CVE-2018-11763
high-risk
Published 2018-09-25
In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout taking effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol.
Do I need to act?
17.4% chance of exploitation in next 30 days
EPSS score — higher than 83% of all CVEs
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 5.9/10 · Medium
Attack vector NETWORK / HIGH complexity
Affected Products (17)
References (52)
Third Party Advisory: http://www.securityfocus.com/bid/105414
Third Party Advisory: http://www.securitytracker.com/id/1041713
Third Party Advisory: https://access.redhat.com/errata/RHSA-2018:3558
Third Party Advisory: https://access.redhat.com/errata/RHSA-2019:0366
Third Party Advisory: https://access.redhat.com/errata/RHSA-2019:0367
Vendor Advisory: https://httpd.apache.org/security/vulnerabilities_24.html
and 32 more references
50/100 · high-risk
Severity
18/34 · Moderate
Exploitability
13/34 · Low
Exposure
19/34 · Moderate