Vulnerability Details: CVE-2024-27316
Potential exploit
HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.
Products affected by CVE-2024-27316
- cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:ontap:9:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2024-27316
- EPSS score: 90.45% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~100% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2024-27316
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2024-08-01 |
| 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | 2024-06-06 |
| 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | N/A | N/A | RedHat-CVE-2024-27316 | 2024-04-03 |
CWE ids for CVE-2024-27316
- The product does not properly control the allocation and maintenance of a limited resource. Assigned by: security@apache.org (Secondary)
- The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor. Assigned by: nvd@nist.gov (Secondary), security@apache.org (Primary)
References for CVE-2024-27316
- https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html ([SECURITY] [DLA 3818-1] apache2 security update)
- http://www.openwall.com/lists/oss-security/2024/04/03/16 (oss-security - CERT/CC VU#421644: HTTP/2 CONTINUATION frames can be utilized for DoS attacks; Mailing List)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QKKDVFWBKIHCC3WXNH3W75WWY4NW42OB/ ([SECURITY] Fedora 40 Update: mod_http2-2.0.27-1.fc40 - package-announce - Fedora Mailing-Lists; Release Notes)
- https://security.netapp.com/advisory/ntap-20240415-0013/ (April 2024 Apache HTTP Server Vulnerabilities in NetApp Products | NetApp Product Security; Third Party Advisory)
- https://httpd.apache.org/security/vulnerabilities_24.html (httpd 2.4 vulnerabilities - The Apache HTTP Server Project; Product; Release Notes)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FO73U3SLBYFGIW2YKXOK7RI4D6DJSZ2B/ ([SECURITY] Fedora 38 Update: mod_http2-2.0.27-1.fc38 - package-announce - Fedora Mailing-Lists; Release Notes)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MIUBKSCJGPJ6M2U63V6BKFDF725ODLG7/ ([SECURITY] Fedora 39 Update: mod_http2-2.0.27-1.fc39 - package-announce - Fedora Mailing-Lists; Release Notes)
- https://support.apple.com/kb/HT214119 (About the security content of macOS Sonoma 14.6 - Apple Support)
- http://seclists.org/fulldisclosure/2024/Jul/18 (Full Disclosure: APPLE-SA-07-29-2024-4 macOS Sonoma 14.6)
- http://www.openwall.com/lists/oss-security/2024/04/04/4 (oss-security - CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames; Mailing List)
- https://www.openwall.com/lists/oss-security/2024/04/03/16 (oss-security - CERT/CC VU#421644: HTTP/2 CONTINUATION frames can be utilized for DoS attacks)