HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.

References

seclists.org/fulldisclosure/2024/Jul/18

www.openwall.com/lists/oss-security/2024/04/04/4

httpd.apache.org/security/vulnerabilities_24.html

security.alpinelinux.org/vuln/CVE-2024-27316

support.apple.com/kb/HT214119

www.openwall.com/lists/oss-security/2024/04/03/16

openvas 47

redos 1

nessus 75

ibm 5

nvd 1

vulnrichment 1

redhat 15

rocky 2

debiancve 1

veracode 1

githubexploit 2

almalinux 3

oraclelinux 3

cbl_mariner 2

ubuntucve 1

hackerone 1

osv 12

amazon 2

fedora 3

alpinelinux 1

redhatcve 1

cvelist 1

f5 1

cve 1

photon 3

slackware 1

ubuntu 3

mageia 1

kaspersky 1

freebsd 1

debian 2

arista 1

cert 1

thn 1

gentoo 1

openvas

Huawei EulerOS: Security Advisory for mod_http2 (EulerOS-SA-2024-2042)

2024-07-22 00:00:00

Huawei EulerOS: Security Advisory for mod_http2 (EulerOS-SA-2024-2331)

2024-09-03 00:00:00

Huawei EulerOS: Security Advisory for mod_http2 (EulerOS-SA-2024-1819)

2024-06-25 00:00:00

redos

ROS-20240425-01

2024-04-25 00:00:00

nessus

EulerOS 2.0 SP11 : mod_http2 (EulerOS-SA-2024-1819)

2024-06-25 00:00:00

Photon OS 4.0: Httpd PHSA-2024-4.0-0591

2024-07-23 00:00:00

EulerOS 2.0 SP12 : mod_http2 (EulerOS-SA-2024-2244)

2024-08-20 00:00:00

ibm

Security Bulletin: IBM HTTP Server (powered by Apache) for IBM i is vulnerable to a denial of service attack using HTTP/2 protocol. [CVE-2024-27316]

2024-06-25 23:52:39

Security Bulletin: IBM Aspera Console has addressed a denial of service vulnerability (CVE-2024-27316)

2024-05-29 21:22:20

Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to glibc, Golang Go , Apache HTTP, IBM GSKit-Crypto and GnuTLS packages/liberaries .

2024-05-22 09:19:09

nvd

CVE-2024-27316

2024-04-04 20:15:08

vulnrichment

CVE-2024-27316 Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames

2024-04-04 19:21:41

redhat

(RHSA-2024:1872) Important: mod_http2 security update

2024-04-18 00:58:11

(RHSA-2024:4390) Moderate: Red Hat JBoss Enterprise Application Platform 8.0 security update

2024-07-08 21:26:13

(RHSA-2024:2907) Moderate: httpd:2.4 security update

2024-05-20 01:02:25

rocky

httpd:2.4/mod_http2 security update

2024-05-06 13:04:21

mod_http2 security update

2024-05-10 14:32:42

debiancve

CVE-2024-27316

2024-04-04 20:15:08

veracode

Memory Exhaustion

2024-04-10 19:25:29

githubexploit

Exploit for Allocation of Resources Without Limits or Throttling in Apache Http Server

2024-04-17 20:08:05

Exploit for Allocation of Resources Without Limits or Throttling in Apache Http Server

2024-04-09 08:08:07

almalinux

Moderate: mod_http2 security update

2024-04-30 00:00:00

Important: mod_http2 security update

2024-04-18 00:00:00

Important: httpd:2.4/mod_http2 security update

2024-04-11 00:00:00

oraclelinux

mod_http2 security update

2024-04-18 00:00:00

mod_http2 security update

2024-05-07 00:00:00

httpd:2.4/mod_http2 security update

2024-04-11 00:00:00

cbl_mariner

CVE-2024-27316 affecting package httpd for versions less than 2.4.61-1

2024-08-14 20:43:58

CVE-2024-27316 affecting package httpd for versions less than 2.4.59-1

2024-05-06 17:48:02

ubuntucve

CVE-2024-27316

2024-03-27 00:00:00

hackerone

Internet Bug Bounty: Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames

2024-04-08 20:33:40

osv

Important: httpd:2.4/mod_http2 security update

2024-05-06 13:04:21

BIT-apache-2024-27316

2024-04-06 18:17:01

Moderate: mod_http2 security update

2024-05-10 14:32:42

amazon

Important: mod_http2

2024-04-24 22:15:00

Important: httpd24

2024-04-25 16:04:00

fedora

[SECURITY] Fedora 40 Update: mod_http2-2.0.27-1.fc40

2024-04-21 01:08:56

[SECURITY] Fedora 39 Update: mod_http2-2.0.27-1.fc39

2024-04-21 01:20:22

[SECURITY] Fedora 38 Update: mod_http2-2.0.27-1.fc38

2024-04-21 02:57:21

alpinelinux

CVE-2024-27316

2024-04-04 20:15:08

redhatcve

CVE-2024-27316

2024-04-03 19:27:03

cvelist

CVE-2024-27316 Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames

2024-04-04 19:21:41

K000139214 : Apache httpd vulnerability CVE-2024-27316

2024-04-08 00:00:00

cve

CVE-2024-27316

2024-04-04 20:15:08

photon

Important Photon OS Security Update - PHSA-2024-3.0-0748

2024-04-11 00:00:00

Important Photon OS Security Update - PHSA-2024-5.0-0242

2024-04-10 00:00:00

Important Photon OS Security Update - PHSA-2024-4.0-0591

2024-04-11 00:00:00

slackware

[slackware-security] httpd

2024-04-04 19:16:44

ubuntu

Apache HTTP Server vulnerabilities

2024-04-17 00:00:00

Apache HTTP Server vulnerabilities

2024-04-11 00:00:00

Apache HTTP Server vulnerabilities

2024-04-29 00:00:00

mageia

Updated apache packages fix security vulnerabilities

2024-04-10 07:03:52

kaspersky

KLA65470 Multiple vulnerabilities in Apache HTTP Server

2024-04-04 00:00:00

freebsd

Apache httpd -- multiple vulnerabilities

2024-04-04 00:00:00

debian

[SECURITY] [DLA 3818-1] apache2 security update

2024-05-25 11:06:45

[SECURITY] [DSA 5662-1] apache2 security update

2024-04-16 18:32:07

arista

Security Advisory 0094

2024-04-03 00:00:00

cert

HTTP/2 CONTINUATION frames can be utilized for DoS attacks

2024-04-03 00:00:00

thn

New HTTP/2 Vulnerability Exposes Web Servers to DoS Attacks

2024-04-04 11:15:00

gentoo

Apache HTTPD: Multiple Vulnerabilities

2024-09-28 00:00:00

Solutions

Vulnerabilities intelligence
Perimeter control tool
Linux scanner
Windows scanner
Developers SDK
Security Intelligence feeds

Database

Vulnerabilities
Exploits
Security News
BugBounty
Wild Exploited
Top Vulnerabilities
CVE Feed

Resources

Statics & Sources
Plugins
API docs
FAQ
Blog
Glossary

Company

About
Contacts
Pricing
EULA
Privacy Policy
Submission Policy
OpenSource

@2024 Vulners Inc

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

6.7

Confidence

Low

EPSS

0.001

Percentile

47.6%

JSON

Related for OSV:CVE-2024-27316