLXYXZC4M/"
              },
              {
                "name": "FEDORA-2019-4427fd65be",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/"
              },
              {
                "name": "FEDORA-2019-63ba15cc83",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/"
              },
              {
                "name": "20190902 [SECURITY] [DSA 4511-1] nghttp2 security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
                  "x_transferred"
                ],
                "url": "https://seclists.org/bugtraq/2019/Sep/1"
              },
              {
                "name": "DSA-4511",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2019/dsa-4511"
              },
              {
                "name": "FEDORA-2019-7a0b45fdc4",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/POPAEC4FWL4UU4LDEGPY5NPALU24FFQD/"
              },
              {
                "name": "RHSA-2019:2692",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2692"
              },
              {
                "name": "openSUSE-SU-2019:2120",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html"
              },
              {
                "name": "openSUSE-SU-2019:2114",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
              },
              {
                "name": "openSUSE-SU-2019:2115",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
              },
              {
                "name": "RHSA-2019:2745",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2745"
              },
              {
                "name": "RHSA-2019:2746",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2746"
              },
              {
                "name": "RHSA-2019:2775",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2775"
              },
              {
                "name": "RHSA-2019:2799",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2799"
              },
              {
                "name": "RHSA-2019:2925",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2925"
              },
              {
                "name": "RHSA-2019:2939",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2939"
              },
              {
                "name": "RHSA-2019:2949",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2949"
              },
              {
                "name": "openSUSE-SU-2019:2232",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00003.html"
              },
              {
                "name": "openSUSE-SU-2019:2234",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00005.html"
              },
              {
                "name": "RHSA-2019:2955",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2955"
              },
              {
                "name": "RHSA-2019:2966",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2966"
              },
              {
                "name": "openSUSE-SU-2019:2264",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00014.html"
              },
              {
                "name": "RHSA-2019:3041",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3041"
              },
              {
                "name": "RHSA-2019:3933",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3933"
              },
              {
                "name": "RHSA-2019:3935",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3935"
              },
              {
                "name": "RHSA-2019:3932",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3932"
              },
              {
                "name": "RHSA-2019:4018",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4018"
              },
              {
                "name": "RHSA-2019:4019",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4019"
              },
              {
                "name": "RHSA-2019:4021",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4021"
              },
              {
                "name": "RHSA-2019:4020",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4020"
              },
              {
                "name": "DSA-4669",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2020/dsa-4669"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.f5.com/csp/article/K02591030"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20190823-0002/"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.f5.com/csp/article/K02591030?utm_source=f5support\u0026amp%3Butm_medium=RSS"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Thanks to Jonathan Looney of Netflix for reporting this vulnerability."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-01-20T14:42:02.000Z",
            "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
            "shortName": "certcc"
          },
          "references": [
            {
              "name": "VU#605641",
              "tags": [
                "third-party-advisory",
                "x_refsource_CERT-VN"
              ],
              "url": "https://kb.cert.org/vuls/id/605641/"
            },
            {
              "name": "USN-4099-1",
              "tags": [
                "vendor-advisory",
                "x_refsource_UBUNTU"
              ],
              "url": "https://usn.ubuntu.com/4099-1/"
            },
            {
              "name": "FEDORA-2019-befd924cfe",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/"
            },
            {
              "name": "20190822 [SECURITY] [DSA 4505-1] nginx security update",
              "tags": [
                "mailing-list",
                "x_refsource_BUGTRAQ"
              ],
              "url": "https://seclists.org/bugtraq/2019/Aug/40"
            },
            {
              "name": "FEDORA-2019-81985a8858",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZLUYPYY3RX4ZJDWZRJIKSULYRJ4PXW7/"
            },
            {
              "name": "DSA-4505",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2019/dsa-4505"
            },
            {
              "name": "FEDORA-2019-8a437d5c2f",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JUBYAF6ED3O4XCHQ5C2HYENJLXYXZC4M/"
            },
            {
              "name": "FEDORA-2019-4427fd65be",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/"
            },
            {
              "name": "FEDORA-2019-63ba15cc83",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/"
            },
            {
              "name": "20190902 [SECURITY] [DSA 4511-1] nghttp2 security update",
              "tags": [
                "mailing-list",
                "x_refsource_BUGTRAQ"
              ],
              "url": "https://seclists.org/bugtraq/2019/Sep/1"
            },
            {
              "name": "DSA-4511",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2019/dsa-4511"
            },
            {
              "name": "FEDORA-2019-7a0b45fdc4",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/POPAEC4FWL4UU4LDEGPY5NPALU24FFQD/"
            },
            {
              "name": "RHSA-2019:2692",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2692"
            },
            {
              "name": "openSUSE-SU-2019:2120",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html"
            },
            {
              "name": "openSUSE-SU-2019:2114",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
            },
            {
              "name": "openSUSE-SU-2019:2115",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
            },
            {
              "name": "RHSA-2019:2745",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2745"
            },
            {
              "name": "RHSA-2019:2746",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2746"
            },
            {
              "name": "RHSA-2019:2775",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2775"
            },
            {
              "name": "RHSA-2019:2799",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2799"
            },
            {
              "name": "RHSA-2019:2925",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2925"
            },
            {
              "name": "RHSA-2019:2939",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2939"
            },
            {
              "name": "RHSA-2019:2949",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2949"
            },
            {
              "name": "openSUSE-SU-2019:2232",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00003.html"
            },
            {
              "name": "openSUSE-SU-2019:2234",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00005.html"
            },
            {
              "name": "RHSA-2019:2955",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2955"
            },
            {
              "name": "RHSA-2019:2966",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2966"
            },
            {
              "name": "openSUSE-SU-2019:2264",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00014.html"
            },
            {
              "name": "RHSA-2019:3041",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3041"
            },
            {
              "name": "RHSA-2019:3933",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3933"
            },
            {
              "name": "RHSA-2019:3935",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3935"
            },
            {
              "name": "RHSA-2019:3932",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3932"
            },
            {
              "name": "RHSA-2019:4018",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4018"
            },
            {
              "name": "RHSA-2019:4019",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4019"
            },
            {
              "name": "RHSA-2019:4021",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4021"
            },
            {
              "name": "RHSA-2019:4020",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4020"
            },
            {
              "name": "DSA-4669",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2020/dsa-4669"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.f5.com/csp/article/K02591030"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20190823-0002/"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.f5.com/csp/article/K02591030?utm_source=f5support\u0026amp%3Butm_medium=RSS"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service",
          "x_generator": {
            "engine": "Vulnogram 0.0.7"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "AKA": "HTTP/2 Data Dribble",
              "ASSIGNER": "cert@cert.org",
              "ID": "CVE-2019-9511",
              "STATE": "PUBLIC",
              "TITLE": "Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Thanks to Jonathan Looney of Netflix for reporting this vulnerability."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.7"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-400 Uncontrolled Resource Consumption"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "VU#605641",
                  "refsource": "CERT-VN",
                  "url": "https://kb.cert.org/vuls/id/605641/"
                },
                {
                  "name": "USN-4099-1",
                  "refsource": "UBUNTU",
                  "url": "https://usn.ubuntu.com/4099-1/"
                },
                {
                  "name": "FEDORA-2019-befd924cfe",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/"
                },
                {
                  "name": "20190822 [SECURITY] [DSA 4505-1] nginx security update",
                  "refsource": "BUGTRAQ",
                  "url": "https://seclists.org/bugtraq/2019/Aug/40"
                },
                {
                  "name": "FEDORA-2019-81985a8858",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LZLUYPYY3RX4ZJDWZRJIKSULYRJ4PXW7/"
                },
                {
                  "name": "DSA-4505",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2019/dsa-4505"
                },
                {
                  "name": "FEDORA-2019-8a437d5c2f",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JUBYAF6ED3O4XCHQ5C2HYENJLXYXZC4M/"
                },
                {
                  "name": "FEDORA-2019-4427fd65be",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/"
                },
                {
                  "name": "FEDORA-2019-63ba15cc83",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/"
                },
                {
                  "name": "20190902 [SECURITY] [DSA 4511-1] nghttp2 security update",
                  "refsource": "BUGTRAQ",
                  "url": "https://seclists.org/bugtraq/2019/Sep/1"
                },
                {
                  "name": "DSA-4511",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2019/dsa-4511"
                },
                {
                  "name": "FEDORA-2019-7a0b45fdc4",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/POPAEC4FWL4UU4LDEGPY5NPALU24FFQD/"
                },
                {
                  "name": "RHSA-2019:2692",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2692"
                },
                {
                  "name": "openSUSE-SU-2019:2120",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html"
                },
                {
                  "name": "openSUSE-SU-2019:2114",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
                },
                {
                  "name": "openSUSE-SU-2019:2115",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
                },
                {
                  "name": "RHSA-2019:2745",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2745"
                },
                {
                  "name": "RHSA-2019:2746",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2746"
                },
                {
                  "name": "RHSA-2019:2775",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2775"
                },
                {
                  "name": "RHSA-2019:2799",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2799"
                },
                {
                  "name": "RHSA-2019:2925",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2925"
                },
                {
                  "name": "RHSA-2019:2939",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2939"
                },
                {
                  "name": "RHSA-2019:2949",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2949"
                },
                {
                  "name": "openSUSE-SU-2019:2232",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00003.html"
                },
                {
                  "name": "openSUSE-SU-2019:2234",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00005.html"
                },
                {
                  "name": "RHSA-2019:2955",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2955"
                },
                {
                  "name": "RHSA-2019:2966",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2966"
                },
                {
                  "name": "openSUSE-SU-2019:2264",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00014.html"
                },
                {
                  "name": "RHSA-2019:3041",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3041"
                },
                {
                  "name": "RHSA-2019:3933",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3933"
                },
                {
                  "name": "RHSA-2019:3935",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3935"
                },
                {
                  "name": "RHSA-2019:3932",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3932"
                },
                {
                  "name": "RHSA-2019:4018",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:4018"
                },
                {
                  "name": "RHSA-2019:4019",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:4019"
                },
                {
                  "name": "RHSA-2019:4021",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:4021"
                },
                {
                  "name": "RHSA-2019:4020",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:4020"
                },
                {
                  "name": "DSA-4669",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2020/dsa-4669"
                },
                {
                  "name": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuoct2020.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
                },
                {
                  "name": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md",
                  "refsource": "MISC",
                  "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
                },
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_19_33",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
                },
                {
                  "name": "https://support.f5.com/csp/article/K02591030",
                  "refsource": "CONFIRM",
                  "url": "https://support.f5.com/csp/article/K02591030"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20190823-0002/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20190823-0002/"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20190823-0005/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
                },
                {
                  "name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296",
                  "refsource": "CONFIRM",
                  "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
                },
                {
                  "name": "https://support.f5.com/csp/article/K02591030?utm_source=f5support\u0026amp;utm_medium=RSS",
                  "refsource": "CONFIRM",
                  "url": "https://support.f5.com/csp/article/K02591030?utm_source=f5support\u0026amp;utm_medium=RSS"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujan2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "assignerShortName": "certcc",
        "cveId": "CVE-2019-9511",
        "datePublished": "2019-08-13T20:50:59.000Z",
        "dateReserved": "2019-03-01T00:00:00.000Z",
        "dateUpdated": "2024-08-04T21:54:44.157Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-26567 (GCVE-0-2021-26567)

    Vulnerability from cvelistv5 – Published: 2021-02-26 21:45 – Updated: 2024-09-16 19:56
    VLAI
    Summary
    Stack-based buffer overflow vulnerability in frontend/main.c in faad2 before 2.2.7.1 allow local attackers to execute arbitrary code via filename and pathname options.
    Severity
    No CVSS data available.
    CWE
    • CWE-121 - Stack-based Buffer Overflow
    Assigner
    References
    Impacted products
    Vendor Product Version
    github/knik0 faad2 Affected: unspecified , < 2.2.7.1 (custom)
    Create a notification for this product.
    Date Public
    2021-02-26 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:26:25.524Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/knik0/faad2/commit/720f7004d6c4aabee19aad16e7c456ed76a3ebfa"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "faad2",
              "vendor": "github/knik0",
              "versions": [
                {
                  "lessThan": "2.2.7.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-02-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Stack-based buffer overflow vulnerability in frontend/main.c in faad2 before 2.2.7.1 allow local attackers to execute arbitrary code via filename and pathname options."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-121",
                  "description": "CWE-121: Stack-based Buffer Overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-03-12T13:40:10.000Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/knik0/faad2/commit/720f7004d6c4aabee19aad16e7c456ed76a3ebfa"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@synology.com",
              "DATE_PUBLIC": "2021-02-26T00:00:00",
              "ID": "CVE-2021-26567",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "faad2",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_value": "2.2.7.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "github/knik0"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Stack-based buffer overflow vulnerability in frontend/main.c in faad2 before 2.2.7.1 allow local attackers to execute arbitrary code via filename and pathname options."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-121: Stack-based Buffer Overflow"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_20_26",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
                },
                {
                  "name": "https://github.com/knik0/faad2/commit/720f7004d6c4aabee19aad16e7c456ed76a3ebfa",
                  "refsource": "MISC",
                  "url": "https://github.com/knik0/faad2/commit/720f7004d6c4aabee19aad16e7c456ed76a3ebfa"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2021-26567",
        "datePublished": "2021-02-26T21:45:35.788Z",
        "dateReserved": "2021-02-02T00:00:00.000Z",
        "dateUpdated": "2024-09-16T19:56:15.211Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-26566 (GCVE-0-2021-26566)

    Vulnerability from cvelistv5 – Published: 2021-02-26 21:45 – Updated: 2024-09-17 03:23
    VLAI
    Summary
    Insertion of sensitive information into sent data vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary commands via inbound QuickConnect traffic.
    CWE
    • CWE-201 - Insertion of Sensitive Information Into Sent Data
    Assigner
    References
    Impacted products
    Vendor Product Version
    Synology Synology DiskStation Manager (DSM) Affected: unspecified , < 6.2.3-25426-3 (custom)
    Create a notification for this product.
    Date Public
    2021-02-26 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:26:25.445Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Synology DiskStation Manager (DSM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "6.2.3-25426-3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-02-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Insertion of sensitive information into sent data vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary commands via inbound QuickConnect traffic."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-201",
                  "description": "CWE-201: Insertion of Sensitive Information Into Sent Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-04-19T19:06:25.000Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@synology.com",
              "DATE_PUBLIC": "2021-02-26T00:00:00",
              "ID": "CVE-2021-26566",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Synology DiskStation Manager (DSM)",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_value": "6.2.3-25426-3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Synology"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Insertion of sensitive information into sent data vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary commands via inbound QuickConnect traffic."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "8.3",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-201: Insertion of Sensitive Information Into Sent Data"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_20_26",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
                },
                {
                  "name": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160",
                  "refsource": "MISC",
                  "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2021-26566",
        "datePublished": "2021-02-26T21:45:35.118Z",
        "dateReserved": "2021-02-02T00:00:00.000Z",
        "dateUpdated": "2024-09-17T03:23:15.693Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-26565 (GCVE-0-2021-26565)

    Vulnerability from cvelistv5 – Published: 2021-02-26 21:45 – Updated: 2024-09-17 01:27
    VLAI
    Summary
    Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to obtain sensitive information via an HTTP session.
    CWE
    • CWE-319 - Cleartext Transmission of Sensitive Information
    Assigner
    References
    Impacted products
    Vendor Product Version
    Synology Synology DiskStation Manager (DSM) Affected: unspecified , < 6.2.3-25426-3 (custom)
    Create a notification for this product.
    Date Public
    2021-02-26 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:26:25.468Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Synology DiskStation Manager (DSM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "6.2.3-25426-3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-02-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to obtain sensitive information via an HTTP session."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-319",
                  "description": "CWE-319: Cleartext Transmission of Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-04-19T19:06:24.000Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@synology.com",
              "DATE_PUBLIC": "2021-02-26T00:00:00",
              "ID": "CVE-2021-26565",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Synology DiskStation Manager (DSM)",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_value": "6.2.3-25426-3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Synology"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to obtain sensitive information via an HTTP session."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "8.3",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-319: Cleartext Transmission of Sensitive Information"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_20_26",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
                },
                {
                  "name": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160",
                  "refsource": "MISC",
                  "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2021-26565",
        "datePublished": "2021-02-26T21:45:34.345Z",
        "dateReserved": "2021-02-02T00:00:00.000Z",
        "dateUpdated": "2024-09-17T01:27:07.136Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-26564 (GCVE-0-2021-26564)

    Vulnerability from cvelistv5 – Published: 2021-02-26 21:45 – Updated: 2024-09-17 00:46
    VLAI
    Summary
    Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session.
    CWE
    • CWE-319 - Cleartext Transmission of Sensitive Information
    Assigner
    References
    Impacted products
    Vendor Product Version
    Synology Synology DiskStation Manager (DSM) Affected: unspecified , < 6.2.3-25426-3 (custom)
    Create a notification for this product.
    Date Public
    2021-02-26 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:26:25.479Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Synology DiskStation Manager (DSM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "6.2.3-25426-3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-02-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-319",
                  "description": "CWE-319: Cleartext Transmission of Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-05-12T12:50:50.000Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@synology.com",
              "DATE_PUBLIC": "2021-02-26T00:00:00",
              "ID": "CVE-2021-26564",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Synology DiskStation Manager (DSM)",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_value": "6.2.3-25426-3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Synology"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "8.3",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-319: Cleartext Transmission of Sensitive Information"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_20_26",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
                },
                {
                  "name": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160",
                  "refsource": "MISC",
                  "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2021-26564",
        "datePublished": "2021-02-26T21:45:33.663Z",
        "dateReserved": "2021-02-02T00:00:00.000Z",
        "dateUpdated": "2024-09-17T00:46:03.051Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-26563 (GCVE-0-2021-26563)

    Vulnerability from cvelistv5 – Published: 2021-02-26 21:45 – Updated: 2024-09-16 16:23
    VLAI
    Summary
    Incorrect authorization vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows local users to execute arbitrary code via unspecified vectors.
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Synology DiskStation Manager (DSM) Affected: unspecified , < 6.2.4-25553 (custom)
    Create a notification for this product.
    Date Public
    2021-06-17 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:26:25.477Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1158"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_21_03"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "DiskStation Manager (DSM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "6.2.4-25553",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-06-17T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Incorrect authorization vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows local users to execute arbitrary code via unspecified vectors."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-06-18T10:18:29.000Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1158"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_21_03"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@synology.com",
              "DATE_PUBLIC": "2021-06-17T07:07:06.548759",
              "ID": "CVE-2021-26563",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "DiskStation Manager (DSM)",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_value": "6.2.4-25553"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Synology"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Incorrect authorization vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows local users to execute arbitrary code via unspecified vectors."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "8.2",
                "vectorString": "AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-863: Incorrect Authorization"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1158",
                  "refsource": "MISC",
                  "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1158"
                },
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_21_03",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_21_03"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2021-26563",
        "datePublished": "2021-02-26T21:45:33.039Z",
        "dateReserved": "2021-02-02T00:00:00.000Z",
        "dateUpdated": "2024-09-16T16:23:45.140Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-26562 (GCVE-0-2021-26562)

    Vulnerability from cvelistv5 – Published: 2021-02-26 21:45 – Updated: 2024-09-17 04:08
    VLAI
    Summary
    Out-of-bounds write vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Synology Synology DiskStation Manager (DSM) Affected: unspecified , < 6.2.3-25426-3 (custom)
    Create a notification for this product.
    Date Public
    2021-02-26 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:26:25.470Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1159"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Synology DiskStation Manager (DSM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "6.2.3-25426-3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-02-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Out-of-bounds write vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-787",
                  "description": "CWE-787: Out-of-bounds Write",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-04-19T18:06:15.000Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1159"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@synology.com",
              "DATE_PUBLIC": "2021-02-26T00:00:00",
              "ID": "CVE-2021-26562",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Synology DiskStation Manager (DSM)",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_value": "6.2.3-25426-3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Synology"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Out-of-bounds write vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "9.0",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-787: Out-of-bounds Write"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_20_26",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
                },
                {
                  "name": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1159",
                  "refsource": "MISC",
                  "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1159"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2021-26562",
        "datePublished": "2021-02-26T21:45:31.818Z",
        "dateReserved": "2021-02-02T00:00:00.000Z",
        "dateUpdated": "2024-09-17T04:08:58.655Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-26561 (GCVE-0-2021-26561)

    Vulnerability from cvelistv5 – Published: 2021-02-26 21:45 – Updated: 2024-09-16 23:06
    VLAI
    Summary
    Stack-based buffer overflow vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header.
    CWE
    • CWE-121 - Stack-based Buffer Overflow
    Assigner
    References
    Impacted products
    Vendor Product Version
    Synology Synology DiskStation Manager (DSM) Affected: unspecified , < 6.2.3-25426-3 (custom)
    Create a notification for this product.
    Date Public
    2021-02-26 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:26:25.449Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1159"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Synology DiskStation Manager (DSM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "6.2.3-25426-3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-02-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Stack-based buffer overflow vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-121",
                  "description": "CWE-121: Stack-based Buffer Overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-04-19T18:06:13.000Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1159"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@synology.com",
              "DATE_PUBLIC": "2021-02-26T00:00:00",
              "ID": "CVE-2021-26561",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Synology DiskStation Manager (DSM)",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_value": "6.2.3-25426-3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Synology"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Stack-based buffer overflow vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "9.0",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-121: Stack-based Buffer Overflow"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_20_26",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
                },
                {
                  "name": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1159",
                  "refsource": "MISC",
                  "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1159"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2021-26561",
        "datePublished": "2021-02-26T21:45:31.206Z",
        "dateReserved": "2021-02-02T00:00:00.000Z",
        "dateUpdated": "2024-09-16T23:06:05.777Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-26560 (GCVE-0-2021-26560)

    Vulnerability from cvelistv5 – Published: 2021-02-26 21:45 – Updated: 2024-09-17 01:30
    VLAI
    Summary
    Cleartext transmission of sensitive information vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session.
    CWE
    • CWE-319 - Cleartext Transmission of Sensitive Information
    Assigner
    References
    Impacted products
    Vendor Product Version
    Synology Synology DiskStation Manager (DSM) Affected: unspecified , < 6.2.3-25426-3 (custom)
    Create a notification for this product.
    Date Public
    2021-02-26 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:26:25.473Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1159"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Synology DiskStation Manager (DSM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "6.2.3-25426-3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-02-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Cleartext transmission of sensitive information vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-319",
                  "description": "CWE-319: Cleartext Transmission of Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-05-12T12:50:50.000Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1159"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@synology.com",
              "DATE_PUBLIC": "2021-02-26T00:00:00",
              "ID": "CVE-2021-26560",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Synology DiskStation Manager (DSM)",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_value": "6.2.3-25426-3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Synology"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cleartext transmission of sensitive information vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "9.0",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-319: Cleartext Transmission of Sensitive Information"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_20_26",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
                },
                {
                  "name": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1159",
                  "refsource": "MISC",
                  "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1159"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2021-26560",
        "datePublished": "2021-02-26T21:45:30.498Z",
        "dateReserved": "2021-02-02T00:00:00.000Z",
        "dateUpdated": "2024-09-17T01:30:56.188Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-3156 (GCVE-0-2021-3156)

    Vulnerability from cvelistv5 – Published: 2021-01-26 00:00 – Updated: 2025-10-21 23:35
    VLAI CISA KEVIntel
    Summary
    Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.
    SSVC
    Exploitation: active Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://lists.debian.org/debian-lts-announce/2021… mailing-list
    http://seclists.org/fulldisclosure/2021/Jan/79 mailing-list
    http://www.openwall.com/lists/oss-security/2021/01/26/3 mailing-list
    https://security.gentoo.org/glsa/202101-33 vendor-advisory
    https://www.debian.org/security/2021/dsa-4839 vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    http://www.openwall.com/lists/oss-security/2021/01/27/1 mailing-list
    http://www.openwall.com/lists/oss-security/2021/01/27/2 mailing-list
    https://tools.cisco.com/security/center/content/C… vendor-advisory
    https://www.kb.cert.org/vuls/id/794544 third-party-advisory
    http://seclists.org/fulldisclosure/2021/Feb/42 mailing-list
    http://www.openwall.com/lists/oss-security/2021/02/15/1 mailing-list
    https://www.oracle.com//security-alerts/cpujul2021.html
    https://www.sudo.ws/stable.html#1.9.5p2
    https://www.openwall.com/lists/oss-security/2021/…
    http://packetstormsecurity.com/files/161160/Sudo-…
    https://security.netapp.com/advisory/ntap-2021012…
    https://security.netapp.com/advisory/ntap-2021012…
    http://packetstormsecurity.com/files/161230/Sudo-…
    http://packetstormsecurity.com/files/161270/Sudo-…
    http://packetstormsecurity.com/files/161293/Sudo-…
    https://support.apple.com/kb/HT212177
    https://kc.mcafee.com/corporate/index?page=conten…
    https://www.beyondtrust.com/blog/entry/security-a…
    https://www.synology.com/security/advisory/Synolo…
    http://www.openwall.com/lists/oss-security/2021/09/14/2 mailing-list
    https://www.oracle.com/security-alerts/cpuoct2021.html
    https://www.oracle.com/security-alerts/cpuapr2022.html
    http://www.openwall.com/lists/oss-security/2024/01/30/8 mailing-list
    http://www.openwall.com/lists/oss-security/2024/01/30/6 mailing-list
    http://packetstormsecurity.com/files/176932/glibc…
    http://seclists.org/fulldisclosure/2024/Feb/3 mailing-list
    https://www.vicarius.io/vsociety/posts/sudoedit-p…
    https://www.cisa.gov/known-exploited-vulnerabilit… government-resource
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T16:45:51.408Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "[debian-lts-announce] 20210126 [SECURITY] [DLA 2534-1] sudo security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00022.html"
              },
              {
                "name": "20210126 Baron Samedit: Heap-based buffer overflow in Sudo (CVE-2021-3156)",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://seclists.org/fulldisclosure/2021/Jan/79"
              },
              {
                "name": "[oss-security] 20210126 Baron Samedit: Heap-based buffer overflow in Sudo (CVE-2021-3156)",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2021/01/26/3"
              },
              {
                "name": "GLSA-202101-33",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202101-33"
              },
              {
                "name": "DSA-4839",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2021/dsa-4839"
              },
              {
                "name": "FEDORA-2021-2cb63d912a",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LHXK6ICO5AYLGFK2TAX5MZKUXTUKWOJY/"
              },
              {
                "name": "FEDORA-2021-8840cbdccd",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CALA5FTXIQBRRYUA2ZQNJXB6OQMAXEII/"
              },
              {
                "name": "[oss-security] 20210127 Re: Baron Samedit: Heap-based buffer overflow in Sudo (CVE-2021-3156)",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2021/01/27/1"
              },
              {
                "name": "[oss-security] 20210127 Re: Baron Samedit: Heap-based buffer overflow in Sudo (CVE-2021-3156)",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2021/01/27/2"
              },
              {
                "name": "20210129 Sudo Privilege Escalation Vulnerability Affecting Cisco Products: January 2021",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sudo-privesc-jan2021-qnYQfcM"
              },
              {
                "name": "VU#794544",
                "tags": [
                  "third-party-advisory",
                  "x_transferred"
                ],
                "url": "https://www.kb.cert.org/vuls/id/794544"
              },
              {
                "name": "20210211 APPLE-SA-2021-02-09-1 macOS Big Sur 11.2.1, macOS Catalina 10.15.7 Supplemental Update, and macOS Mojave 10.14.6 Security Update 2021-002",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://seclists.org/fulldisclosure/2021/Feb/42"
              },
              {
                "name": "[oss-security] 20210215 Re: sudo: Ineffective NO_ROOT_MAILER and Baron Samedit",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2021/02/15/1"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.sudo.ws/stable.html#1.9.5p2"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.openwall.com/lists/oss-security/2021/01/26/3"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/161160/Sudo-Heap-Based-Buffer-Overflow.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20210128-0002/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20210128-0001/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/161230/Sudo-Buffer-Overflow-Privilege-Escalation.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/161270/Sudo-1.9.5p1-Buffer-Overflow-Privilege-Escalation.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/161293/Sudo-1.8.31p2-1.9.5p1-Buffer-Overflow.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://support.apple.com/kb/HT212177"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10348"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.beyondtrust.com/blog/entry/security-advisory-privilege-management-for-unix-linux-pmul-basic-and-privilege-management-for-mac-pmm-affected-by-sudo-vulnerability"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_21_02"
              },
              {
                "name": "[oss-security] 20210914 Re: Oracle Solaris membership in the distros list",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2021/09/14/2"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
              },
              {
                "name": "[oss-security] 20240130 Re: CVE-2023-6246: Heap-based buffer overflow in the glibc\u0027s syslog()",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2024/01/30/8"
              },
              {
                "name": "[oss-security] 20240130 CVE-2023-6246: Heap-based buffer overflow in the glibc\u0027s syslog()",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2024/01/30/6"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Overflow.html"
              },
              {
                "name": "20240204 CVE-2023-6246: Heap-based buffer overflow in the glibc\u0027s syslog()",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://seclists.org/fulldisclosure/2024/Feb/3"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "LOCAL",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-3156",
                    "options": [
                      {
                        "Exploitation": "active"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-03T15:43:52.658146Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              },
              {
                "other": {
                  "content": {
                    "dateAdded": "2022-04-06",
                    "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-3156"
                  },
                  "type": "kev"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-193",
                    "description": "CWE-193 Off-by-one Error",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-21T23:35:29.600Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "government-resource"
                ],
                "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-3156"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2022-04-06T00:00:00.000Z",
                "value": "CVE-2021-3156 added to CISA KEV"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via \"sudoedit -s\" and a command-line argument that ends with a single backslash character."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-18T16:41:27.031Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "name": "[debian-lts-announce] 20210126 [SECURITY] [DLA 2534-1] sudo security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00022.html"
            },
            {
              "name": "20210126 Baron Samedit: Heap-based buffer overflow in Sudo (CVE-2021-3156)",
              "tags": [
                "mailing-list"
              ],
              "url": "http://seclists.org/fulldisclosure/2021/Jan/79"
            },
            {
              "name": "[oss-security] 20210126 Baron Samedit: Heap-based buffer overflow in Sudo (CVE-2021-3156)",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2021/01/26/3"
            },
            {
              "name": "GLSA-202101-33",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202101-33"
            },
            {
              "name": "DSA-4839",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.debian.org/security/2021/dsa-4839"
            },
            {
              "name": "FEDORA-2021-2cb63d912a",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LHXK6ICO5AYLGFK2TAX5MZKUXTUKWOJY/"
            },
            {
              "name": "FEDORA-2021-8840cbdccd",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CALA5FTXIQBRRYUA2ZQNJXB6OQMAXEII/"
            },
            {
              "name": "[oss-security] 20210127 Re: Baron Samedit: Heap-based buffer overflow in Sudo (CVE-2021-3156)",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2021/01/27/1"
            },
            {
              "name": "[oss-security] 20210127 Re: Baron Samedit: Heap-based buffer overflow in Sudo (CVE-2021-3156)",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2021/01/27/2"
            },
            {
              "name": "20210129 Sudo Privilege Escalation Vulnerability Affecting Cisco Products: January 2021",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sudo-privesc-jan2021-qnYQfcM"
            },
            {
              "name": "VU#794544",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.kb.cert.org/vuls/id/794544"
            },
            {
              "name": "20210211 APPLE-SA-2021-02-09-1 macOS Big Sur 11.2.1, macOS Catalina 10.15.7 Supplemental Update, and macOS Mojave 10.14.6 Security Update 2021-002",
              "tags": [
                "mailing-list"
              ],
              "url": "http://seclists.org/fulldisclosure/2021/Feb/42"
            },
            {
              "name": "[oss-security] 20210215 Re: sudo: Ineffective NO_ROOT_MAILER and Baron Samedit",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2021/02/15/1"
            },
            {
              "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
            },
            {
              "url": "https://www.sudo.ws/stable.html#1.9.5p2"
            },
            {
              "url": "https://www.openwall.com/lists/oss-security/2021/01/26/3"
            },
            {
              "url": "http://packetstormsecurity.com/files/161160/Sudo-Heap-Based-Buffer-Overflow.html"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20210128-0002/"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20210128-0001/"
            },
            {
              "url": "http://packetstormsecurity.com/files/161230/Sudo-Buffer-Overflow-Privilege-Escalation.html"
            },
            {
              "url": "http://packetstormsecurity.com/files/161270/Sudo-1.9.5p1-Buffer-Overflow-Privilege-Escalation.html"
            },
            {
              "url": "http://packetstormsecurity.com/files/161293/Sudo-1.8.31p2-1.9.5p1-Buffer-Overflow.html"
            },
            {
              "url": "https://support.apple.com/kb/HT212177"
            },
            {
              "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10348"
            },
            {
              "url": "https://www.beyondtrust.com/blog/entry/security-advisory-privilege-management-for-unix-linux-pmul-basic-and-privilege-management-for-mac-pmm-affected-by-sudo-vulnerability"
            },
            {
              "url": "https://www.synology.com/security/advisory/Synology_SA_21_02"
            },
            {
              "name": "[oss-security] 20210914 Re: Oracle Solaris membership in the distros list",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2021/09/14/2"
            },
            {
              "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
            },
            {
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "name": "[oss-security] 20240130 Re: CVE-2023-6246: Heap-based buffer overflow in the glibc\u0027s syslog()",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2024/01/30/8"
            },
            {
              "name": "[oss-security] 20240130 CVE-2023-6246: Heap-based buffer overflow in the glibc\u0027s syslog()",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2024/01/30/6"
            },
            {
              "url": "http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Overflow.html"
            },
            {
              "name": "20240204 CVE-2023-6246: Heap-based buffer overflow in the glibc\u0027s syslog()",
              "tags": [
                "mailing-list"
              ],
              "url": "http://seclists.org/fulldisclosure/2024/Feb/3"
            },
            {
              "url": "https://www.vicarius.io/vsociety/posts/sudoedit-pwned-cve-2021-3156"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2021-3156",
        "datePublished": "2021-01-26T00:00:00.000Z",
        "dateReserved": "2021-01-15T00:00:00.000Z",
        "dateUpdated": "2025-10-21T23:35:29.600Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-9518 (GCVE-0-2019-9518)

    Vulnerability from cvelistv5 – Published: 2019-08-13 20:50 – Updated: 2024-08-04 21:54
    VLAI
    Title
    Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service
    Summary
    Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU.
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    URL Tags
    https://kb.cert.org/vuls/id/605641/ third-party-advisoryx_refsource_CERT-VN
    https://github.com/Netflix/security-bulletins/blo… x_refsource_MISC
    https://seclists.org/bugtraq/2019/Aug/24 mailing-listx_refsource_BUGTRAQ
    http://seclists.org/fulldisclosure/2019/Aug/16 mailing-listx_refsource_FULLDISC
    https://www.synology.com/security/advisory/Synolo… x_refsource_CONFIRM
    https://support.f5.com/csp/article/K46011592 x_refsource_CONFIRM
    https://lists.apache.org/thread.html/2653c5654557… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/091b518265bc… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/ff5b0821a698… mailing-listx_refsource_MLIST
    https://security.netapp.com/advisory/ntap-2019082… x_refsource_CONFIRM
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://www.debian.org/security/2019/dsa-4520 vendor-advisoryx_refsource_DEBIAN
    https://seclists.org/bugtraq/2019/Sep/18 mailing-listx_refsource_BUGTRAQ
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    https://kc.mcafee.com/corporate/index?page=conten… x_refsource_CONFIRM
    https://access.redhat.com/errata/RHSA-2019:2925 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2939 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2955 vendor-advisoryx_refsource_REDHAT
    https://support.f5.com/csp/article/K46011592?utm_… x_refsource_CONFIRM
    https://access.redhat.com/errata/RHSA-2019:3892 vendor-advisoryx_refsource_REDHAT
    https://lists.apache.org/thread.html/9317fd092b25… mailing-listx_refsource_MLIST
    https://access.redhat.com/errata/RHSA-2019:4352 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2020:0727 vendor-advisoryx_refsource_REDHAT
    https://lists.apache.org/thread.html/r99a625fb170… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/rd31230d01fa… mailing-listx_refsource_MLIST
    Credits
    Thanks to Piotr Sikora of Google for reporting this vulnerability.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T21:54:44.510Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "VU#605641",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_CERT-VN",
                  "x_transferred"
                ],
                "url": "https://kb.cert.org/vuls/id/605641/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
              },
              {
                "name": "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
                "tags": [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
                  "x_transferred"
                ],
                "url": "https://seclists.org/bugtraq/2019/Aug/24"
              },
              {
                "name": "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
                "tags": [
                  "mailing-list",
                  "x_refsource_FULLDISC",
                  "x_transferred"
                ],
                "url": "http://seclists.org/fulldisclosure/2019/Aug/16"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.f5.com/csp/article/K46011592"
              },
              {
                "name": "[trafficserver-announce] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/2653c56545573b528f3f6352a29eccaf498bd6fb2a6a59568d81a61d%40%3Cannounce.trafficserver.apache.org%3E"
              },
              {
                "name": "[trafficserver-users] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/091b518265bce56a16af87b77c8cfacda902a02079e866f9fdf13b61%40%3Cusers.trafficserver.apache.org%3E"
              },
              {
                "name": "[trafficserver-dev] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/ff5b0821a6985159a832ff6d1a4bd311ac07ecc7db1e2d8bab619107%40%3Cdev.trafficserver.apache.org%3E"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
              },
              {
                "name": "FEDORA-2019-5a6a7bc12c",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
              },
              {
                "name": "FEDORA-2019-6a2980de56",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
              },
              {
                "name": "DSA-4520",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2019/dsa-4520"
              },
              {
                "name": "20190910 [SECURITY] [DSA 4520-1] trafficserver security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
                  "x_transferred"
                ],
                "url": "https://seclists.org/bugtraq/2019/Sep/18"
              },
              {
                "name": "openSUSE-SU-2019:2114",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
              },
              {
                "name": "openSUSE-SU-2019:2115",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
              },
              {
                "name": "RHSA-2019:2925",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2925"
              },
              {
                "name": "RHSA-2019:2939",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2939"
              },
              {
                "name": "RHSA-2019:2955",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2955"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.f5.com/csp/article/K46011592?utm_source=f5support\u0026amp%3Butm_medium=RSS"
              },
              {
                "name": "RHSA-2019:3892",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3892"
              },
              {
                "name": "[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E"
              },
              {
                "name": "RHSA-2019:4352",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4352"
              },
              {
                "name": "RHSA-2020:0727",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2020:0727"
              },
              {
                "name": "[cassandra-commits] 20210526 [jira] [Created] (CASSANDRA-16698) Security vulnerability CVE-2019-9518 for Netty",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r99a625fb17032646d96cd23dec49603ff630e9318e44a686d63046bc%40%3Ccommits.cassandra.apache.org%3E"
              },
              {
                "name": "[cassandra-commits] 20210526 [jira] [Updated] (CASSANDRA-16698) Security vulnerability CVE-2019-9518 for Netty",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rd31230d01fa6aad18bdadc0720acd1747e53690bd35f73a48e7a9b75%40%3Ccommits.cassandra.apache.org%3E"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Thanks to Piotr Sikora of Google for reporting this vulnerability."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-05-26T16:06:12.000Z",
            "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
            "shortName": "certcc"
          },
          "references": [
            {
              "name": "VU#605641",
              "tags": [
                "third-party-advisory",
                "x_refsource_CERT-VN"
              ],
              "url": "https://kb.cert.org/vuls/id/605641/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
            },
            {
              "name": "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
              "tags": [
                "mailing-list",
                "x_refsource_BUGTRAQ"
              ],
              "url": "https://seclists.org/bugtraq/2019/Aug/24"
            },
            {
              "name": "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
              "tags": [
                "mailing-list",
                "x_refsource_FULLDISC"
              ],
              "url": "http://seclists.org/fulldisclosure/2019/Aug/16"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.f5.com/csp/article/K46011592"
            },
            {
              "name": "[trafficserver-announce] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/2653c56545573b528f3f6352a29eccaf498bd6fb2a6a59568d81a61d%40%3Cannounce.trafficserver.apache.org%3E"
            },
            {
              "name": "[trafficserver-users] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/091b518265bce56a16af87b77c8cfacda902a02079e866f9fdf13b61%40%3Cusers.trafficserver.apache.org%3E"
            },
            {
              "name": "[trafficserver-dev] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/ff5b0821a6985159a832ff6d1a4bd311ac07ecc7db1e2d8bab619107%40%3Cdev.trafficserver.apache.org%3E"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
            },
            {
              "name": "FEDORA-2019-5a6a7bc12c",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
            },
            {
              "name": "FEDORA-2019-6a2980de56",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
            },
            {
              "name": "DSA-4520",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2019/dsa-4520"
            },
            {
              "name": "20190910 [SECURITY] [DSA 4520-1] trafficserver security update",
              "tags": [
                "mailing-list",
                "x_refsource_BUGTRAQ"
              ],
              "url": "https://seclists.org/bugtraq/2019/Sep/18"
            },
            {
              "name": "openSUSE-SU-2019:2114",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
            },
            {
              "name": "openSUSE-SU-2019:2115",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
            },
            {
              "name": "RHSA-2019:2925",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2925"
            },
            {
              "name": "RHSA-2019:2939",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2939"
            },
            {
              "name": "RHSA-2019:2955",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2955"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.f5.com/csp/article/K46011592?utm_source=f5support\u0026amp%3Butm_medium=RSS"
            },
            {
              "name": "RHSA-2019:3892",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3892"
            },
            {
              "name": "[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E"
            },
            {
              "name": "RHSA-2019:4352",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4352"
            },
            {
              "name": "RHSA-2020:0727",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2020:0727"
            },
            {
              "name": "[cassandra-commits] 20210526 [jira] [Created] (CASSANDRA-16698) Security vulnerability CVE-2019-9518 for Netty",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r99a625fb17032646d96cd23dec49603ff630e9318e44a686d63046bc%40%3Ccommits.cassandra.apache.org%3E"
            },
            {
              "name": "[cassandra-commits] 20210526 [jira] [Updated] (CASSANDRA-16698) Security vulnerability CVE-2019-9518 for Netty",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rd31230d01fa6aad18bdadc0720acd1747e53690bd35f73a48e7a9b75%40%3Ccommits.cassandra.apache.org%3E"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service",
          "x_generator": {
            "engine": "Vulnogram 0.0.7"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "AKA": "HTTP/2 Empty Frame Flooding",
              "ASSIGNER": "cert@cert.org",
              "ID": "CVE-2019-9518",
              "STATE": "PUBLIC",
              "TITLE": "Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Thanks to Piotr Sikora of Google for reporting this vulnerability."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.7"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-400 Uncontrolled Resource Consumption"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "VU#605641",
                  "refsource": "CERT-VN",
                  "url": "https://kb.cert.org/vuls/id/605641/"
                },
                {
                  "name": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md",
                  "refsource": "MISC",
                  "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
                },
                {
                  "name": "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
                  "refsource": "BUGTRAQ",
                  "url": "https://seclists.org/bugtraq/2019/Aug/24"
                },
                {
                  "name": "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
                  "refsource": "FULLDISC",
                  "url": "http://seclists.org/fulldisclosure/2019/Aug/16"
                },
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_19_33",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
                },
                {
                  "name": "https://support.f5.com/csp/article/K46011592",
                  "refsource": "CONFIRM",
                  "url": "https://support.f5.com/csp/article/K46011592"
                },
                {
                  "name": "[trafficserver-announce] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/2653c56545573b528f3f6352a29eccaf498bd6fb2a6a59568d81a61d@%3Cannounce.trafficserver.apache.org%3E"
                },
                {
                  "name": "[trafficserver-users] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/091b518265bce56a16af87b77c8cfacda902a02079e866f9fdf13b61@%3Cusers.trafficserver.apache.org%3E"
                },
                {
                  "name": "[trafficserver-dev] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/ff5b0821a6985159a832ff6d1a4bd311ac07ecc7db1e2d8bab619107@%3Cdev.trafficserver.apache.org%3E"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20190823-0005/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
                },
                {
                  "name": "FEDORA-2019-5a6a7bc12c",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
                },
                {
                  "name": "FEDORA-2019-6a2980de56",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
                },
                {
                  "name": "DSA-4520",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2019/dsa-4520"
                },
                {
                  "name": "20190910 [SECURITY] [DSA 4520-1] trafficserver security update",
                  "refsource": "BUGTRAQ",
                  "url": "https://seclists.org/bugtraq/2019/Sep/18"
                },
                {
                  "name": "openSUSE-SU-2019:2114",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
                },
                {
                  "name": "openSUSE-SU-2019:2115",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
                },
                {
                  "name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296",
                  "refsource": "CONFIRM",
                  "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
                },
                {
                  "name": "RHSA-2019:2925",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2925"
                },
                {
                  "name": "RHSA-2019:2939",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2939"
                },
                {
                  "name": "RHSA-2019:2955",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2955"
                },
                {
                  "name": "https://support.f5.com/csp/article/K46011592?utm_source=f5support\u0026amp;utm_medium=RSS",
                  "refsource": "CONFIRM",
                  "url": "https://support.f5.com/csp/article/K46011592?utm_source=f5support\u0026amp;utm_medium=RSS"
                },
                {
                  "name": "RHSA-2019:3892",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3892"
                },
                {
                  "name": "[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E"
                },
                {
                  "name": "RHSA-2019:4352",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:4352"
                },
                {
                  "name": "RHSA-2020:0727",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2020:0727"
                },
                {
                  "name": "[cassandra-commits] 20210526 [jira] [Created] (CASSANDRA-16698) Security vulnerability CVE-2019-9518 for Netty",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r99a625fb17032646d96cd23dec49603ff630e9318e44a686d63046bc@%3Ccommits.cassandra.apache.org%3E"
                },
                {
                  "name": "[cassandra-commits] 20210526 [jira] [Updated] (CASSANDRA-16698) Security vulnerability CVE-2019-9518 for Netty",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rd31230d01fa6aad18bdadc0720acd1747e53690bd35f73a48e7a9b75@%3Ccommits.cassandra.apache.org%3E"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "assignerShortName": "certcc",
        "cveId": "CVE-2019-9518",
        "datePublished": "2019-08-13T20:50:59.000Z",
        "dateReserved": "2019-03-01T00:00:00.000Z",
        "dateUpdated": "2024-08-04T21:54:44.510Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-9511 (GCVE-0-2019-9511)

    Vulnerability from cvelistv5 – Published: 2019-08-13 20:50 – Updated: 2024-08-04 21:54
    VLAI
    Title
    Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service
    Summary
    Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    URL Tags
    https://kb.cert.org/vuls/id/605641/ third-party-advisoryx_refsource_CERT-VN
    https://usn.ubuntu.com/4099-1/ vendor-advisoryx_refsource_UBUNTU
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://seclists.org/bugtraq/2019/Aug/40 mailing-listx_refsource_BUGTRAQ
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://www.debian.org/security/2019/dsa-4505 vendor-advisoryx_refsource_DEBIAN
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://seclists.org/bugtraq/2019/Sep/1 mailing-listx_refsource_BUGTRAQ
    https://www.debian.org/security/2019/dsa-4511 vendor-advisoryx_refsource_DEBIAN
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://access.redhat.com/errata/RHSA-2019:2692 vendor-advisoryx_refsource_REDHAT
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    https://access.redhat.com/errata/RHSA-2019:2745 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2746 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2775 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2799 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2925 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2939 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2949 vendor-advisoryx_refsource_REDHAT
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    https://access.redhat.com/errata/RHSA-2019:2955 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2966 vendor-advisoryx_refsource_REDHAT
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    https://access.redhat.com/errata/RHSA-2019:3041 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:3933 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:3935 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:3932 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:4018 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:4019 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:4021 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:4020 vendor-advisoryx_refsource_REDHAT
    https://www.debian.org/security/2020/dsa-4669 vendor-advisoryx_refsource_DEBIAN
    https://www.oracle.com/technetwork/security-advis… x_refsource_MISC
    https://www.oracle.com/security-alerts/cpuoct2020.html x_refsource_MISC
    https://github.com/Netflix/security-bulletins/blo… x_refsource_MISC
    https://www.synology.com/security/advisory/Synolo… x_refsource_CONFIRM
    https://support.f5.com/csp/article/K02591030 x_refsource_CONFIRM
    https://security.netapp.com/advisory/ntap-2019082… x_refsource_CONFIRM
    https://security.netapp.com/advisory/ntap-2019082… x_refsource_CONFIRM
    https://kc.mcafee.com/corporate/index?page=conten… x_refsource_CONFIRM
    https://support.f5.com/csp/article/K02591030?utm_… x_refsource_CONFIRM
    https://www.oracle.com/security-alerts/cpujan2021.html x_refsource_MISC
    Credits
    Thanks to Jonathan Looney of Netflix for reporting this vulnerability.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T21:54:44.157Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "VU#605641",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_CERT-VN",
                  "x_transferred"
                ],
                "url": "https://kb.cert.org/vuls/id/605641/"
              },
              {
                "name": "USN-4099-1",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
                  "x_transferred"
                ],
                "url": "https://usn.ubuntu.com/4099-1/"
              },
              {
                "name": "FEDORA-2019-befd924cfe",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/"
              },
              {
                "name": "20190822 [SECURITY] [DSA 4505-1] nginx security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
                  "x_transferred"
                ],
                "url": "https://seclists.org/bugtraq/2019/Aug/40"
              },
              {
                "name": "FEDORA-2019-81985a8858",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZLUYPYY3RX4ZJDWZRJIKSULYRJ4PXW7/"
              },
              {
                "name": "DSA-4505",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2019/dsa-4505"
              },
              {
                "name": "FEDORA-2019-8a437d5c2f",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JUBYAF6ED3O4XCHQ5C2HYENJLXYXZC4M/"
              },
              {
                "name": "FEDORA-2019-4427fd65be",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/"
              },
              {
                "name": "FEDORA-2019-63ba15cc83",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/"
              },
              {
                "name": "20190902 [SECURITY] [DSA 4511-1] nghttp2 security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
                  "x_transferred"
                ],
                "url": "https://seclists.org/bugtraq/2019/Sep/1"
              },
              {
                "name": "DSA-4511",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2019/dsa-4511"
              },
              {
                "name": "FEDORA-2019-7a0b45fdc4",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/POPAEC4FWL4UU4LDEGPY5NPALU24FFQD/"
              },
              {
                "name": "RHSA-2019:2692",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2692"
              },
              {
                "name": "openSUSE-SU-2019:2120",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html"
              },
              {
                "name": "openSUSE-SU-2019:2114",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
              },
              {
                "name": "openSUSE-SU-2019:2115",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
              },
              {
                "name": "RHSA-2019:2745",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2745"
              },
              {
                "name": "RHSA-2019:2746",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2746"
              },
              {
                "name": "RHSA-2019:2775",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2775"
              },
              {
                "name": "RHSA-2019:2799",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2799"
              },
              {
                "name": "RHSA-2019:2925",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2925"
              },
              {
                "name": "RHSA-2019:2939",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2939"
              },
              {
                "name": "RHSA-2019:2949",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2949"
              },
              {
                "name": "openSUSE-SU-2019:2232",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00003.html"
              },
              {
                "name": "openSUSE-SU-2019:2234",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00005.html"
              },
              {
                "name": "RHSA-2019:2955",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2955"
              },
              {
                "name": "RHSA-2019:2966",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2966"
              },
              {
                "name": "openSUSE-SU-2019:2264",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00014.html"
              },
              {
                "name": "RHSA-2019:3041",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3041"
              },
              {
                "name": "RHSA-2019:3933",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3933"
              },
              {
                "name": "RHSA-2019:3935",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3935"
              },
              {
                "name": "RHSA-2019:3932",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3932"
              },
              {
                "name": "RHSA-2019:4018",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4018"
              },
              {
                "name": "RHSA-2019:4019",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4019"
              },
              {
                "name": "RHSA-2019:4021",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4021"
              },
              {
                "name": "RHSA-2019:4020",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4020"
              },
              {
                "name": "DSA-4669",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2020/dsa-4669"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.f5.com/csp/article/K02591030"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20190823-0002/"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.f5.com/csp/article/K02591030?utm_source=f5support\u0026amp%3Butm_medium=RSS"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Thanks to Jonathan Looney of Netflix for reporting this vulnerability."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-01-20T14:42:02.000Z",
            "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
            "shortName": "certcc"
          },
          "references": [
            {
              "name": "VU#605641",
              "tags": [
                "third-party-advisory",
                "x_refsource_CERT-VN"
              ],
              "url": "https://kb.cert.org/vuls/id/605641/"
            },
            {
              "name": "USN-4099-1",
              "tags": [
                "vendor-advisory",
                "x_refsource_UBUNTU"
              ],
              "url": "https://usn.ubuntu.com/4099-1/"
            },
            {
              "name": "FEDORA-2019-befd924cfe",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/"
            },
            {
              "name": "20190822 [SECURITY] [DSA 4505-1] nginx security update",
              "tags": [
                "mailing-list",
                "x_refsource_BUGTRAQ"
              ],
              "url": "https://seclists.org/bugtraq/2019/Aug/40"
            },
            {
              "name": "FEDORA-2019-81985a8858",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZLUYPYY3RX4ZJDWZRJIKSULYRJ4PXW7/"
            },
            {
              "name": "DSA-4505",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2019/dsa-4505"
            },
            {
              "name": "FEDORA-2019-8a437d5c2f",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JUBYAF6ED3O4XCHQ5C2HYENJLXYXZC4M/"
            },
            {
              "name": "FEDORA-2019-4427fd65be",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/"
            },
            {
              "name": "FEDORA-2019-63ba15cc83",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/"
            },
            {
              "name": "20190902 [SECURITY] [DSA 4511-1] nghttp2 security update",
              "tags": [
                "mailing-list",
                "x_refsource_BUGTRAQ"
              ],
              "url": "https://seclists.org/bugtraq/2019/Sep/1"
            },
            {
              "name": "DSA-4511",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2019/dsa-4511"
            },
            {
              "name": "FEDORA-2019-7a0b45fdc4",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/POPAEC4FWL4UU4LDEGPY5NPALU24FFQD/"
            },
            {
              "name": "RHSA-2019:2692",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2692"
            },
            {
              "name": "openSUSE-SU-2019:2120",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html"
            },
            {
              "name": "openSUSE-SU-2019:2114",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
            },
            {
              "name": "openSUSE-SU-2019:2115",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
            },
            {
              "name": "RHSA-2019:2745",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2745"
            },
            {
              "name": "RHSA-2019:2746",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2746"
            },
            {
              "name": "RHSA-2019:2775",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2775"
            },
            {
              "name": "RHSA-2019:2799",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2799"
            },
            {
              "name": "RHSA-2019:2925",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2925"
            },
            {
              "name": "RHSA-2019:2939",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2939"
            },
            {
              "name": "RHSA-2019:2949",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2949"
            },
            {
              "name": "openSUSE-SU-2019:2232",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00003.html"
            },
            {
              "name": "openSUSE-SU-2019:2234",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00005.html"
            },
            {
              "name": "RHSA-2019:2955",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2955"
            },
            {
              "name": "RHSA-2019:2966",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2966"
            },
            {
              "name": "openSUSE-SU-2019:2264",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00014.html"
            },
            {
              "name": "RHSA-2019:3041",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3041"
            },
            {
              "name": "RHSA-2019:3933",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3933"
            },
            {
              "name": "RHSA-2019:3935",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3935"
            },
            {
              "name": "RHSA-2019:3932",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3932"
            },
            {
              "name": "RHSA-2019:4018",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4018"
            },
            {
              "name": "RHSA-2019:4019",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4019"
            },
            {
              "name": "RHSA-2019:4021",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4021"
            },
            {
              "name": "RHSA-2019:4020",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4020"
            },
            {
              "name": "DSA-4669",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2020/dsa-4669"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.f5.com/csp/article/K02591030"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20190823-0002/"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.f5.com/csp/article/K02591030?utm_source=f5support\u0026amp%3Butm_medium=RSS"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service",
          "x_generator": {
            "engine": "Vulnogram 0.0.7"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "AKA": "HTTP/2 Data Dribble",
              "ASSIGNER": "cert@cert.org",
              "ID": "CVE-2019-9511",
              "STATE": "PUBLIC",
              "TITLE": "Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Thanks to Jonathan Looney of Netflix for reporting this vulnerability."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.7"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-400 Uncontrolled Resource Consumption"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "VU#605641",
                  "refsource": "CERT-VN",
                  "url": "https://kb.cert.org/vuls/id/605641/"
                },
                {
                  "name": "USN-4099-1",
                  "refsource": "UBUNTU",
                  "url": "https://usn.ubuntu.com/4099-1/"
                },
                {
                  "name": "FEDORA-2019-befd924cfe",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/"
                },
                {
                  "name": "20190822 [SECURITY] [DSA 4505-1] nginx security update",
                  "refsource": "BUGTRAQ",
                  "url": "https://seclists.org/bugtraq/2019/Aug/40"
                },
                {
                  "name": "FEDORA-2019-81985a8858",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LZLUYPYY3RX4ZJDWZRJIKSULYRJ4PXW7/"
                },
                {
                  "name": "DSA-4505",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2019/dsa-4505"
                },
                {
                  "name": "FEDORA-2019-8a437d5c2f",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JUBYAF6ED3O4XCHQ5C2HYENJLXYXZC4M/"
                },
                {
                  "name": "FEDORA-2019-4427fd65be",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/"
                },
                {
                  "name": "FEDORA-2019-63ba15cc83",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/"
                },
                {
                  "name": "20190902 [SECURITY] [DSA 4511-1] nghttp2 security update",
                  "refsource": "BUGTRAQ",
                  "url": "https://seclists.org/bugtraq/2019/Sep/1"
                },
                {
                  "name": "DSA-4511",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2019/dsa-4511"
                },
                {
                  "name": "FEDORA-2019-7a0b45fdc4",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/POPAEC4FWL4UU4LDEGPY5NPALU24FFQD/"
                },
                {
                  "name": "RHSA-2019:2692",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2692"
                },
                {
                  "name": "openSUSE-SU-2019:2120",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html"
                },
                {
                  "name": "openSUSE-SU-2019:2114",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
                },
                {
                  "name": "openSUSE-SU-2019:2115",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
                },
                {
                  "name": "RHSA-2019:2745",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2745"
                },
                {
                  "name": "RHSA-2019:2746",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2746"
                },
                {
                  "name": "RHSA-2019:2775",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2775"
                },
                {
                  "name": "RHSA-2019:2799",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2799"
                },
                {
                  "name": "RHSA-2019:2925",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2925"
                },
                {
                  "name": "RHSA-2019:2939",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2939"
                },
                {
                  "name": "RHSA-2019:2949",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2949"
                },
                {
                  "name": "openSUSE-SU-2019:2232",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00003.html"
                },
                {
                  "name": "openSUSE-SU-2019:2234",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00005.html"
                },
                {
                  "name": "RHSA-2019:2955",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2955"
                },
                {
                  "name": "RHSA-2019:2966",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2966"
                },
                {
                  "name": "openSUSE-SU-2019:2264",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00014.html"
                },
                {
                  "name": "RHSA-2019:3041",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3041"
                },
                {
                  "name": "RHSA-2019:3933",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3933"
                },
                {
                  "name": "RHSA-2019:3935",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3935"
                },
                {
                  "name": "RHSA-2019:3932",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3932"
                },
                {
                  "name": "RHSA-2019:4018",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:4018"
                },
                {
                  "name": "RHSA-2019:4019",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:4019"
                },
                {
                  "name": "RHSA-2019:4021",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:4021"
                },
                {
                  "name": "RHSA-2019:4020",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:4020"
                },
                {
                  "name": "DSA-4669",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2020/dsa-4669"
                },
                {
                  "name": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuoct2020.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
                },
                {
                  "name": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md",
                  "refsource": "MISC",
                  "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
                },
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_19_33",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
                },
                {
                  "name": "https://support.f5.com/csp/article/K02591030",
                  "refsource": "CONFIRM",
                  "url": "https://support.f5.com/csp/article/K02591030"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20190823-0002/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20190823-0002/"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20190823-0005/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
                },
                {
                  "name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296",
                  "refsource": "CONFIRM",
                  "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
                },
                {
                  "name": "https://support.f5.com/csp/article/K02591030?utm_source=f5support\u0026amp;utm_medium=RSS",
                  "refsource": "CONFIRM",
                  "url": "https://support.f5.com/csp/article/K02591030?utm_source=f5support\u0026amp;utm_medium=RSS"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujan2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "assignerShortName": "certcc",
        "cveId": "CVE-2019-9511",
        "datePublished": "2019-08-13T20:50:59.000Z",
        "dateReserved": "2019-03-01T00:00:00.000Z",
        "dateUpdated": "2024-08-04T21:54:44.157Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-9516 (GCVE-0-2019-9516)

    Vulnerability from cvelistv5 – Published: 2019-08-13 20:50 – Updated: 2024-08-04 21:54
    VLAI
    Title
    Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service
    Summary
    Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory.
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    URL Tags
    https://kb.cert.org/vuls/id/605641/ third-party-advisoryx_refsource_CERT-VN
    https://github.com/Netflix/security-bulletins/blo… x_refsource_MISC
    https://seclists.org/bugtraq/2019/Aug/24 mailing-listx_refsource_BUGTRAQ
    https://usn.ubuntu.com/4099-1/ vendor-advisoryx_refsource_UBUNTU
    http://seclists.org/fulldisclosure/2019/Aug/16 mailing-listx_refsource_FULLDISC
    https://www.synology.com/security/advisory/Synolo… x_refsource_CONFIRM
    https://support.f5.com/csp/article/K02591030 x_refsource_CONFIRM
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://seclists.org/bugtraq/2019/Aug/40 mailing-listx_refsource_BUGTRAQ
    https://www.debian.org/security/2019/dsa-4505 vendor-advisoryx_refsource_DEBIAN
    https://security.netapp.com/advisory/ntap-2019082… x_refsource_CONFIRM
    https://security.netapp.com/advisory/ntap-2019082… x_refsource_CONFIRM
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    https://kc.mcafee.com/corporate/index?page=conten… x_refsource_CONFIRM
    https://access.redhat.com/errata/RHSA-2019:2745 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2746 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2775 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2799 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2925 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2939 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2946 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2950 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2955 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2966 vendor-advisoryx_refsource_REDHAT
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    https://support.f5.com/csp/article/K02591030?utm_… x_refsource_CONFIRM
    https://access.redhat.com/errata/RHSA-2019:3933 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:3935 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:3932 vendor-advisoryx_refsource_REDHAT
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    Credits
    Thanks to Jonathan Looney of Netflix for reporting this vulnerability.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T21:54:44.285Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "VU#605641",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_CERT-VN",
                  "x_transferred"
                ],
                "url": "https://kb.cert.org/vuls/id/605641/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
              },
              {
                "name": "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
                "tags": [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
                  "x_transferred"
                ],
                "url": "https://seclists.org/bugtraq/2019/Aug/24"
              },
              {
                "name": "USN-4099-1",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
                  "x_transferred"
                ],
                "url": "https://usn.ubuntu.com/4099-1/"
              },
              {
                "name": "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
                "tags": [
                  "mailing-list",
                  "x_refsource_FULLDISC",
                  "x_transferred"
                ],
                "url": "http://seclists.org/fulldisclosure/2019/Aug/16"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.f5.com/csp/article/K02591030"
              },
              {
                "name": "FEDORA-2019-befd924cfe",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/"
              },
              {
                "name": "20190822 [SECURITY] [DSA 4505-1] nginx security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
                  "x_transferred"
                ],
                "url": "https://seclists.org/bugtraq/2019/Aug/40"
              },
              {
                "name": "DSA-4505",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2019/dsa-4505"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20190823-0002/"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
              },
              {
                "name": "FEDORA-2019-5a6a7bc12c",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
              },
              {
                "name": "FEDORA-2019-6a2980de56",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
              },
              {
                "name": "FEDORA-2019-4427fd65be",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/"
              },
              {
                "name": "FEDORA-2019-63ba15cc83",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/"
              },
              {
                "name": "FEDORA-2019-7a0b45fdc4",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/POPAEC4FWL4UU4LDEGPY5NPALU24FFQD/"
              },
              {
                "name": "openSUSE-SU-2019:2120",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html"
              },
              {
                "name": "openSUSE-SU-2019:2114",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
              },
              {
                "name": "openSUSE-SU-2019:2115",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
              },
              {
                "name": "RHSA-2019:2745",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2745"
              },
              {
                "name": "RHSA-2019:2746",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2746"
              },
              {
                "name": "RHSA-2019:2775",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2775"
              },
              {
                "name": "RHSA-2019:2799",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2799"
              },
              {
                "name": "RHSA-2019:2925",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2925"
              },
              {
                "name": "RHSA-2019:2939",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2939"
              },
              {
                "name": "RHSA-2019:2946",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2946"
              },
              {
                "name": "RHSA-2019:2950",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2950"
              },
              {
                "name": "RHSA-2019:2955",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2955"
              },
              {
                "name": "RHSA-2019:2966",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2966"
              },
              {
                "name": "openSUSE-SU-2019:2264",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00014.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.f5.com/csp/article/K02591030?utm_source=f5support\u0026amp%3Butm_medium=RSS"
              },
              {
                "name": "RHSA-2019:3933",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3933"
              },
              {
                "name": "RHSA-2019:3935",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3935"
              },
              {
                "name": "RHSA-2019:3932",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3932"
              },
              {
                "name": "FEDORA-2021-d5b2c18fe6",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Thanks to Jonathan Looney of Netflix for reporting this vulnerability."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-01-16T02:06:09.000Z",
            "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
            "shortName": "certcc"
          },
          "references": [
            {
              "name": "VU#605641",
              "tags": [
                "third-party-advisory",
                "x_refsource_CERT-VN"
              ],
              "url": "https://kb.cert.org/vuls/id/605641/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
            },
            {
              "name": "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
              "tags": [
                "mailing-list",
                "x_refsource_BUGTRAQ"
              ],
              "url": "https://seclists.org/bugtraq/2019/Aug/24"
            },
            {
              "name": "USN-4099-1",
              "tags": [
                "vendor-advisory",
                "x_refsource_UBUNTU"
              ],
              "url": "https://usn.ubuntu.com/4099-1/"
            },
            {
              "name": "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
              "tags": [
                "mailing-list",
                "x_refsource_FULLDISC"
              ],
              "url": "http://seclists.org/fulldisclosure/2019/Aug/16"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.f5.com/csp/article/K02591030"
            },
            {
              "name": "FEDORA-2019-befd924cfe",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/"
            },
            {
              "name": "20190822 [SECURITY] [DSA 4505-1] nginx security update",
              "tags": [
                "mailing-list",
                "x_refsource_BUGTRAQ"
              ],
              "url": "https://seclists.org/bugtraq/2019/Aug/40"
            },
            {
              "name": "DSA-4505",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2019/dsa-4505"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20190823-0002/"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
            },
            {
              "name": "FEDORA-2019-5a6a7bc12c",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
            },
            {
              "name": "FEDORA-2019-6a2980de56",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
            },
            {
              "name": "FEDORA-2019-4427fd65be",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/"
            },
            {
              "name": "FEDORA-2019-63ba15cc83",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/"
            },
            {
              "name": "FEDORA-2019-7a0b45fdc4",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/POPAEC4FWL4UU4LDEGPY5NPALU24FFQD/"
            },
            {
              "name": "openSUSE-SU-2019:2120",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html"
            },
            {
              "name": "openSUSE-SU-2019:2114",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
            },
            {
              "name": "openSUSE-SU-2019:2115",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
            },
            {
              "name": "RHSA-2019:2745",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2745"
            },
            {
              "name": "RHSA-2019:2746",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2746"
            },
            {
              "name": "RHSA-2019:2775",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2775"
            },
            {
              "name": "RHSA-2019:2799",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2799"
            },
            {
              "name": "RHSA-2019:2925",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2925"
            },
            {
              "name": "RHSA-2019:2939",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2939"
            },
            {
              "name": "RHSA-2019:2946",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2946"
            },
            {
              "name": "RHSA-2019:2950",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2950"
            },
            {
              "name": "RHSA-2019:2955",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2955"
            },
            {
              "name": "RHSA-2019:2966",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2966"
            },
            {
              "name": "openSUSE-SU-2019:2264",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00014.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.f5.com/csp/article/K02591030?utm_source=f5support\u0026amp%3Butm_medium=RSS"
            },
            {
              "name": "RHSA-2019:3933",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3933"
            },
            {
              "name": "RHSA-2019:3935",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3935"
            },
            {
              "name": "RHSA-2019:3932",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3932"
            },
            {
              "name": "FEDORA-2021-d5b2c18fe6",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service",
          "x_generator": {
            "engine": "Vulnogram 0.0.7"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "AKA": "HTTP/2 0-Length Headers Leak",
              "ASSIGNER": "cert@cert.org",
              "ID": "CVE-2019-9516",
              "STATE": "PUBLIC",
              "TITLE": "Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Thanks to Jonathan Looney of Netflix for reporting this vulnerability."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.7"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-400 Uncontrolled Resource Consumption"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "VU#605641",
                  "refsource": "CERT-VN",
                  "url": "https://kb.cert.org/vuls/id/605641/"
                },
                {
                  "name": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md",
                  "refsource": "MISC",
                  "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
                },
                {
                  "name": "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
                  "refsource": "BUGTRAQ",
                  "url": "https://seclists.org/bugtraq/2019/Aug/24"
                },
                {
                  "name": "USN-4099-1",
                  "refsource": "UBUNTU",
                  "url": "https://usn.ubuntu.com/4099-1/"
                },
                {
                  "name": "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
                  "refsource": "FULLDISC",
                  "url": "http://seclists.org/fulldisclosure/2019/Aug/16"
                },
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_19_33",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
                },
                {
                  "name": "https://support.f5.com/csp/article/K02591030",
                  "refsource": "CONFIRM",
                  "url": "https://support.f5.com/csp/article/K02591030"
                },
                {
                  "name": "FEDORA-2019-befd924cfe",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/"
                },
                {
                  "name": "20190822 [SECURITY] [DSA 4505-1] nginx security update",
                  "refsource": "BUGTRAQ",
                  "url": "https://seclists.org/bugtraq/2019/Aug/40"
                },
                {
                  "name": "DSA-4505",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2019/dsa-4505"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20190823-0002/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20190823-0002/"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20190823-0005/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
                },
                {
                  "name": "FEDORA-2019-5a6a7bc12c",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
                },
                {
                  "name": "FEDORA-2019-6a2980de56",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
                },
                {
                  "name": "FEDORA-2019-4427fd65be",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/"
                },
                {
                  "name": "FEDORA-2019-63ba15cc83",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/"
                },
                {
                  "name": "FEDORA-2019-7a0b45fdc4",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/POPAEC4FWL4UU4LDEGPY5NPALU24FFQD/"
                },
                {
                  "name": "openSUSE-SU-2019:2120",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html"
                },
                {
                  "name": "openSUSE-SU-2019:2114",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
                },
                {
                  "name": "openSUSE-SU-2019:2115",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
                },
                {
                  "name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296",
                  "refsource": "CONFIRM",
                  "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
                },
                {
                  "name": "RHSA-2019:2745",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2745"
                },
                {
                  "name": "RHSA-2019:2746",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2746"
                },
                {
                  "name": "RHSA-2019:2775",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2775"
                },
                {
                  "name": "RHSA-2019:2799",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2799"
                },
                {
                  "name": "RHSA-2019:2925",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2925"
                },
                {
                  "name": "RHSA-2019:2939",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2939"
                },
                {
                  "name": "RHSA-2019:2946",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2946"
                },
                {
                  "name": "RHSA-2019:2950",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2950"
                },
                {
                  "name": "RHSA-2019:2955",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2955"
                },
                {
                  "name": "RHSA-2019:2966",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2966"
                },
                {
                  "name": "openSUSE-SU-2019:2264",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00014.html"
                },
                {
                  "name": "https://support.f5.com/csp/article/K02591030?utm_source=f5support\u0026amp;utm_medium=RSS",
                  "refsource": "CONFIRM",
                  "url": "https://support.f5.com/csp/article/K02591030?utm_source=f5support\u0026amp;utm_medium=RSS"
                },
                {
                  "name": "RHSA-2019:3933",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3933"
                },
                {
                  "name": "RHSA-2019:3935",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3935"
                },
                {
                  "name": "RHSA-2019:3932",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3932"
                },
                {
                  "name": "FEDORA-2021-d5b2c18fe6",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "assignerShortName": "certcc",
        "cveId": "CVE-2019-9516",
        "datePublished": "2019-08-13T20:50:59.000Z",
        "dateReserved": "2019-03-01T00:00:00.000Z",
        "dateUpdated": "2024-08-04T21:54:44.285Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-9515 (GCVE-0-2019-9515)

    Vulnerability from cvelistv5 – Published: 2019-08-13 20:50 – Updated: 2024-08-04 21:54
    VLAI
    Title
    Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service
    Summary
    Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    URL Tags
    https://kb.cert.org/vuls/id/605641/ third-party-advisoryx_refsource_CERT-VN
    https://github.com/Netflix/security-bulletins/blo… x_refsource_MISC
    https://lists.apache.org/thread.html/bde52309316a… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/392108390cef… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/ad3d01e76719… mailing-listx_refsource_MLIST
    https://seclists.org/bugtraq/2019/Aug/24 mailing-listx_refsource_BUGTRAQ
    http://seclists.org/fulldisclosure/2019/Aug/16 mailing-listx_refsource_FULLDISC
    https://www.synology.com/security/advisory/Synolo… x_refsource_CONFIRM
    https://support.f5.com/csp/article/K50233772 x_refsource_CONFIRM
    https://security.netapp.com/advisory/ntap-2019082… x_refsource_CONFIRM
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://seclists.org/bugtraq/2019/Aug/43 mailing-listx_refsource_BUGTRAQ
    https://www.debian.org/security/2019/dsa-4508 vendor-advisoryx_refsource_DEBIAN
    https://www.debian.org/security/2019/dsa-4520 vendor-advisoryx_refsource_DEBIAN
    https://seclists.org/bugtraq/2019/Sep/18 mailing-listx_refsource_BUGTRAQ
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    https://kc.mcafee.com/corporate/index?page=conten… x_refsource_CONFIRM
    https://access.redhat.com/errata/RHSA-2019:2766 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2796 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2861 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2925 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2939 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2955 vendor-advisoryx_refsource_REDHAT
    https://support.f5.com/csp/article/K50233772?utm_… x_refsource_CONFIRM
    https://access.redhat.com/errata/RHSA-2019:3892 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:4018 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:4019 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:4021 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:4020 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:4045 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:4042 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:4040 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:4041 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:4352 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2020:0727 vendor-advisoryx_refsource_REDHAT
    https://usn.ubuntu.com/4308-1/ vendor-advisoryx_refsource_UBUNTU
    Credits
    Thanks to Jonathan Looney of Netflix for reporting this vulnerability.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T21:54:44.327Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "VU#605641",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_CERT-VN",
                  "x_transferred"
                ],
                "url": "https://kb.cert.org/vuls/id/605641/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
              },
              {
                "name": "[trafficserver-dev] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E"
              },
              {
                "name": "[trafficserver-users] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E"
              },
              {
                "name": "[trafficserver-announce] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E"
              },
              {
                "name": "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
                "tags": [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
                  "x_transferred"
                ],
                "url": "https://seclists.org/bugtraq/2019/Aug/24"
              },
              {
                "name": "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
                "tags": [
                  "mailing-list",
                  "x_refsource_FULLDISC",
                  "x_transferred"
                ],
                "url": "http://seclists.org/fulldisclosure/2019/Aug/16"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.f5.com/csp/article/K50233772"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
              },
              {
                "name": "FEDORA-2019-5a6a7bc12c",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
              },
              {
                "name": "FEDORA-2019-6a2980de56",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
              },
              {
                "name": "20190825 [SECURITY] [DSA 4508-1] h2o security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
                  "x_transferred"
                ],
                "url": "https://seclists.org/bugtraq/2019/Aug/43"
              },
              {
                "name": "DSA-4508",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2019/dsa-4508"
              },
              {
                "name": "DSA-4520",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2019/dsa-4520"
              },
              {
                "name": "20190910 [SECURITY] [DSA 4520-1] trafficserver security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
                  "x_transferred"
                ],
                "url": "https://seclists.org/bugtraq/2019/Sep/18"
              },
              {
                "name": "openSUSE-SU-2019:2114",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
              },
              {
                "name": "openSUSE-SU-2019:2115",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
              },
              {
                "name": "RHSA-2019:2766",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2766"
              },
              {
                "name": "RHSA-2019:2796",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2796"
              },
              {
                "name": "RHSA-2019:2861",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2861"
              },
              {
                "name": "RHSA-2019:2925",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2925"
              },
              {
                "name": "RHSA-2019:2939",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2939"
              },
              {
                "name": "RHSA-2019:2955",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2955"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.f5.com/csp/article/K50233772?utm_source=f5support\u0026amp%3Butm_medium=RSS"
              },
              {
                "name": "RHSA-2019:3892",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3892"
              },
              {
                "name": "RHSA-2019:4018",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4018"
              },
              {
                "name": "RHSA-2019:4019",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4019"
              },
              {
                "name": "RHSA-2019:4021",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4021"
              },
              {
                "name": "RHSA-2019:4020",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4020"
              },
              {
                "name": "RHSA-2019:4045",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4045"
              },
              {
                "name": "RHSA-2019:4042",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4042"
              },
              {
                "name": "RHSA-2019:4040",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4040"
              },
              {
                "name": "RHSA-2019:4041",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4041"
              },
              {
                "name": "RHSA-2019:4352",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:4352"
              },
              {
                "name": "RHSA-2020:0727",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2020:0727"
              },
              {
                "name": "USN-4308-1",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
                  "x_transferred"
                ],
                "url": "https://usn.ubuntu.com/4308-1/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Thanks to Jonathan Looney of Netflix for reporting this vulnerability."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-03-30T21:06:04.000Z",
            "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
            "shortName": "certcc"
          },
          "references": [
            {
              "name": "VU#605641",
              "tags": [
                "third-party-advisory",
                "x_refsource_CERT-VN"
              ],
              "url": "https://kb.cert.org/vuls/id/605641/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
            },
            {
              "name": "[trafficserver-dev] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E"
            },
            {
              "name": "[trafficserver-users] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E"
            },
            {
              "name": "[trafficserver-announce] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E"
            },
            {
              "name": "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
              "tags": [
                "mailing-list",
                "x_refsource_BUGTRAQ"
              ],
              "url": "https://seclists.org/bugtraq/2019/Aug/24"
            },
            {
              "name": "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
              "tags": [
                "mailing-list",
                "x_refsource_FULLDISC"
              ],
              "url": "http://seclists.org/fulldisclosure/2019/Aug/16"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.f5.com/csp/article/K50233772"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
            },
            {
              "name": "FEDORA-2019-5a6a7bc12c",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
            },
            {
              "name": "FEDORA-2019-6a2980de56",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
            },
            {
              "name": "20190825 [SECURITY] [DSA 4508-1] h2o security update",
              "tags": [
                "mailing-list",
                "x_refsource_BUGTRAQ"
              ],
              "url": "https://seclists.org/bugtraq/2019/Aug/43"
            },
            {
              "name": "DSA-4508",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2019/dsa-4508"
            },
            {
              "name": "DSA-4520",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2019/dsa-4520"
            },
            {
              "name": "20190910 [SECURITY] [DSA 4520-1] trafficserver security update",
              "tags": [
                "mailing-list",
                "x_refsource_BUGTRAQ"
              ],
              "url": "https://seclists.org/bugtraq/2019/Sep/18"
            },
            {
              "name": "openSUSE-SU-2019:2114",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
            },
            {
              "name": "openSUSE-SU-2019:2115",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
            },
            {
              "name": "RHSA-2019:2766",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2766"
            },
            {
              "name": "RHSA-2019:2796",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2796"
            },
            {
              "name": "RHSA-2019:2861",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2861"
            },
            {
              "name": "RHSA-2019:2925",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2925"
            },
            {
              "name": "RHSA-2019:2939",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2939"
            },
            {
              "name": "RHSA-2019:2955",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2955"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.f5.com/csp/article/K50233772?utm_source=f5support\u0026amp%3Butm_medium=RSS"
            },
            {
              "name": "RHSA-2019:3892",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3892"
            },
            {
              "name": "RHSA-2019:4018",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4018"
            },
            {
              "name": "RHSA-2019:4019",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4019"
            },
            {
              "name": "RHSA-2019:4021",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4021"
            },
            {
              "name": "RHSA-2019:4020",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4020"
            },
            {
              "name": "RHSA-2019:4045",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4045"
            },
            {
              "name": "RHSA-2019:4042",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4042"
            },
            {
              "name": "RHSA-2019:4040",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4040"
            },
            {
              "name": "RHSA-2019:4041",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4041"
            },
            {
              "name": "RHSA-2019:4352",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:4352"
            },
            {
              "name": "RHSA-2020:0727",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2020:0727"
            },
            {
              "name": "USN-4308-1",
              "tags": [
                "vendor-advisory",
                "x_refsource_UBUNTU"
              ],
              "url": "https://usn.ubuntu.com/4308-1/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service",
          "x_generator": {
            "engine": "Vulnogram 0.0.7"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "AKA": "HTTP/2 Settings Flood",
              "ASSIGNER": "cert@cert.org",
              "ID": "CVE-2019-9515",
              "STATE": "PUBLIC",
              "TITLE": "Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Thanks to Jonathan Looney of Netflix for reporting this vulnerability."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.7"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-400 Uncontrolled Resource Consumption"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "VU#605641",
                  "refsource": "CERT-VN",
                  "url": "https://kb.cert.org/vuls/id/605641/"
                },
                {
                  "name": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md",
                  "refsource": "MISC",
                  "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
                },
                {
                  "name": "[trafficserver-dev] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7@%3Cdev.trafficserver.apache.org%3E"
                },
                {
                  "name": "[trafficserver-users] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04@%3Cusers.trafficserver.apache.org%3E"
                },
                {
                  "name": "[trafficserver-announce] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19@%3Cannounce.trafficserver.apache.org%3E"
                },
                {
                  "name": "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
                  "refsource": "BUGTRAQ",
                  "url": "https://seclists.org/bugtraq/2019/Aug/24"
                },
                {
                  "name": "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
                  "refsource": "FULLDISC",
                  "url": "http://seclists.org/fulldisclosure/2019/Aug/16"
                },
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_19_33",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
                },
                {
                  "name": "https://support.f5.com/csp/article/K50233772",
                  "refsource": "CONFIRM",
                  "url": "https://support.f5.com/csp/article/K50233772"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20190823-0005/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
                },
                {
                  "name": "FEDORA-2019-5a6a7bc12c",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
                },
                {
                  "name": "FEDORA-2019-6a2980de56",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
                },
                {
                  "name": "20190825 [SECURITY] [DSA 4508-1] h2o security update",
                  "refsource": "BUGTRAQ",
                  "url": "https://seclists.org/bugtraq/2019/Aug/43"
                },
                {
                  "name": "DSA-4508",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2019/dsa-4508"
                },
                {
                  "name": "DSA-4520",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2019/dsa-4520"
                },
                {
                  "name": "20190910 [SECURITY] [DSA 4520-1] trafficserver security update",
                  "refsource": "BUGTRAQ",
                  "url": "https://seclists.org/bugtraq/2019/Sep/18"
                },
                {
                  "name": "openSUSE-SU-2019:2114",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
                },
                {
                  "name": "openSUSE-SU-2019:2115",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
                },
                {
                  "name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296",
                  "refsource": "CONFIRM",
                  "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
                },
                {
                  "name": "RHSA-2019:2766",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2766"
                },
                {
                  "name": "RHSA-2019:2796",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2796"
                },
                {
                  "name": "RHSA-2019:2861",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2861"
                },
                {
                  "name": "RHSA-2019:2925",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2925"
                },
                {
                  "name": "RHSA-2019:2939",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2939"
                },
                {
                  "name": "RHSA-2019:2955",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2955"
                },
                {
                  "name": "https://support.f5.com/csp/article/K50233772?utm_source=f5support\u0026amp;utm_medium=RSS",
                  "refsource": "CONFIRM",
                  "url": "https://support.f5.com/csp/article/K50233772?utm_source=f5support\u0026amp;utm_medium=RSS"
                },
                {
                  "name": "RHSA-2019:3892",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3892"
                },
                {
                  "name": "RHSA-2019:4018",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:4018"
                },
                {
                  "name": "RHSA-2019:4019",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:4019"
                },
                {
                  "name": "RHSA-2019:4021",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:4021"
                },
                {
                  "name": "RHSA-2019:4020",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:4020"
                },
                {
                  "name": "RHSA-2019:4045",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:4045"
                },
                {
                  "name": "RHSA-2019:4042",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:4042"
                },
                {
                  "name": "RHSA-2019:4040",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:4040"
                },
                {
                  "name": "RHSA-2019:4041",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:4041"
                },
                {
                  "name": "RHSA-2019:4352",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:4352"
                },
                {
                  "name": "RHSA-2020:0727",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2020:0727"
                },
                {
                  "name": "USN-4308-1",
                  "refsource": "UBUNTU",
                  "url": "https://usn.ubuntu.com/4308-1/"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "assignerShortName": "certcc",
        "cveId": "CVE-2019-9515",
        "datePublished": "2019-08-13T20:50:59.000Z",
        "dateReserved": "2019-03-01T00:00:00.000Z",
        "dateUpdated": "2024-08-04T21:54:44.327Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-9513 (GCVE-0-2019-9513)

    Vulnerability from cvelistv5 – Published: 2019-08-13 20:50 – Updated: 2024-08-04 21:54
    VLAI
    Title
    Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service
    Summary
    Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    URL Tags
    https://kb.cert.org/vuls/id/605641/ third-party-advisoryx_refsource_CERT-VN
    https://usn.ubuntu.com/4099-1/ vendor-advisoryx_refsource_UBUNTU
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://seclists.org/bugtraq/2019/Aug/40 mailing-listx_refsource_BUGTRAQ
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://www.debian.org/security/2019/dsa-4505 vendor-advisoryx_refsource_DEBIAN
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://seclists.org/bugtraq/2019/Sep/1 mailing-listx_refsource_BUGTRAQ
    https://www.debian.org/security/2019/dsa-4511 vendor-advisoryx_refsource_DEBIAN
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://access.redhat.com/errata/RHSA-2019:2692 vendor-advisoryx_refsource_REDHAT
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    https://access.redhat.com/errata/RHSA-2019:2745 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2746 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2775 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2799 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2925 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2939 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2949 vendor-advisoryx_refsource_REDHAT
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    https://access.redhat.com/errata/RHSA-2019:2955 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:2966 vendor-advisoryx_refsource_REDHAT
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
    https://access.redhat.com/errata/RHSA-2019:3041 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:3933 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:3935 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:3932 vendor-advisoryx_refsource_REDHAT
    https://www.debian.org/security/2020/dsa-4669 vendor-advisoryx_refsource_DEBIAN
    https://www.oracle.com/security-alerts/cpuoct2020.html x_refsource_MISC
    https://github.com/Netflix/security-bulletins/blo… x_refsource_MISC
    https://www.synology.com/security/advisory/Synolo… x_refsource_CONFIRM
    https://support.f5.com/csp/article/K02591030 x_refsource_CONFIRM
    https://security.netapp.com/advisory/ntap-2019082… x_refsource_CONFIRM
    https://security.netapp.com/advisory/ntap-2019082… x_refsource_CONFIRM
    https://kc.mcafee.com/corporate/index?page=conten… x_refsource_CONFIRM
    https://support.f5.com/csp/article/K02591030?utm_… x_refsource_CONFIRM
    https://www.oracle.com/security-alerts/cpujan2021.html x_refsource_MISC
    Credits
    Thanks to Jonathan Looney of Netflix for reporting this vulnerability.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T21:54:44.842Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "VU#605641",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_CERT-VN",
                  "x_transferred"
                ],
                "url": "https://kb.cert.org/vuls/id/605641/"
              },
              {
                "name": "USN-4099-1",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
                  "x_transferred"
                ],
                "url": "https://usn.ubuntu.com/4099-1/"
              },
              {
                "name": "FEDORA-2019-befd924cfe",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/"
              },
              {
                "name": "20190822 [SECURITY] [DSA 4505-1] nginx security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
                  "x_transferred"
                ],
                "url": "https://seclists.org/bugtraq/2019/Aug/40"
              },
              {
                "name": "FEDORA-2019-81985a8858",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZLUYPYY3RX4ZJDWZRJIKSULYRJ4PXW7/"
              },
              {
                "name": "DSA-4505",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2019/dsa-4505"
              },
              {
                "name": "FEDORA-2019-5a6a7bc12c",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
              },
              {
                "name": "FEDORA-2019-6a2980de56",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
              },
              {
                "name": "FEDORA-2019-8a437d5c2f",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JUBYAF6ED3O4XCHQ5C2HYENJLXYXZC4M/"
              },
              {
                "name": "20190902 [SECURITY] [DSA 4511-1] nghttp2 security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
                  "x_transferred"
                ],
                "url": "https://seclists.org/bugtraq/2019/Sep/1"
              },
              {
                "name": "DSA-4511",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2019/dsa-4511"
              },
              {
                "name": "FEDORA-2019-7a0b45fdc4",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/POPAEC4FWL4UU4LDEGPY5NPALU24FFQD/"
              },
              {
                "name": "RHSA-2019:2692",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2692"
              },
              {
                "name": "openSUSE-SU-2019:2120",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html"
              },
              {
                "name": "openSUSE-SU-2019:2114",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
              },
              {
                "name": "openSUSE-SU-2019:2115",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
              },
              {
                "name": "RHSA-2019:2745",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2745"
              },
              {
                "name": "RHSA-2019:2746",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2746"
              },
              {
                "name": "RHSA-2019:2775",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2775"
              },
              {
                "name": "RHSA-2019:2799",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2799"
              },
              {
                "name": "RHSA-2019:2925",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2925"
              },
              {
                "name": "RHSA-2019:2939",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2939"
              },
              {
                "name": "RHSA-2019:2949",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2949"
              },
              {
                "name": "openSUSE-SU-2019:2232",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00003.html"
              },
              {
                "name": "openSUSE-SU-2019:2234",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00005.html"
              },
              {
                "name": "RHSA-2019:2955",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2955"
              },
              {
                "name": "RHSA-2019:2966",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2966"
              },
              {
                "name": "openSUSE-SU-2019:2264",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00014.html"
              },
              {
                "name": "RHSA-2019:3041",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3041"
              },
              {
                "name": "RHSA-2019:3933",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3933"
              },
              {
                "name": "RHSA-2019:3935",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3935"
              },
              {
                "name": "RHSA-2019:3932",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3932"
              },
              {
                "name": "DSA-4669",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2020/dsa-4669"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.f5.com/csp/article/K02591030"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20190823-0002/"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.f5.com/csp/article/K02591030?utm_source=f5support\u0026amp%3Butm_medium=RSS"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Thanks to Jonathan Looney of Netflix for reporting this vulnerability."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-01-20T14:42:02.000Z",
            "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
            "shortName": "certcc"
          },
          "references": [
            {
              "name": "VU#605641",
              "tags": [
                "third-party-advisory",
                "x_refsource_CERT-VN"
              ],
              "url": "https://kb.cert.org/vuls/id/605641/"
            },
            {
              "name": "USN-4099-1",
              "tags": [
                "vendor-advisory",
                "x_refsource_UBUNTU"
              ],
              "url": "https://usn.ubuntu.com/4099-1/"
            },
            {
              "name": "FEDORA-2019-befd924cfe",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/"
            },
            {
              "name": "20190822 [SECURITY] [DSA 4505-1] nginx security update",
              "tags": [
                "mailing-list",
                "x_refsource_BUGTRAQ"
              ],
              "url": "https://seclists.org/bugtraq/2019/Aug/40"
            },
            {
              "name": "FEDORA-2019-81985a8858",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZLUYPYY3RX4ZJDWZRJIKSULYRJ4PXW7/"
            },
            {
              "name": "DSA-4505",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2019/dsa-4505"
            },
            {
              "name": "FEDORA-2019-5a6a7bc12c",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
            },
            {
              "name": "FEDORA-2019-6a2980de56",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
            },
            {
              "name": "FEDORA-2019-8a437d5c2f",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JUBYAF6ED3O4XCHQ5C2HYENJLXYXZC4M/"
            },
            {
              "name": "20190902 [SECURITY] [DSA 4511-1] nghttp2 security update",
              "tags": [
                "mailing-list",
                "x_refsource_BUGTRAQ"
              ],
              "url": "https://seclists.org/bugtraq/2019/Sep/1"
            },
            {
              "name": "DSA-4511",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2019/dsa-4511"
            },
            {
              "name": "FEDORA-2019-7a0b45fdc4",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/POPAEC4FWL4UU4LDEGPY5NPALU24FFQD/"
            },
            {
              "name": "RHSA-2019:2692",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2692"
            },
            {
              "name": "openSUSE-SU-2019:2120",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html"
            },
            {
              "name": "openSUSE-SU-2019:2114",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
            },
            {
              "name": "openSUSE-SU-2019:2115",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
            },
            {
              "name": "RHSA-2019:2745",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2745"
            },
            {
              "name": "RHSA-2019:2746",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2746"
            },
            {
              "name": "RHSA-2019:2775",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2775"
            },
            {
              "name": "RHSA-2019:2799",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2799"
            },
            {
              "name": "RHSA-2019:2925",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2925"
            },
            {
              "name": "RHSA-2019:2939",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2939"
            },
            {
              "name": "RHSA-2019:2949",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2949"
            },
            {
              "name": "openSUSE-SU-2019:2232",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00003.html"
            },
            {
              "name": "openSUSE-SU-2019:2234",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00005.html"
            },
            {
              "name": "RHSA-2019:2955",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2955"
            },
            {
              "name": "RHSA-2019:2966",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2966"
            },
            {
              "name": "openSUSE-SU-2019:2264",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00014.html"
            },
            {
              "name": "RHSA-2019:3041",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3041"
            },
            {
              "name": "RHSA-2019:3933",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3933"
            },
            {
              "name": "RHSA-2019:3935",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3935"
            },
            {
              "name": "RHSA-2019:3932",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3932"
            },
            {
              "name": "DSA-4669",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2020/dsa-4669"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.f5.com/csp/article/K02591030"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20190823-0002/"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.f5.com/csp/article/K02591030?utm_source=f5support\u0026amp%3Butm_medium=RSS"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service",
          "x_generator": {
            "engine": "Vulnogram 0.0.7"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "AKA": "HTTP/2 Resource Loop",
              "ASSIGNER": "cert@cert.org",
              "ID": "CVE-2019-9513",
              "STATE": "PUBLIC",
              "TITLE": "Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Thanks to Jonathan Looney of Netflix for reporting this vulnerability."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.7"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-400 Uncontrolled Resource Consumption"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "VU#605641",
                  "refsource": "CERT-VN",
                  "url": "https://kb.cert.org/vuls/id/605641/"
                },
                {
                  "name": "USN-4099-1",
                  "refsource": "UBUNTU",
                  "url": "https://usn.ubuntu.com/4099-1/"
                },
                {
                  "name": "FEDORA-2019-befd924cfe",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/"
                },
                {
                  "name": "20190822 [SECURITY] [DSA 4505-1] nginx security update",
                  "refsource": "BUGTRAQ",
                  "url": "https://seclists.org/bugtraq/2019/Aug/40"
                },
                {
                  "name": "FEDORA-2019-81985a8858",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LZLUYPYY3RX4ZJDWZRJIKSULYRJ4PXW7/"
                },
                {
                  "name": "DSA-4505",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2019/dsa-4505"
                },
                {
                  "name": "FEDORA-2019-5a6a7bc12c",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
                },
                {
                  "name": "FEDORA-2019-6a2980de56",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
                },
                {
                  "name": "FEDORA-2019-8a437d5c2f",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JUBYAF6ED3O4XCHQ5C2HYENJLXYXZC4M/"
                },
                {
                  "name": "20190902 [SECURITY] [DSA 4511-1] nghttp2 security update",
                  "refsource": "BUGTRAQ",
                  "url": "https://seclists.org/bugtraq/2019/Sep/1"
                },
                {
                  "name": "DSA-4511",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2019/dsa-4511"
                },
                {
                  "name": "FEDORA-2019-7a0b45fdc4",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/POPAEC4FWL4UU4LDEGPY5NPALU24FFQD/"
                },
                {
                  "name": "RHSA-2019:2692",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2692"
                },
                {
                  "name": "openSUSE-SU-2019:2120",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html"
                },
                {
                  "name": "openSUSE-SU-2019:2114",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
                },
                {
                  "name": "openSUSE-SU-2019:2115",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
                },
                {
                  "name": "RHSA-2019:2745",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2745"
                },
                {
                  "name": "RHSA-2019:2746",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2746"
                },
                {
                  "name": "RHSA-2019:2775",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2775"
                },
                {
                  "name": "RHSA-2019:2799",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2799"
                },
                {
                  "name": "RHSA-2019:2925",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2925"
                },
                {
                  "name": "RHSA-2019:2939",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2939"
                },
                {
                  "name": "RHSA-2019:2949",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2949"
                },
                {
                  "name": "openSUSE-SU-2019:2232",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00003.html"
                },
                {
                  "name": "openSUSE-SU-2019:2234",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00005.html"
                },
                {
                  "name": "RHSA-2019:2955",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2955"
                },
                {
                  "name": "RHSA-2019:2966",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2966"
                },
                {
                  "name": "openSUSE-SU-2019:2264",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00014.html"
                },
                {
                  "name": "RHSA-2019:3041",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3041"
                },
                {
                  "name": "RHSA-2019:3933",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3933"
                },
                {
                  "name": "RHSA-2019:3935",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3935"
                },
                {
                  "name": "RHSA-2019:3932",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3932"
                },
                {
                  "name": "DSA-4669",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2020/dsa-4669"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuoct2020.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
                },
                {
                  "name": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md",
                  "refsource": "MISC",
                  "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
                },
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_19_33",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
                },
                {
                  "name": "https://support.f5.com/csp/article/K02591030",
                  "refsource": "CONFIRM",
                  "url": "https://support.f5.com/csp/article/K02591030"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20190823-0002/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20190823-0002/"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20190823-0005/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
                },
                {
                  "name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296",
                  "refsource": "CONFIRM",
                  "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
                },
                {
                  "name": "https://support.f5.com/csp/article/K02591030?utm_source=f5support\u0026amp;utm_medium=RSS",
                  "refsource": "CONFIRM",
                  "url": "https://support.f5.com/csp/article/K02591030?utm_source=f5support\u0026amp;utm_medium=RSS"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujan2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "assignerShortName": "certcc",
        "cveId": "CVE-2019-9513",
        "datePublished": "2019-08-13T20:50:59.000Z",
        "dateReserved": "2019-03-01T00:00:00.000Z",
        "dateUpdated": "2024-08-04T21:54:44.842Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }