History: Jan 30, 2019 - 10:29 p.m.

CVE-2018-17189

2019-01-30 22:29:00
CWE-400
apache
web.nvd.nist.gov
cve-2018-17189
apache http server
security
vulnerability
slow loris
nvd

CVSS2: 5
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3: 5.3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

AI Score: 6.1
Confidence: High

EPSS: 0.003
Percentile: 71.8%

In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 (mod_http2) connections.

Affected configurations

Node: apache http_server 2.4.17 OR 2.4.18 OR 2.4.20 OR 2.4.23 OR 2.4.25 OR 2.4.26 OR 2.4.27 OR 2.4.28 OR 2.4.29 OR 2.4.30 OR 2.4.33 OR 2.4.34 OR 2.4.35 OR 2.4.37

Node: netapp santricity_cloud_connector - OR netapp storage_automation_store -

Node: fedoraproject fedora 28 OR fedoraproject fedora 29

Node: debian debian_linux 9.0

Node: oracle enterprise_manager_ops_center 12.3.3 OR oracle hospitality_guest_access 4.2.0 OR oracle hospitality_guest_access 4.2.1 OR oracle instantis_enterprisetrack 17.1 OR oracle instantis_enterprisetrack 17.2 OR oracle instantis_enterprisetrack 17.3 OR oracle retail_xstore_point_of_service 7.0 OR oracle retail_xstore_point_of_service 7.1 OR oracle sun_zfs_storage_appliance_kit 8.8.6

Node: canonical ubuntu_linux 14.04 esm OR canonical ubuntu_linux 16.04 esm OR canonical ubuntu_linux 18.04 lts OR canonical ubuntu_linux 18.10

Node: redhat jboss_core_services 1.0 AND redhat enterprise_linux 6.0 OR redhat enterprise_linux 7.0

Vendor  Product      Version  CPE
apache  http_server  2.4.17   cpe:2.3:a:apache:http_server:2.4.17:*:*:*:*:*:*:*
apache  http_server  2.4.18   cpe:2.3:a:apache:http_server:2.4.18:*:*:*:*:*:*:*
apache  http_server  2.4.20   cpe:2.3:a:apache:http_server:2.4.20:*:*:*:*:*:*:*
apache  http_server  2.4.23   cpe:2.3:a:apache:http_server:2.4.23:*:*:*:*:*:*:*
apache  http_server  2.4.25   cpe:2.3:a:apache:http_server:2.4.25:*:*:*:*:*:*:*
apache  http_server  2.4.26   cpe:2.3:a:apache:http_server:2.4.26:*:*:*:*:*:*:*
apache  http_server  2.4.27   cpe:2.3:a:apache:http_server:2.4.27:*:*:*:*:*:*:*
apache  http_server  2.4.28   cpe:2.3:a:apache:http_server:2.4.28:*:*:*:*:*:*:*
apache  http_server  2.4.29   cpe:2.3:a:apache:http_server:2.4.29:*:*:*:*:*:*:*
apache  http_server  2.4.30   cpe:2.3:a:apache:http_server:2.4.30:*:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "Apache HTTP Server",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "status": "affected",
        "version": "2.4.17 to 2.4.37"
      }
    ]
  }
]
