CVSS3: 7.5 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | HIGH |

CVSS2: 7.8 High (AV:N/AC:L/Au:N/C:N/I:N/A:C)

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | COMPLETE |

EPSS: 0.154 Low (Percentile 95.8%)

Some HTTP/2 implementations are vulnerable to ping floods, potentially
leading to a denial of service. The attacker sends continual pings to an
HTTP/2 peer, causing the peer to build an internal queue of responses.
Depending on how efficiently this data is queued, this can consume excess
CPU, memory, or both.
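
The queue growth described above can be bounded by capping how many PING replies a connection may have pending. The following is an added example, not code from any of the projects listed on this page; `PingBudget`, `MaxQueued`, `Feed` and `pingFrame` are hypothetical names, and the limit of 100 and the sample frames are constructed.

```go
package main

import "bytes"
import "fmt"

const (
	frameHeaderLen = 9   // RFC 7540 section 4.1
	typePing       = 0x6 // RFC 7540 section 6.7
	flagAck        = 0x1
)

// PingBudget bounds how many PING ACKs may wait in the outbound queue.
type PingBudget struct {
	MaxQueued int // assumed limit, tune per deployment
	queued    int
}

// Feed walks the complete frames in buf; writable reports whether each ACK
// can be written at once. Returns PINGs seen and false once over budget.
func (b *PingBudget) Feed(buf []byte, writable bool) (int, bool) {
	pings := 0
	for len(buf) >= frameHeaderLen {
		length := int(buf[0])<<16 | int(buf[1])<<8 | int(buf[2])
		if len(buf) < frameHeaderLen+length {
			break // partial frame, wait for more bytes
		}
		if buf[3] == typePing && buf[4]&flagAck == 0 {
			pings++
			if !writable {
				b.queued++ // reply stays queued until the peer reads
			}
			if b.queued > b.MaxQueued {
				return pings, false // caller sends GOAWAY and closes
			}
		}
		buf = buf[frameHeaderLen+length:]
	}
	return pings, true
}

// pingFrame returns one constructed PING frame (8-byte opaque payload).
func pingFrame() []byte {
	return []byte{0, 0, 8, typePing, 0, 0, 0, 0, 0, 1, 2, 3, 4, 5, 6, 7, 8}
}

func main() {
	flood := bytes.Repeat(pingFrame(), 1000) // constructed input
	fmt.Println((&PingBudget{MaxQueued: 100}).Feed(flood, false))
}
```

A peer that keeps reading its ACKs never trips the budget; only a connection whose replies pile up is cut off.
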
Author | Note |
---|---|
sbeattie | nginx added http2 support in 1.9.5; nginx previously fixed issue for CVE-2018-16844; netty added http2 support in 4.1.0; nghttp2: nghttpd and nghttp are affected, libnghttp2 is not; twisted added http2 support in 16.3; trafficserver enabled http2 support by default in 7.0 |
mdeslaur | Packages built using golang need to be rebuilt once the vulnerability has been fixed. This CVE entry does not list packages that need rebuilding outside of the main repository or the Ubuntu variants with PPA overlays. |
OS | OS Version | Architecture | Package | Affected Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | golang-1.10 | < any | UNKNOWN |
ubuntu | 14.04 | noarch | golang-1.10 | < any | UNKNOWN |
ubuntu | 16.04 | noarch | golang-1.10 | < any | UNKNOWN |
ubuntu | 16.04 | noarch | golang-1.6 | < any | UNKNOWN |
ubuntu | 18.04 | noarch | golang-1.8 | < any | UNKNOWN |
ubuntu | 18.04 | noarch | golang-1.9 | < any | UNKNOWN |
ubuntu | 18.04 | noarch | h2o | < any | UNKNOWN |
ubuntu | 19.04 | noarch | h2o | < 2.2.5+dfsg2-2+deb10u1build0.19.04.1 | UNKNOWN |
ubuntu | 18.04 | noarch | netty | < 1:4.1.7-4ubuntu0.1+esm1 | UNKNOWN |
ubuntu | 20.04 | noarch | netty | < any | UNKNOWN |
blog.kazuhooku.com/2019/08/h2o-version-226-230-beta2-released.html
github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
github.com/netty/netty/pull/9460
labs.twistedmatrix.com/2019/11/twisted-19100-released.html
launchpad.net/bugs/cve/CVE-2019-9512
netty.io/news/2019/08/13/4-1-39-Final.html
nvd.nist.gov/vuln/detail/CVE-2019-9512
security-tracker.debian.org/tracker/CVE-2019-9512
ubuntu.com/security/notices/USN-4308-1
ubuntu.com/security/notices/USN-4866-1
www.cve.org/CVERecord?id=CVE-2019-9512