Vulnerability DatabaseCVE-2019-9515
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2019-9515
August 13, 2019
Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
Related Resources (48)
http://seclists.org/fulldisclosure/2019/Aug/16
https://www.debian.org/security/2019/dsa-4520
https://access.redhat.com/errata/RHSA-2019:2925
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/
https://access.redhat.com/errata/RHSA-2019:4045
https://seclists.org/bugtraq/2019/Aug/24
https://usn.ubuntu.com/4308-1/
https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19@%3Cannounce.trafficserver.apache.org%3E
https://access.redhat.com/errata/RHSA-2019:2861
https://support.f5.com/csp/article/K50233772
https://seclists.org/bugtraq/2019/Sep/18
https://access.redhat.com/errata/RHSA-2019:4020
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html
https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E
https://security.alpinelinux.org/vuln/CVE-2019-9515
https://access.redhat.com/errata/RHSA-2019:4021
https://support.f5.com/csp/article/K50233772?utm_source=f5support&amp%3Butm_medium=RSS
https://access.redhat.com/errata/RHSA-2019:2939
https://support.f5.com/csp/article/K50233772?utm_source=f5support&utm_medium=RSS
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
https://access.redhat.com/errata/RHSA-2019:4352
https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E
https://access.redhat.com/errata/RHSA-2019:2796
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9515
https://security.netapp.com/advisory/ntap-20190823-0005/
https://access.redhat.com/errata/RHSA-2020:0727
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/
https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7@%3Cdev.trafficserver.apache.org%3E
https://access.redhat.com/security/cve/CVE-2019-9515
https://access.redhat.com/errata/RHSA-2019:4041
https://security-tracker.debian.org/tracker/CVE-2019-9515
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/
https://access.redhat.com/errata/RHSA-2019:3892
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/
https://access.redhat.com/errata/RHSA-2019:2766
https://access.redhat.com/errata/RHSA-2019:4018
https://access.redhat.com/errata/RHSA-2019:2955
https://seclists.org/bugtraq/2019/Aug/43
https://www.synology.com/security/advisory/Synology_SA_19_33
https://access.redhat.com/errata/RHSA-2019:4019
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html
https://access.redhat.com/errata/RHSA-2019:4040
https://access.redhat.com/errata/RHSA-2019:4042
https://kc.mcafee.com/corporate/index?page=content&id=SB10296
https://www.debian.org/security/2019/dsa-4508
https://kb.cert.org/vuls/id/605641/
https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E
https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04@%3Cusers.trafficserver.apache.org%3E
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.7
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
NONE
Availability
HIGH
CVSS v2
Base Score:
7.8
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
Weakness Type (CWE)
Uncontrolled Resource Consumption
CWE-400
Allocation of Resources Without Limits or Throttling
CWE-770
EPSS
Base Score:
10.39