4431 matches found
CVE-2018-16843
nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuratio...
CVE-2018-16843
CVE-2018-16843 affects nginx before 1.15.6 and 1.14.1, where HTTP/2 implementation vulnerabilities in ngx_http_v2_module (if http2 is enabled) can cause excessive memory usage. Connected advisories also reference related CVEs (16844/16845) and show multiple distributions (Debian, Fedora/Red Hat, ...
CVE-2018-16843
nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuratio...
CVE-2018-16844
nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive CPU usage. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuration file...
CVE-2018-16844
CVE-2018-16844 affects nginx before versions 1.15.6 and 1.14.1 where HTTP/2 implementation can cause excessive CPU usage when nginx is built with the ngx_http_v2_module and the listen directive uses http2. The issue is triggered by HTTP/2 handling and is report-backed across multiple providers (D...
Excessive memory usage in HTTP/2
Excessive memory usage in HTTP/2 Severity: low CVE-2018-16843 Not vulnerable: 1.15.6+, 1.14.1+ Vulnerable: 1.9.5-1.15.5...
Excessive CPU usage in HTTP/2
Excessive CPU usage in HTTP/2 Severity: low CVE-2018-16844 Not vulnerable: 1.15.6+, 1.14.1+ Vulnerable: 1.9.5-1.15.5...
CVE-2018-16843
nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuratio...
CVE-2018-16843
nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuratio...
FreeBSD : NGINX -- Multiple vulnerabilities (84ca56be-e1de-11e8-bcfd-00e04c1ea73d)
NGINX Team reports: Two security issues were identified in nginx HTTP/2 implementation, which might cause excessive memory consumption (CVE-2018-16843) and CPU usage (CVE-2018-16844). The issues affect nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the...
CVE-2018-16844
nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive CPU usage. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuration file...
CVE-2018-16843
nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuratio...
NGINX -- Multiple vulnerabilities
NGINX Team reports: Two security issues were identified in nginx HTTP/2 implementation, which might cause excessive memory consumption (CVE-2018-16843) and CPU usage (CVE-2018-16844). The issues affect nginx compiled with the ngx_http_v2_module (not compiled by default) if the "http2" option of the "liste...
Apache Tomcat 9.0.0.M1 < 9.0.0.M22 Multiple Vulnerabilities
The version of Apache Tomcat installed on the remote host is 9.0.0.M1 or later but prior to 9.0.0.M22. It is, therefore, affected by multiple vulnerabilities : - A flaw exists in the CORS filter because the HTTP Vary header was not properly added. This allows a remote attacker to conduct...
Apache Tomcat 8.5.x < 8.5.16 Multiple Vulnerabilities
The version of Apache Tomcat installed on the remote host is 8.5.x prior to 8.5.16. It is, therefore, affected by multiple vulnerabilities : - A flaw exists in the CORS filter because the HTTP Vary header was not properly added. This allows a remote attacker to conduct client-side and server-side...
Apache Tomcat 8.5.x < 8.5.13 Multiple Vulnerabilities
According to its self-reported version number, the Apache Tomcat service running on the remote host is 8.5.x prior to 8.5.13. It is therefore affected by multiple vulnerabilities : - A flaw exists in the handling of pipelined requests when send file processing is used that results in the pipeline...
F5 Networks BIG-IP : TMM vulnerability (K45611803)
F5 BIG-IP 13.0.0-13.1.0.5, 12.1.0-12.1.3.5, or 11.6.0-11.6.3.1 virtual servers with HTTP/2 profiles enabled are vulnerable to 'HPACK Bomb'. CVE-2018-5530 Impact HPACK bombs are designed to consume an abnormal amount of memory resources on a target system, which can result in a denial of service...
F5 Networks BIG-IP : TMM vulnerability (K07369970)
In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GTM, Link Controller, PEM, WebAccelerator and WebSafe software version 13.0.0, undisclosed requests made to BIG-IP virtual servers which make use of the 'HTTP/2 profile' may result in a disruption of service to TMM. CVE-2017-6151...
F5 Networks BIG-IP : TMM with HTTP/2 vulnerability (K45320419)
Maliciously crafted HTTP/2 request frames can lead to denial of service. There is data plane exposure for virtual servers when the HTTP2 profile is enabled. There is no control plane exposure to this issue. CVE-2018-5514 Impact The BIG-IP system may temporarily fail to process traffic as it...
F5 Networks BIG-IP : TMM vulnerability (K10930474)
Malformed SPDY or HTTP/2 requests may result in a disruption of service to TMM. Data plane is only exposed when a SPDY or HTTP/2 profile is attached to a virtual server. There is no control plane exposure. CVE-2017-6155 Impact An attacker may be able to disrupt traffic or cause the BIG-IP system ...