CVE-2019-9513

high-risk

Published 2019-08-13

Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.

Do I need to act?

6.7% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (20)

Swiftnio

Traffic Server

Ubuntu Linux

Debian Linux

Fedora

Skynas

Diskstation Manager

Vs960Hd Firmware

Fedora

Leap

Jboss Core Services

Jboss Enterprise Application Platform

Openshift Service Mesh

Quay

Software Collections

Affected Vendors

Debian Redhat Apache Apple Oracle F5 Mcafee Canonical Fedoraproject Opensuse Synology Nodejs

References (84)

Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00003.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00005.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00014.html

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:2692

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:2745

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:2746

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:2775

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:2799

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:2925

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:2939

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:2949

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:2955

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:2966

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:3041

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:3932

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:3933

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:3935

and 64 more references

/ 100

high-risk

Severity 26/34 · High

Exploitability 9/34 · Low

Exposure 22/34 · High