Vulnerability Details : CVE-2019-9511
Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
Vulnerability category: Denial of service
Threat overview for CVE-2019-9511
Top countries where our scanners detected CVE-2019-9511
Top open port discovered on systems with this issue
80
IPs affected by CVE-2019-9511 816,808
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2019-9511!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2019-9511
Probability of exploitation activity in the next 30 days: 9.69%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 95 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2019-9511
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
7.8
|
HIGH | AV:N/AC:L/Au:N/C:N/I:N/A:C |
10.0
|
6.9
|
NIST |
|
7.5
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
CERT/CC |
|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2019-9511
-
The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.Assigned by: cret@cert.org (Secondary)
-
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-9511
-
https://access.redhat.com/errata/RHSA-2019:2775
RHSA-2019:2775 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/POPAEC4FWL4UU4LDEGPY5NPALU24FFQD/
[SECURITY] Fedora 29 Update: nginx-1.16.1-1.fc29 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/
[SECURITY] Fedora 29 Update: mod_http2-1.15.3-2.fc29 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://www.debian.org/security/2020/dsa-4669
Debian -- Security Information -- DSA-4669-1 nodejsThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:2745
RHSA-2019:2745 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://usn.ubuntu.com/4099-1/
USN-4099-1: nginx vulnerabilities | Ubuntu security noticesThird Party Advisory
-
https://www.oracle.com/security-alerts/cpuoct2020.html
Oracle Critical Patch Update Advisory - October 2020Third Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:2939
RHSA-2019:2939 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
Page not found | OraclePatch;Third Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00014.html
[security-announce] openSUSE-SU-2019:2264-1: moderate: Security update fMailing List;Third Party Advisory
-
https://www.synology.com/security/advisory/Synology_SA_19_33
Synology Inc.Third Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:2966
RHSA-2019:2966 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:2955
RHSA-2019:2955 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JUBYAF6ED3O4XCHQ5C2HYENJLXYXZC4M/
[SECURITY] Fedora 29 Update: nghttp2-1.39.2-1.fc29 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:2925
RHSA-2019:2925 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://seclists.org/bugtraq/2019/Aug/40
Bugtraq: [SECURITY] [DSA 4505-1] nginx security updateMailing List;Third Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:2949
RHSA-2019:2949 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:2799
RHSA-2019:2799 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:2746
RHSA-2019:2746 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00003.html
[security-announce] openSUSE-SU-2019:2232-1: moderate: Security update fMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LZLUYPYY3RX4ZJDWZRJIKSULYRJ4PXW7/
[SECURITY] Fedora 30 Update: nghttp2-1.39.2-1.fc30 - package-announce - Fedora Mailing-ListsThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:4020
RHSA-2019:4020 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://security.netapp.com/advisory/ntap-20190823-0002/
August 2019 NGINX Vulnerabilities in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://seclists.org/bugtraq/2019/Sep/1
Bugtraq: [SECURITY] [DSA 4511-1] nghttp2 security updateMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/
[SECURITY] Fedora 30 Update: nginx-1.16.1-1.fc30 - package-announce - Fedora Mailing-ListsThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:4018
RHSA-2019:4018 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://www.oracle.com/security-alerts/cpujan2021.html
Oracle Critical Patch Update Advisory - January 2021Third Party Advisory
-
https://www.debian.org/security/2019/dsa-4511
Debian -- Security Information -- DSA-4511-1 nghttp2Third Party Advisory
-
https://kb.cert.org/vuls/id/605641/
VU#605641 - HTTP/2 implementations do not robustly handle abnormal traffic and resource exhaustionThird Party Advisory;US Government Resource
-
https://access.redhat.com/errata/RHSA-2019:3041
RHSA-2019:3041 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:2692
RHSA-2019:2692 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html
[security-announce] openSUSE-SU-2019:2114-1: important: Security updateMailing List;Third Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:3935
RHSA-2019:3935 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://support.f5.com/csp/article/K02591030
Third Party Advisory
-
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
security-bulletins/2019-002.md at master · Netflix/security-bulletins · GitHubThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:3932
RHSA-2019:3932 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://support.f5.com/csp/article/K02591030?utm_source=f5support&utm_medium=RSS
Third Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:3933
RHSA-2019:3933 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html
[security-announce] openSUSE-SU-2019:2120-1: important: Security updateMailing List;Third Party Advisory
-
https://www.debian.org/security/2019/dsa-4505
Debian -- Security Information -- DSA-4505-1 nginxThird Party Advisory
-
https://security.netapp.com/advisory/ntap-20190823-0005/
August 2019 Node.js Vulnerabilities in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:4019
RHSA-2019:4019 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://kc.mcafee.com/corporate/index?page=content&id=SB10296
McAfee Security Bulletin - Updates and product status for HTTP/2 vulnerabilities (CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, CVE-2019-9517, CVE-2019-9518Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/
[SECURITY] Fedora 30 Update: mod_http2-1.15.3-2.fc30 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html
[security-announce] openSUSE-SU-2019:2115-1: important: Security updateMailing List;Third Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:4021
RHSA-2019:4021 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00005.html
[security-announce] openSUSE-SU-2019:2234-1: moderate: Security update fMailing List;Third Party Advisory
Products affected by CVE-2019-9511
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_core_services:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:quay:3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openshift_service_mesh:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:apple:swiftnio:*:*:*:*:*:*:*:*When used together with: Canonical » Ubuntu Linux
- cpe:2.3:a:oracle:enterprise_communications_broker:3.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_communications_broker:3.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:graalvm:19.2.0:*:*:*:enterprise:*:*:*
- cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*
- cpe:2.3:a:mcafee:web_gateway:*:*:*:*:*:*:*:*
- cpe:2.3:a:mcafee:web_gateway:*:*:*:*:*:*:*:*
- cpe:2.3:a:mcafee:web_gateway:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
- cpe:2.3:a:synology:diskstation_manager:6.2:*:*:*:*:*:*:*
- cpe:2.3:a:synology:skynas:-:*:*:*:*:*:*:*
- cpe:2.3:o:synology:vs960hd_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
- cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
- cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
- cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
- cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*