CVE-2019-9516

January 16, 2021

Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory.

Summary:

Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory.

Reference Links(if available):

  • https://kb.cert.org/vuls/id/605641/
  • https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
  • https://seclists.org/bugtraq/2019/Aug/24
  • https://usn.ubuntu.com/4099-1/
  • http://seclists.org/fulldisclosure/2019/Aug/16

    • CVSS Score (if available)

    v2: / MEDIUMAV:N/AC:L/Au:N/C:N/I:N/A:C

    v3: / HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    Links to Exploits(if available)

  • You may have missed

    brute ratel c4

    Brute Ratel C4 Detected – 52[.]68[.]181[.]183:80

    November 17, 2024
    image

    [CHORT] – Ransomware Victim: texanscan[.]org

    November 17, 2024
    image

    [CHORT] – Ransomware Victim: hartwick[.]edu

    November 17, 2024
    image

    [CHORT] – Ransomware Victim: edwardsburgschoolsfoundation[.]org

    November 17, 2024
    image

    [CHORT] – Ransomware Victim: Tri-TechElectronics[.]com

    November 17, 2024