1355 matches found

RedHat Linux | added 2021/02/11 1:51 p.m. | 2 views

tomcat: Apache Tomcat HTTP/2 Request mix-up

A flaw was found in Apache Tomcat. If an HTTP/2 client exceeded the agreed maximum number of concurrent streams for a connection in violation of the HTTP/2 protocol, it is possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - fro...

CVSS 4.3 | AI score 7.1 | EPSS 0.57286
Exploits: 0 | References: 8
RedHat Linux | added 2021/02/11 1:51 p.m. | 5 views

tomcat: HTTP/2 request header mix-up

While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this...

CVSS 7.5 | AI score 7.2 | EPSS 0.24622
Exploits: 0 | References: 7
RedHat Linux | added 2021/02/02 10:25 a.m. | 4 views

tomcat: specially crafted sequence of HTTP/2 requests can lead to DoS

A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become...

CVSS 7.5 | AI score 7.2 | EPSS 0.26699
Exploits: 0 | References: 8
RedHat Linux | added 2021/01/13 7:13 p.m. | 3 views

dotnet: ASP.NET Core callbacks outside of locks cause Kestrel deadlock when using HTTP/2

A flaw was found in dotnet. Running callbacks outside of locks results in a Kestrel deadlock when using HTTP/2. The highest threat from this vulnerability is to system availability...

CVSS 7.5 | AI score 5.7 | EPSS 0.04908
Exploits: 0 | References: 6
OSV | added 2021/01/07 10:51 a.m. | 6 views

SUSE-SU-2021:0041-1 Security update for tomcat

This update for tomcat fixes the following issue: - CVE-2020-17527: Fixed an HTTP/2 request header mix-up (bsc#1179602)...

CVSS 7.5 | AI score 7.5 | EPSS 0.24622
Exploits: 0 | References: 3
OSV | added 2020/12/03 7:15 p.m. | 3 views

DEBIAN-CVE-2020-17527

While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this...

CVSS 7.5 | AI score 7.1 | EPSS 0.24622
Exploits: 0 | References: 1
OSV | added 2020/12/03 7:15 p.m. | 6 views

AZL-6909 CVE-2020-17527 affecting package tomcat 9.0.39-5

While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this...

CVSS 7.5 | AI score 6.7 | EPSS 0.24622
Exploits: 0 | References: 1
OSV | added 2020/10/21 1:55 p.m. | 3 views

USN-4596-1 tomcat9 vulnerabilities

It was discovered that Tomcat did not properly manage HTTP/2 streams. An attacker could possibly use this to cause Tomcat to consume resources, resulting in a denial of service. CVE-2020-11996 It was discovered that Tomcat did not properly release the HTTP/1.1 processor after the upgrade to HTTP/...

CVSS 7.5 | AI score 7 | EPSS 0.87553
Exploits: 16 | References: 5
BDU FSTEC | added 2020/09/29 12:00 a.m. | 5 views

The vulnerability of the nghttp2 library, related to errors occurring when using allocated memory during the processing of HTTP/2 SETTINGS, allows an attacker to cause a service failure.

The vulnerability of the nghttp2 library is related to errors that occur when using allocated memory during the processing of HTTP/2 SETTINGS packets. Exploiting this vulnerability can allow a malicious actor to cause service interruptions by sending numerous HTTP/2 SETTINGS packets...

CVSS 7.8 | AI score 6.5 | EPSS 0.05316
Exploits: 0 | References: 15 | Affected software: 10
Microsoft CVE | added 2020/08/18 7:00 a.m. | 10 views

Apache HTTP Server versions 2.4.20 to 2.4.43. When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers.

...

CVSS 7.5 | AI score 7 | EPSS 0.58716
Exploits: 2
OSV | added 2020/08/13 2:27 p.m. | 2 views

USN-4458-1 apache2 vulnerabilities

Fabrice Perez discovered that the Apache mod_rewrite module incorrectly handled certain redirects. A remote attacker could possibly use this issue to perform redirects to an unexpected URL. CVE-2020-1927 Chamal De Silva discovered that the Apache mod_proxy_ftp module incorrectly handled memory when...

CVSS 9.8 | AI score 7.1 | EPSS 0.90039
Exploits: 4 | References: 6
OSV | added 2020/08/07 4:15 p.m. | 6 views

DEBIAN-CVE-2020-11993

Apache HTTP Server versions 2.4.20 to 2.4.43. When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will mitigate this...

CVSS 7.5 | AI score 6.6 | EPSS 0.58716
Exploits: 2 | References: 1
OSV | added 2020/08/07 4:15 p.m. | 3 views

UBUNTU-CVE-2020-9490

Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability f...

CVSS 7.5 | AI score 7.3 | EPSS 0.89744
Exploits: 0 | References: 5
RedHat Linux | added 2020/07/29 6:06 a.m. | 5 views

HTTP/2: flood using SETTINGS frames results in unbounded memory growth

A flaw was found in HTTP/2. Using SETTINGS frames and queuing of SETTINGS ACK frames, a flood could occur resulting in unbounded memory growth. The highest threat from this vulnerability is to system availability...

CVSS 7.8 | AI score 7.1 | EPSS 0.87806
Exploits: 0 | References: 7
RedHat Linux | added 2020/07/28 3:54 p.m. | 4 views

HTTP/2: large amount of data requests leads to denial of service

A flaw was found in HTTP/2. An attacker can request a large amount of data by manipulating window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this queue can consume excess CPU, memory, or both, leading to a...

CVSS 7.8 | AI score 7.2 | EPSS 0.58373
Exploits: 0 | References: 8
OSV | added 2020/07/26 10:20 a.m. | 6 views

OPENSUSE-SU-2020:1063-1 Security update for tomcat

This update for tomcat fixes the following issues: Tomcat was updated to 9.0.36 See changelog at - CVE-2020-11996: Fixed an issue in which sending a specially crafted sequence of HTTP/2 requests could have triggered high CPU usage for several seconds, potentially making the server unresponsive...

CVSS 7.5 | AI score 7.5 | EPSS 0.26699
Exploits: 0 | References: 3
OSV | added 2020/07/14 3:15 p.m. | 1 view

UBUNTU-CVE-2020-13934

An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service...

CVSS 7.5 | AI score 7.2 | EPSS 0.64124
Exploits: 0 | References: 5
RedHat Linux | added 2020/07/01 6:46 p.m. | 7 views

envoy: Resource exhaustion via HTTP/2 client requests with large payloads and improper stream windows

Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier is susceptible to increased memory usage in the case where an HTTP/2 client requests a large payload but does not send enough window updates to consume the entire stream and does not reset the stream...

CVSS 7.5 | AI score 7.1 | EPSS 0.01703
Exploits: 0 | References: 5