1369 matches found
PT-2018-2561 · Nginx +4 · Nginx +4
Name of the Vulnerable Software and Affected Versions: nginx versions prior to 1.15.6 nginx versions prior to 1.14.1 Description: The issue is related to the implementation of the HTTP/2 protocol in the nginx server, which can lead to uncontrolled resource consumption. This can allow a remote...
PT-2018-2562 · Nginx +4 · Nginx +4
Name of the Vulnerable Software and Affected Versions: nginx versions 1.14.0 through 1.14.1 nginx versions 1.15.0 through 1.15.6 Description: The issue is related to the implementation of HTTP/2 in nginx, which can lead to excessive CPU usage. This problem affects nginx compiled with the ngx http...
SUSE-SU-2018:3101-1 Security update for apache2
This update for apache2 fixes the following issues: Security issues fixed: - CVE-2018-11763: In Apache HTTP Server by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2...
CVE-2016-7475
Under some circumstances on BIG-IP 12.0.0-12.1.0, 11.6.0-11.6.1, or 11.4.0-11.5.4 HF1, the Traffic Management Microkernel TMM may not properly clean-up pool member network connections when using SPDY or HTTP/2 virtual server profiles...
USN-3783-1 apache2 vulnerabilities
Robert Swiecki discovered that the Apache HTTP Server HTTP/2 module incorrectly destroyed certain streams. A remote attacker could possibly use this issue to cause the server to crash, leading to a denial of service. CVE-2018-1302 Craig Young discovered that the Apache HTTP Server HTTP/2 module...
BSA-2018-711
Security Advisory ID : BSA-2018-711 Component : Apache HTTPD Revision : 1.0: Final The Apache HTTP Server 2.4.17 and 2.4.18, when modhttp2 is enabled, does not limit the number of simultaneous stream workers for a single HTTP/2 connection, which allows remote attackers to cause a denial of servic...
UBUNTU-CVE-2018-11763
In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol...
F5 BIG-IP Virtual Server Denial of Service Vulnerability
F5 BIG-IP LTM, etc. are products of F5 Corporation, U.S.A. F5 BIG-IP LTM is a local traffic manager; BIG-IP AAM is an application acceleration manager. A security vulnerability exists in the F5 BIG-IP virtual server. An attacker can exploit this vulnerability to cause a denial of service abnormal...
Wireshark Denial of Service Vulnerability (CNVD-2018-14106)
Wireshark formerly Ethereal is a suite of network packet analysis software developed by the Wireshark team. The function of the software is to intercept network packets and display detailed data for analysis.HTTP2 dissector is one of the hypertext transfer protocol parsers. A security vulnerabili...
CVE-2018-8226
A denial of service vulnerability exists in the HTTP 2.0 protocol stack HTTP.sys when HTTP.sys improperly parses specially crafted HTTP 2.0 requests, aka "HTTP.sys Denial of Service Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers...
ALPINE-CVE-2018-7161
All versions of Node.js 8.x, 9.x, and 10.x are vulnerable and the severity is HIGH. An attacker can cause a denial of service DoS by causing a node server providing an http2 server to crash. This can be accomplished by interacting with the http2 server in a manner that triggers a cleanup bug wher...
DEBIAN-CVE-2017-5446
An out-of-bounds read when an HTTP/2 connection to a servers sends "DATA" frames with incorrect data content. This leads to a potentially exploitable crash. This vulnerability affects Thunderbird 52.1, Firefox ESR 45.9, Firefox ESR 52.1, and Firefox 53...
haproxy: Heap buffer overflow in mux_h2.c:h2_process_demux() can allow attackers to cause a denial of service
An issue was discovered in HAProxy before 1.8.8. The incoming H2 frame length was checked against the maxframesize setting instead of being checked against the bufsize. The maxframesize only applies to outgoing traffic and not to incoming, so if a large enough frame size is advertised in the...
DEBIAN-CVE-2018-10184
An issue was discovered in HAProxy before 1.8.8. The incoming H2 frame length was checked against the maxframesize setting instead of being checked against the bufsize. The maxframesize only applies to outgoing traffic and not to incoming, so if a large enough frame size is advertised in the...
UBUNTU-CVE-2018-10184
An issue was discovered in HAProxy before 1.8.8. The incoming H2 frame length was checked against the maxframesize setting instead of being checked against the bufsize. The maxframesize only applies to outgoing traffic and not to incoming, so if a large enough frame size is advertised in the...
Denial of Service Vulnerability in Multiple F5 Products (CNVD-2018-09412)
F5 BIG-IP LTM, etc. are products of F5 Corporation, U.S.A. F5 BIG-IP LTM is a local traffic manager; BIG-IP AAM is an application acceleration manager. Security vulnerabilities exist in several F5 products. An attacker can exploit this vulnerability by sending malformed SPDY or HTTP/2 requests to...
ALPINE-CVE-2018-1302
When an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.30 could have written a NULL pointer potentially to an already freed memory. The memory pools maintained by the server make this vulnerability hard to trigger in usual configurations, the reporter...
The vulnerability of the experimental implementation of the HTTP/2 protocol in the Apache Traffic Server allows a attacker to execute arbitrary code or cause a service failure.
The vulnerability of the experimental implementation of the HTTP/2 protocol in the Apache Traffic Server web server arises from an operation that goes beyond the buffer boundaries in memory. Exploiting this vulnerability allows a malicious actor to execute arbitrary code or cause a service failur...
HTTP/2 trailer out-of-bounds read
libcurl contains an out bounds read in code handling HTTP/2 trailers. It was reported that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the code that creates HTTP/1-like headers from the HTTP/2 trailer data once...
UBUNTU-CVE-2018-1000005
libcurl 7.49.0 to and including 7.57.0 contains an out bounds read in code handling HTTP/2 trailers. It was reported https://github.com/curl/curl/pull/2231 that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the...