csaf_opensuse - opensuse-su-2024:11091-1

OPENSUSE-SU-2024:11091-1

Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

Summary

libnghttp2-14-1.43.0-1.6 on GA media

Notes

Title of the patch

libnghttp2-14-1.43.0-1.6 on GA media

Description of the patch

These are all security issues fixed in the libnghttp2-14-1.43.0-1.6 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2024-11091

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "libnghttp2-14-1.43.0-1.6 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the libnghttp2-14-1.43.0-1.6 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-11091",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_11091-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2018-1000168 page",
        "url": "https://www.suse.com/security/cve/CVE-2018-1000168/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-9511 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-9511/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-11080 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-11080/"
      }
    ],
    "title": "libnghttp2-14-1.43.0-1.6 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:11091-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libnghttp2-14-1.43.0-1.6.aarch64",
                "product": {
                  "name": "libnghttp2-14-1.43.0-1.6.aarch64",
                  "product_id": "libnghttp2-14-1.43.0-1.6.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "libnghttp2-14-32bit-1.43.0-1.6.aarch64",
                "product": {
                  "name": "libnghttp2-14-32bit-1.43.0-1.6.aarch64",
                  "product_id": "libnghttp2-14-32bit-1.43.0-1.6.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "libnghttp2-devel-1.43.0-1.6.aarch64",
                "product": {
                  "name": "libnghttp2-devel-1.43.0-1.6.aarch64",
                  "product_id": "libnghttp2-devel-1.43.0-1.6.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "libnghttp2_asio-devel-1.43.0-1.6.aarch64",
                "product": {
                  "name": "libnghttp2_asio-devel-1.43.0-1.6.aarch64",
                  "product_id": "libnghttp2_asio-devel-1.43.0-1.6.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "libnghttp2_asio1-1.43.0-1.6.aarch64",
                "product": {
                  "name": "libnghttp2_asio1-1.43.0-1.6.aarch64",
                  "product_id": "libnghttp2_asio1-1.43.0-1.6.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "libnghttp2_asio1-32bit-1.43.0-1.6.aarch64",
                "product": {
                  "name": "libnghttp2_asio1-32bit-1.43.0-1.6.aarch64",
                  "product_id": "libnghttp2_asio1-32bit-1.43.0-1.6.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "nghttp2-1.43.0-1.6.aarch64",
                "product": {
                  "name": "nghttp2-1.43.0-1.6.aarch64",
                  "product_id": "nghttp2-1.43.0-1.6.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libnghttp2-14-1.43.0-1.6.ppc64le",
                "product": {
                  "name": "libnghttp2-14-1.43.0-1.6.ppc64le",
                  "product_id": "libnghttp2-14-1.43.0-1.6.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "libnghttp2-14-32bit-1.43.0-1.6.ppc64le",
                "product": {
                  "name": "libnghttp2-14-32bit-1.43.0-1.6.ppc64le",
                  "product_id": "libnghttp2-14-32bit-1.43.0-1.6.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "libnghttp2-devel-1.43.0-1.6.ppc64le",
                "product": {
                  "name": "libnghttp2-devel-1.43.0-1.6.ppc64le",
                  "product_id": "libnghttp2-devel-1.43.0-1.6.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "libnghttp2_asio-devel-1.43.0-1.6.ppc64le",
                "product": {
                  "name": "libnghttp2_asio-devel-1.43.0-1.6.ppc64le",
                  "product_id": "libnghttp2_asio-devel-1.43.0-1.6.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "libnghttp2_asio1-1.43.0-1.6.ppc64le",
                "product": {
                  "name": "libnghttp2_asio1-1.43.0-1.6.ppc64le",
                  "product_id": "libnghttp2_asio1-1.43.0-1.6.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "libnghttp2_asio1-32bit-1.43.0-1.6.ppc64le",
                "product": {
                  "name": "libnghttp2_asio1-32bit-1.43.0-1.6.ppc64le",
                  "product_id": "libnghttp2_asio1-32bit-1.43.0-1.6.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "nghttp2-1.43.0-1.6.ppc64le",
                "product": {
                  "name": "nghttp2-1.43.0-1.6.ppc64le",
                  "product_id": "nghttp2-1.43.0-1.6.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libnghttp2-14-1.43.0-1.6.s390x",
                "product": {
                  "name": "libnghttp2-14-1.43.0-1.6.s390x",
                  "product_id": "libnghttp2-14-1.43.0-1.6.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "libnghttp2-14-32bit-1.43.0-1.6.s390x",
                "product": {
                  "name": "libnghttp2-14-32bit-1.43.0-1.6.s390x",
                  "product_id": "libnghttp2-14-32bit-1.43.0-1.6.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "libnghttp2-devel-1.43.0-1.6.s390x",
                "product": {
                  "name": "libnghttp2-devel-1.43.0-1.6.s390x",
                  "product_id": "libnghttp2-devel-1.43.0-1.6.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "libnghttp2_asio-devel-1.43.0-1.6.s390x",
                "product": {
                  "name": "libnghttp2_asio-devel-1.43.0-1.6.s390x",
                  "product_id": "libnghttp2_asio-devel-1.43.0-1.6.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "libnghttp2_asio1-1.43.0-1.6.s390x",
                "product": {
                  "name": "libnghttp2_asio1-1.43.0-1.6.s390x",
                  "product_id": "libnghttp2_asio1-1.43.0-1.6.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "libnghttp2_asio1-32bit-1.43.0-1.6.s390x",
                "product": {
                  "name": "libnghttp2_asio1-32bit-1.43.0-1.6.s390x",
                  "product_id": "libnghttp2_asio1-32bit-1.43.0-1.6.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "nghttp2-1.43.0-1.6.s390x",
                "product": {
                  "name": "nghttp2-1.43.0-1.6.s390x",
                  "product_id": "nghttp2-1.43.0-1.6.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libnghttp2-14-1.43.0-1.6.x86_64",
                "product": {
                  "name": "libnghttp2-14-1.43.0-1.6.x86_64",
                  "product_id": "libnghttp2-14-1.43.0-1.6.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "libnghttp2-14-32bit-1.43.0-1.6.x86_64",
                "product": {
                  "name": "libnghttp2-14-32bit-1.43.0-1.6.x86_64",
                  "product_id": "libnghttp2-14-32bit-1.43.0-1.6.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "libnghttp2-devel-1.43.0-1.6.x86_64",
                "product": {
                  "name": "libnghttp2-devel-1.43.0-1.6.x86_64",
                  "product_id": "libnghttp2-devel-1.43.0-1.6.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "libnghttp2_asio-devel-1.43.0-1.6.x86_64",
                "product": {
                  "name": "libnghttp2_asio-devel-1.43.0-1.6.x86_64",
                  "product_id": "libnghttp2_asio-devel-1.43.0-1.6.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "libnghttp2_asio1-1.43.0-1.6.x86_64",
                "product": {
                  "name": "libnghttp2_asio1-1.43.0-1.6.x86_64",
                  "product_id": "libnghttp2_asio1-1.43.0-1.6.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "libnghttp2_asio1-32bit-1.43.0-1.6.x86_64",
                "product": {
                  "name": "libnghttp2_asio1-32bit-1.43.0-1.6.x86_64",
                  "product_id": "libnghttp2_asio1-32bit-1.43.0-1.6.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "nghttp2-1.43.0-1.6.x86_64",
                "product": {
                  "name": "nghttp2-1.43.0-1.6.x86_64",
                  "product_id": "nghttp2-1.43.0-1.6.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libnghttp2-14-1.43.0-1.6.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libnghttp2-14-1.43.0-1.6.aarch64"
        },
        "product_reference": "libnghttp2-14-1.43.0-1.6.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libnghttp2-14-1.43.0-1.6.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libnghttp2-14-1.43.0-1.6.ppc64le"
        },
        "product_reference": "libnghttp2-14-1.43.0-1.6.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libnghttp2-14-1.43.0-1.6.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libnghttp2-14-1.43.0-1.6.s390x"
        },
        "product_reference": "libnghttp2-14-1.43.0-1.6.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libnghttp2-14-1.43.0-1.6.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libnghttp2-14-1.43.0-1.6.x86_64"
        },
        "product_reference": "libnghttp2-14-1.43.0-1.6.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libnghttp2-14-32bit-1.43.0-1.6.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libnghttp2-14-32bit-1.43.0-1.6.aarch64"
        },
        "product_reference": "libnghttp2-14-32bit-1.43.0-1.6.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libnghttp2-14-32bit-1.43.0-1.6.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libnghttp2-14-32bit-1.43.0-1.6.ppc64le"
        },
        "product_reference": "libnghttp2-14-32bit-1.43.0-1.6.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libnghttp2-14-32bit-1.43.0-1.6.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libnghttp2-14-32bit-1.43.0-1.6.s390x"
        },
        "product_reference": "libnghttp2-14-32bit-1.43.0-1.6.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libnghttp2-14-32bit-1.43.0-1.6.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libnghttp2-14-32bit-1.43.0-1.6.x86_64"
        },
        "product_reference": "libnghttp2-14-32bit-1.43.0-1.6.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libnghttp2-devel-1.43.0-1.6.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libnghttp2-devel-1.43.0-1.6.aarch64"
        },
        "product_reference": "libnghttp2-devel-1.43.0-1.6.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libnghttp2-devel-1.43.0-1.6.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libnghttp2-devel-1.43.0-1.6.ppc64le"
        },
        "product_reference": "libnghttp2-devel-1.43.0-1.6.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libnghttp2-devel-1.43.0-1.6.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libnghttp2-devel-1.43.0-1.6.s390x"
        },
        "product_reference": "libnghttp2-devel-1.43.0-1.6.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libnghttp2-devel-1.43.0-1.6.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libnghttp2-devel-1.43.0-1.6.x86_64"
        },
        "product_reference": "libnghttp2-devel-1.43.0-1.6.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libnghttp2_asio-devel-1.43.0-1.6.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libnghttp2_asio-devel-1.43.0-1.6.aarch64"
        },
        "product_reference": "libnghttp2_asio-devel-1.43.0-1.6.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libnghttp2_asio-devel-1.43.0-1.6.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libnghttp2_asio-devel-1.43.0-1.6.ppc64le"
        },
        "product_reference": "libnghttp2_asio-devel-1.43.0-1.6.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libnghttp2_asio-devel-1.43.0-1.6.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libnghttp2_asio-devel-1.43.0-1.6.s390x"
        },
        "product_reference": "libnghttp2_asio-devel-1.43.0-1.6.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libnghttp2_asio-devel-1.43.0-1.6.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libnghttp2_asio-devel-1.43.0-1.6.x86_64"
        },
        "product_reference": "libnghttp2_asio-devel-1.43.0-1.6.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libnghttp2_asio1-1.43.0-1.6.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libnghttp2_asio1-1.43.0-1.6.aarch64"
        },
        "product_reference": "libnghttp2_asio1-1.43.0-1.6.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libnghttp2_asio1-1.43.0-1.6.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libnghttp2_asio1-1.43.0-1.6.ppc64le"
        },
        "product_reference": "libnghttp2_asio1-1.43.0-1.6.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libnghttp2_asio1-1.43.0-1.6.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libnghttp2_asio1-1.43.0-1.6.s390x"
        },
        "product_reference": "libnghttp2_asio1-1.43.0-1.6.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libnghttp2_asio1-1.43.0-1.6.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libnghttp2_asio1-1.43.0-1.6.x86_64"
        },
        "product_reference": "libnghttp2_asio1-1.43.0-1.6.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libnghttp2_asio1-32bit-1.43.0-1.6.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libnghttp2_asio1-32bit-1.43.0-1.6.aarch64"
        },
        "product_reference": "libnghttp2_asio1-32bit-1.43.0-1.6.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libnghttp2_asio1-32bit-1.43.0-1.6.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libnghttp2_asio1-32bit-1.43.0-1.6.ppc64le"
        },
        "product_reference": "libnghttp2_asio1-32bit-1.43.0-1.6.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libnghttp2_asio1-32bit-1.43.0-1.6.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libnghttp2_asio1-32bit-1.43.0-1.6.s390x"
        },
        "product_reference": "libnghttp2_asio1-32bit-1.43.0-1.6.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libnghttp2_asio1-32bit-1.43.0-1.6.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libnghttp2_asio1-32bit-1.43.0-1.6.x86_64"
        },
        "product_reference": "libnghttp2_asio1-32bit-1.43.0-1.6.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nghttp2-1.43.0-1.6.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:nghttp2-1.43.0-1.6.aarch64"
        },
        "product_reference": "nghttp2-1.43.0-1.6.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nghttp2-1.43.0-1.6.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:nghttp2-1.43.0-1.6.ppc64le"
        },
        "product_reference": "nghttp2-1.43.0-1.6.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nghttp2-1.43.0-1.6.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:nghttp2-1.43.0-1.6.s390x"
        },
        "product_reference": "nghttp2-1.43.0-1.6.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nghttp2-1.43.0-1.6.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:nghttp2-1.43.0-1.6.x86_64"
        },
        "product_reference": "nghttp2-1.43.0-1.6.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2018-1000168",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2018-1000168"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "nghttp2 version \u003e= 1.10.0 and nghttp2 \u003c= v1.31.0 contains an Improper Input Validation CWE-20 vulnerability in ALTSVC frame handling that can result in segmentation fault leading to denial of service. This attack appears to be exploitable via network client. This vulnerability appears to have been fixed in \u003e= 1.31.1.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:libnghttp2-14-1.43.0-1.6.aarch64",
          "openSUSE Tumbleweed:libnghttp2-14-1.43.0-1.6.ppc64le",
          "openSUSE Tumbleweed:libnghttp2-14-1.43.0-1.6.s390x",
          "openSUSE Tumbleweed:libnghttp2-14-1.43.0-1.6.x86_64",
          "openSUSE Tumbleweed:libnghttp2-14-32bit-1.43.0-1.6.aarch64",
          "openSUSE Tumbleweed:libnghttp2-14-32bit-1.43.0-1.6.ppc64le",
          "openSUSE Tumbleweed:libnghttp2-14-32bit-1.43.0-1.6.s390x",
          "openSUSE Tumbleweed:libnghttp2-14-32bit-1.43.0-1.6.x86_64",
          "openSUSE Tumbleweed:libnghttp2-devel-1.43.0-1.6.aarch64",
          "openSUSE Tumbleweed:libnghttp2-devel-1.43.0-1.6.ppc64le",
          "openSUSE Tumbleweed:libnghttp2-devel-1.43.0-1.6.s390x",
          "openSUSE Tumbleweed:libnghttp2-devel-1.43.0-1.6.x86_64",
          "openSUSE Tumbleweed:libnghttp2_asio-devel-1.43.0-1.6.aarch64",
          "openSUSE Tumbleweed:libnghttp2_asio-devel-1.43.0-1.6.ppc64le",
          "openSUSE Tumbleweed:libnghttp2_asio-devel-1.43.0-1.6.s390x",
          "openSUSE Tumbleweed:libnghttp2_asio-devel-1.43.0-1.6.x86_64",
          "openSUSE Tumbleweed:libnghttp2_asio1-1.43.0-1.6.aarch64",
          "openSUSE Tumbleweed:libnghttp2_asio1-1.43.0-1.6.ppc64le",
          "openSUSE Tumbleweed:libnghttp2_asio1-1.43.0-1.6.s390x",
          "openSUSE Tumbleweed:libnghttp2_asio1-1.43.0-1.6.x86_64",
          "openSUSE Tumbleweed:libnghttp2_asio1-32bit-1.43.0-1.6.aarch64",
          "openSUSE Tumbleweed:libnghttp2_asio1-32bit-1.43.0-1.6.ppc64le",
          "openSUSE Tumbleweed:libnghttp2_asio1-32bit-1.43.0-1.6.s390x",
          "openSUSE Tumbleweed:libnghttp2_asio1-32bit-1.43.0-1.6.x86_64",
          "openSUSE Tumbleweed:nghttp2-1.43.0-1.6.aarch64",
          "openSUSE Tumbleweed:nghttp2-1.43.0-1.6.ppc64le",
          "openSUSE Tumbleweed:nghttp2-1.43.0-1.6.s390x",
          "openSUSE Tumbleweed:nghttp2-1.43.0-1.6.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2018-1000168",
          "url": "https://www.suse.com/security/cve/CVE-2018-1000168"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1088639 for CVE-2018-1000168",
          "url": "https://bugzilla.suse.com/1088639"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1097401 for CVE-2018-1000168",
          "url": "https://bugzilla.suse.com/1097401"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:libnghttp2-14-1.43.0-1.6.aarch64",
            "openSUSE Tumbleweed:libnghttp2-14-1.43.0-1.6.ppc64le",
            "openSUSE Tumbleweed:libnghttp2-14-1.43.0-1.6.s390x",
            "openSUSE Tumbleweed:libnghttp2-14-1.43.0-1.6.x86_64",
            "openSUSE Tumbleweed:libnghttp2-14-32bit-1.43.0-1.6.aarch64",
            "openSUSE Tumbleweed:libnghttp2-14-32bit-1.43.0-1.6.ppc64le",
            "openSUSE Tumbleweed:libnghttp2-14-32bit-1.43.0-1.6.s390x",
            "openSUSE Tumbleweed:libnghttp2-14-32bit-1.43.0-1.6.x86_64",
            "openSUSE Tumbleweed:libnghttp2-devel-1.43.0-1.6.aarch64",
            "openSUSE Tumbleweed:libnghttp2-devel-1.43.0-1.6.ppc64le",
            "openSUSE Tumbleweed:libnghttp2-devel-1.43.0-1.6.s390x",
            "openSUSE Tumbleweed:libnghttp2-devel-1.43.0-1.6.x86_64",
            "openSUSE Tumbleweed:libnghttp2_asio-devel-1.43.0-1.6.aarch64",
            "openSUSE Tumbleweed:libnghttp2_asio-devel-1.43.0-1.6.ppc64le",
            "openSUSE Tumbleweed:libnghttp2_asio-devel-1.43.0-1.6.s390x",
            "openSUSE Tumbleweed:libnghttp2_asio-devel-1.43.0-1.6.x86_64",
            "openSUSE Tumbleweed:libnghttp2_asio1-1.43.0-1.6.aarch64",
            "openSUSE Tumbleweed:libnghttp2_asio1-1.43.0-1.6.ppc64le",
            "openSUSE Tumbleweed:libnghttp2_asio1-1.43.0-1.6.s390x",
            "openSUSE Tumbleweed:libnghttp2_asio1-1.43.0-1.6.x86_64",
            "openSUSE Tumbleweed:libnghttp2_asio1-32bit-1.43.0-1.6.aarch64",
            "openSUSE Tumbleweed:libnghttp2_asio1-32bit-1.43.0-1.6.ppc64le",
            "openSUSE Tumbleweed:libnghttp2_asio1-32bit-1.43.0-1.6.s390x",
            "openSUSE Tumbleweed:libnghttp2_asio1-32bit-1.43.0-1.6.x86_64",
            "openSUSE Tumbleweed:nghttp2-1.43.0-1.6.aarch64",
            "openSUSE Tumbleweed:nghttp2-1.43.0-1.6.ppc64le",
            "openSUSE Tumbleweed:nghttp2-1.43.0-1.6.s390x",
            "openSUSE Tumbleweed:nghttp2-1.43.0-1.6.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "products": [
            "openSUSE Tumbleweed:libnghttp2-14-1.43.0-1.6.aarch64",
            "openSUSE Tumbleweed:libnghttp2-14-1.43.0-1.6.ppc64le",
            "openSUSE Tumbleweed:libnghttp2-14-1.43.0-1.6.s390x",
            "openSUSE Tumbleweed:libnghttp2-14-1.43.0-1.6.x86_64",
            "openSUSE Tumbleweed:libnghttp2-14-32bit-1.43.0-1.6.aarch64",
            "openSUSE Tumbleweed:libnghttp2-14-32bit-1.43.0-1.6.ppc64le",
            "openSUSE Tumbleweed:libnghttp2-14-32bit-1.43.0-1.6.s390x",
            "openSUSE Tumbleweed:libnghttp2-14-32bit-1.43.0-1.6.x86_64",
            "openSUSE Tumbleweed:libnghttp2-devel-1.43.0-1.6.aarch64",
            "openSUSE Tumbleweed:libnghttp2-devel-1.43.0-1.6.ppc64le",
            "openSUSE Tumbleweed:libnghttp2-devel-1.43.0-1.6.s390x",
            "openSUSE Tumbleweed:libnghttp2-devel-1.43.0-1.6.x86_64",
            "openSUSE Tumbleweed:libnghttp2_asio-devel-1.43.0-1.6.aarch64",
            "openSUSE Tumbleweed:libnghttp2_asio-devel-1.43.0-1.6.ppc64le",
            "openSUSE Tumbleweed:libnghttp2_asio-devel-1.43.0-1.6.s390x",
            "openSUSE Tumbleweed:libnghttp2_asio-devel-1.43.0-1.6.x86_64",
            "openSUSE Tumbleweed:libnghttp2_asio1-1.43.0-1.6.aarch64",
            "openSUSE Tumbleweed:libnghttp2_asio1-1.43.0-1.6.ppc64le",
            "openSUSE Tumbleweed:libnghttp2_asio1-1.43.0-1.6.s390x",
            "openSUSE Tumbleweed:libnghttp2_asio1-1.43.0-1.6.x86_64",
            "openSUSE Tumbleweed:libnghttp2_asio1-32bit-1.43.0-1.6.aarch64",
            "openSUSE Tumbleweed:libnghttp2_asio1-32bit-1.43.0-1.6.ppc64le",
            "openSUSE Tumbleweed:libnghttp2_asio1-32bit-1.43.0-1.6.s390x",
            "openSUSE Tumbleweed:libnghttp2_asio1-32bit-1.43.0-1.6.x86_64",
            "openSUSE Tumbleweed:nghttp2-1.43.0-1.6.aarch64",
            "openSUSE Tumbleweed:nghttp2-1.43.0-1.6.ppc64le",
            "openSUSE Tumbleweed:nghttp2-1.43.0-1.6.s390x",
            "openSUSE Tumbleweed:nghttp2-1.43.0-1.6.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2018-1000168"
    },
    {
      "cve": "CVE-2019-9511",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-9511"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:libnghttp2-14-1.43.0-1.6.aarch64",
          "openSUSE Tumbleweed:libnghttp2-14-1.43.0-1.6.ppc64le",
          "openSUSE Tumbleweed:libnghttp2-14-1.43.0-1.6.s390x",
          "openSUSE Tumbleweed:libnghttp2-14-1.43.0-1.6.x86_64",
          "openSUSE Tumbleweed:libnghttp2-14-32bit-1.43.0-1.6.aarch64",
          "openSUSE Tumbleweed:libnghttp2-14-32bit-1.43.0-1.6.ppc64le",
          "openSUSE Tumbleweed:libnghttp2-14-32bit-1.43.0-1.6.s390x",
          "openSUSE Tumbleweed:libnghttp2-14-32bit-1.43.0-1.6.x86_64",
          "openSUSE Tumbleweed:libnghttp2-devel-1.43.0-1.6.aarch64",
          "openSUSE Tumbleweed:libnghttp2-devel-1.43.0-1.6.ppc64le",
          "openSUSE Tumbleweed:libnghttp2-devel-1.43.0-1.6.s390x",
          "openSUSE Tumbleweed:libnghttp2-devel-1.43.0-1.6.x86_64",
          "openSUSE Tumbleweed:libnghttp2_asio-devel-1.43.0-1.6.aarch64",
          "openSUSE Tumbleweed:libnghttp2_asio-devel-1.43.0-1.6.ppc64le",
          "openSUSE Tumbleweed:libnghttp2_asio-devel-1.43.0-1.6.s390x",
          "openSUSE Tumbleweed:libnghttp2_asio-devel-1.43.0-1.6.x86_64",
          "openSUSE Tumbleweed:libnghttp2_asio1-1.43.0-1.6.aarch64",
          "openSUSE Tumbleweed:libnghttp2_asio1-1.43.0-1.6.ppc64le",
          "openSUSE Tumbleweed:libnghttp2_asio1-1.43.0-1.6.s390x",
          "openSUSE Tumbleweed:libnghttp2_asio1-1.43.0-1.6.x86_64",
          "openSUSE Tumbleweed:libnghttp2_asio1-32bit-1.43.0-1.6.aarch64",
          "openSUSE Tumbleweed:libnghttp2_asio1-32bit-1.43.0-1.6.ppc64le",
          "openSUSE Tumbleweed:libnghttp2_asio1-32bit-1.43.0-1.6.s390x",
          "openSUSE Tumbleweed:libnghttp2_asio1-32bit-1.43.0-1.6.x86_64",
          "openSUSE Tumbleweed:nghttp2-1.43.0-1.6.aarch64",
          "openSUSE Tumbleweed:nghttp2-1.43.0-1.6.ppc64le",
          "openSUSE Tumbleweed:nghttp2-1.43.0-1.6.s390x",
          "openSUSE Tumbleweed:nghttp2-1.43.0-1.6.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-9511",
          "url": "https://www.suse.com/security/cve/CVE-2019-9511"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1145579 for CVE-2019-9511",
          "url": "https://bugzilla.suse.com/1145579"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1146091 for CVE-2019-9511",
          "url": "https://bugzilla.suse.com/1146091"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1146182 for CVE-2019-9511",
          "url": "https://bugzilla.suse.com/1146182"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1193427 for CVE-2019-9511",
          "url": "https://bugzilla.suse.com/1193427"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1202787 for CVE-2019-9511",
          "url": "https://bugzilla.suse.com/1202787"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:libnghttp2-14-1.43.0-1.6.aarch64",
            "openSUSE Tumbleweed:libnghttp2-14-1.43.0-1.6.ppc64le",
            "openSUSE Tumbleweed:libnghttp2-14-1.43.0-1.6.s390x",
            "openSUSE Tumbleweed:libnghttp2-14-1.43.0-1.6.x86_64",
            "openSUSE Tumbleweed:libnghttp2-14-32bit-1.43.0-1.6.aarch64",
            "openSUSE Tumbleweed:libnghttp2-14-32bit-1.43.0-1.6.ppc64le",
            "openSUSE Tumbleweed:libnghttp2-14-32bit-1.43.0-1.6.s390x",
            "openSUSE Tumbleweed:libnghttp2-14-32bit-1.43.0-1.6.x86_64",
            "openSUSE Tumbleweed:libnghttp2-devel-1.43.0-1.6.aarch64",
            "openSUSE Tumbleweed:libnghttp2-devel-1.43.0-1.6.ppc64le",
            "openSUSE Tumbleweed:libnghttp2-devel-1.43.0-1.6.s390x",
            "openSUSE Tumbleweed:libnghttp2-devel-1.43.0-1.6.x86_64",
            "openSUSE Tumbleweed:libnghttp2_asio-devel-1.43.0-1.6.aarch64",
            "openSUSE Tumbleweed:libnghttp2_asio-devel-1.43.0-1.6.ppc64le",
            "openSUSE Tumbleweed:libnghttp2_asio-devel-1.43.0-1.6.s390x",
            "openSUSE Tumbleweed:libnghttp2_asio-devel-1.43.0-1.6.x86_64",
            "openSUSE Tumbleweed:libnghttp2_asio1-1.43.0-1.6.aarch64",
            "openSUSE Tumbleweed:libnghttp2_asio1-1.43.0-1.6.ppc64le",
            "openSUSE Tumbleweed:libnghttp2_asio1-1.43.0-1.6.s390x",
            "openSUSE Tumbleweed:libnghttp2_asio1-1.43.0-1.6.x86_64",
            "openSUSE Tumbleweed:libnghttp2_asio1-32bit-1.43.0-1.6.aarch64",
            "openSUSE Tumbleweed:libnghttp2_asio1-32bit-1.43.0-1.6.ppc64le",
            "openSUSE Tumbleweed:libnghttp2_asio1-32bit-1.43.0-1.6.s390x",
            "openSUSE Tumbleweed:libnghttp2_asio1-32bit-1.43.0-1.6.x86_64",
            "openSUSE Tumbleweed:nghttp2-1.43.0-1.6.aarch64",
            "openSUSE Tumbleweed:nghttp2-1.43.0-1.6.ppc64le",
            "openSUSE Tumbleweed:nghttp2-1.43.0-1.6.s390x",
            "openSUSE Tumbleweed:nghttp2-1.43.0-1.6.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "products": [
            "openSUSE Tumbleweed:libnghttp2-14-1.43.0-1.6.aarch64",
            "openSUSE Tumbleweed:libnghttp2-14-1.43.0-1.6.ppc64le",
            "openSUSE Tumbleweed:libnghttp2-14-1.43.0-1.6.s390x",
            "openSUSE Tumbleweed:libnghttp2-14-1.43.0-1.6.x86_64",
            "openSUSE Tumbleweed:libnghttp2-14-32bit-1.43.0-1.6.aarch64",
            "openSUSE Tumbleweed:libnghttp2-14-32bit-1.43.0-1.6.ppc64le",
            "openSUSE Tumbleweed:libnghttp2-14-32bit-1.43.0-1.6.s390x",
            "openSUSE Tumbleweed:libnghttp2-14-32bit-1.43.0-1.6.x86_64",
            "openSUSE Tumbleweed:libnghttp2-devel-1.43.0-1.6.aarch64",
            "openSUSE Tumbleweed:libnghttp2-devel-1.43.0-1.6.ppc64le",
            "openSUSE Tumbleweed:libnghttp2-devel-1.43.0-1.6.s390x",
            "openSUSE Tumbleweed:libnghttp2-devel-1.43.0-1.6.x86_64",
            "openSUSE Tumbleweed:libnghttp2_asio-devel-1.43.0-1.6.aarch64",
            "openSUSE Tumbleweed:libnghttp2_asio-devel-1.43.0-1.6.ppc64le",
            "openSUSE Tumbleweed:libnghttp2_asio-devel-1.43.0-1.6.s390x",
            "openSUSE Tumbleweed:libnghttp2_asio-devel-1.43.0-1.6.x86_64",
            "openSUSE Tumbleweed:libnghttp2_asio1-1.43.0-1.6.aarch64",
            "openSUSE Tumbleweed:libnghttp2_asio1-1.43.0-1.6.ppc64le",
            "openSUSE Tumbleweed:libnghttp2_asio1-1.43.0-1.6.s390x",
            "openSUSE Tumbleweed:libnghttp2_asio1-1.43.0-1.6.x86_64",
            "openSUSE Tumbleweed:libnghttp2_asio1-32bit-1.43.0-1.6.aarch64",
            "openSUSE Tumbleweed:libnghttp2_asio1-32bit-1.43.0-1.6.ppc64le",
            "openSUSE Tumbleweed:libnghttp2_asio1-32bit-1.43.0-1.6.s390x",
            "openSUSE Tumbleweed:libnghttp2_asio1-32bit-1.43.0-1.6.x86_64",
            "openSUSE Tumbleweed:nghttp2-1.43.0-1.6.aarch64",
            "openSUSE Tumbleweed:nghttp2-1.43.0-1.6.ppc64le",
            "openSUSE Tumbleweed:nghttp2-1.43.0-1.6.s390x",
            "openSUSE Tumbleweed:nghttp2-1.43.0-1.6.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2019-9511"
    },
    {
      "cve": "CVE-2020-11080",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-11080"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., \u003e 32), then drop the connection.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:libnghttp2-14-1.43.0-1.6.aarch64",
          "openSUSE Tumbleweed:libnghttp2-14-1.43.0-1.6.ppc64le",
          "openSUSE Tumbleweed:libnghttp2-14-1.43.0-1.6.s390x",
          "openSUSE Tumbleweed:libnghttp2-14-1.43.0-1.6.x86_64",
          "openSUSE Tumbleweed:libnghttp2-14-32bit-1.43.0-1.6.aarch64",
          "openSUSE Tumbleweed:libnghttp2-14-32bit-1.43.0-1.6.ppc64le",
          "openSUSE Tumbleweed:libnghttp2-14-32bit-1.43.0-1.6.s390x",
          "openSUSE Tumbleweed:libnghttp2-14-32bit-1.43.0-1.6.x86_64",
          "openSUSE Tumbleweed:libnghttp2-devel-1.43.0-1.6.aarch64",
          "openSUSE Tumbleweed:libnghttp2-devel-1.43.0-1.6.ppc64le",
          "openSUSE Tumbleweed:libnghttp2-devel-1.43.0-1.6.s390x",
          "openSUSE Tumbleweed:libnghttp2-devel-1.43.0-1.6.x86_64",
          "openSUSE Tumbleweed:libnghttp2_asio-devel-1.43.0-1.6.aarch64",
          "openSUSE Tumbleweed:libnghttp2_asio-devel-1.43.0-1.6.ppc64le",
          "openSUSE Tumbleweed:libnghttp2_asio-devel-1.43.0-1.6.s390x",
          "openSUSE Tumbleweed:libnghttp2_asio-devel-1.43.0-1.6.x86_64",
          "openSUSE Tumbleweed:libnghttp2_asio1-1.43.0-1.6.aarch64",
          "openSUSE Tumbleweed:libnghttp2_asio1-1.43.0-1.6.ppc64le",
          "openSUSE Tumbleweed:libnghttp2_asio1-1.43.0-1.6.s390x",
          "openSUSE Tumbleweed:libnghttp2_asio1-1.43.0-1.6.x86_64",
          "openSUSE Tumbleweed:libnghttp2_asio1-32bit-1.43.0-1.6.aarch64",
          "openSUSE Tumbleweed:libnghttp2_asio1-32bit-1.43.0-1.6.ppc64le",
          "openSUSE Tumbleweed:libnghttp2_asio1-32bit-1.43.0-1.6.s390x",
          "openSUSE Tumbleweed:libnghttp2_asio1-32bit-1.43.0-1.6.x86_64",
          "openSUSE Tumbleweed:nghttp2-1.43.0-1.6.aarch64",
          "openSUSE Tumbleweed:nghttp2-1.43.0-1.6.ppc64le",
          "openSUSE Tumbleweed:nghttp2-1.43.0-1.6.s390x",
          "openSUSE Tumbleweed:nghttp2-1.43.0-1.6.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-11080",
          "url": "https://www.suse.com/security/cve/CVE-2020-11080"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1172441 for CVE-2020-11080",
          "url": "https://bugzilla.suse.com/1172441"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1172442 for CVE-2020-11080",
          "url": "https://bugzilla.suse.com/1172442"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1181358 for CVE-2020-11080",
          "url": "https://bugzilla.suse.com/1181358"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:libnghttp2-14-1.43.0-1.6.aarch64",
            "openSUSE Tumbleweed:libnghttp2-14-1.43.0-1.6.ppc64le",
            "openSUSE Tumbleweed:libnghttp2-14-1.43.0-1.6.s390x",
            "openSUSE Tumbleweed:libnghttp2-14-1.43.0-1.6.x86_64",
            "openSUSE Tumbleweed:libnghttp2-14-32bit-1.43.0-1.6.aarch64",
            "openSUSE Tumbleweed:libnghttp2-14-32bit-1.43.0-1.6.ppc64le",
            "openSUSE Tumbleweed:libnghttp2-14-32bit-1.43.0-1.6.s390x",
            "openSUSE Tumbleweed:libnghttp2-14-32bit-1.43.0-1.6.x86_64",
            "openSUSE Tumbleweed:libnghttp2-devel-1.43.0-1.6.aarch64",
            "openSUSE Tumbleweed:libnghttp2-devel-1.43.0-1.6.ppc64le",
            "openSUSE Tumbleweed:libnghttp2-devel-1.43.0-1.6.s390x",
            "openSUSE Tumbleweed:libnghttp2-devel-1.43.0-1.6.x86_64",
            "openSUSE Tumbleweed:libnghttp2_asio-devel-1.43.0-1.6.aarch64",
            "openSUSE Tumbleweed:libnghttp2_asio-devel-1.43.0-1.6.ppc64le",
            "openSUSE Tumbleweed:libnghttp2_asio-devel-1.43.0-1.6.s390x",
            "openSUSE Tumbleweed:libnghttp2_asio-devel-1.43.0-1.6.x86_64",
            "openSUSE Tumbleweed:libnghttp2_asio1-1.43.0-1.6.aarch64",
            "openSUSE Tumbleweed:libnghttp2_asio1-1.43.0-1.6.ppc64le",
            "openSUSE Tumbleweed:libnghttp2_asio1-1.43.0-1.6.s390x",
            "openSUSE Tumbleweed:libnghttp2_asio1-1.43.0-1.6.x86_64",
            "openSUSE Tumbleweed:libnghttp2_asio1-32bit-1.43.0-1.6.aarch64",
            "openSUSE Tumbleweed:libnghttp2_asio1-32bit-1.43.0-1.6.ppc64le",
            "openSUSE Tumbleweed:libnghttp2_asio1-32bit-1.43.0-1.6.s390x",
            "openSUSE Tumbleweed:libnghttp2_asio1-32bit-1.43.0-1.6.x86_64",
            "openSUSE Tumbleweed:nghttp2-1.43.0-1.6.aarch64",
            "openSUSE Tumbleweed:nghttp2-1.43.0-1.6.ppc64le",
            "openSUSE Tumbleweed:nghttp2-1.43.0-1.6.s390x",
            "openSUSE Tumbleweed:nghttp2-1.43.0-1.6.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:libnghttp2-14-1.43.0-1.6.aarch64",
            "openSUSE Tumbleweed:libnghttp2-14-1.43.0-1.6.ppc64le",
            "openSUSE Tumbleweed:libnghttp2-14-1.43.0-1.6.s390x",
            "openSUSE Tumbleweed:libnghttp2-14-1.43.0-1.6.x86_64",
            "openSUSE Tumbleweed:libnghttp2-14-32bit-1.43.0-1.6.aarch64",
            "openSUSE Tumbleweed:libnghttp2-14-32bit-1.43.0-1.6.ppc64le",
            "openSUSE Tumbleweed:libnghttp2-14-32bit-1.43.0-1.6.s390x",
            "openSUSE Tumbleweed:libnghttp2-14-32bit-1.43.0-1.6.x86_64",
            "openSUSE Tumbleweed:libnghttp2-devel-1.43.0-1.6.aarch64",
            "openSUSE Tumbleweed:libnghttp2-devel-1.43.0-1.6.ppc64le",
            "openSUSE Tumbleweed:libnghttp2-devel-1.43.0-1.6.s390x",
            "openSUSE Tumbleweed:libnghttp2-devel-1.43.0-1.6.x86_64",
            "openSUSE Tumbleweed:libnghttp2_asio-devel-1.43.0-1.6.aarch64",
            "openSUSE Tumbleweed:libnghttp2_asio-devel-1.43.0-1.6.ppc64le",
            "openSUSE Tumbleweed:libnghttp2_asio-devel-1.43.0-1.6.s390x",
            "openSUSE Tumbleweed:libnghttp2_asio-devel-1.43.0-1.6.x86_64",
            "openSUSE Tumbleweed:libnghttp2_asio1-1.43.0-1.6.aarch64",
            "openSUSE Tumbleweed:libnghttp2_asio1-1.43.0-1.6.ppc64le",
            "openSUSE Tumbleweed:libnghttp2_asio1-1.43.0-1.6.s390x",
            "openSUSE Tumbleweed:libnghttp2_asio1-1.43.0-1.6.x86_64",
            "openSUSE Tumbleweed:libnghttp2_asio1-32bit-1.43.0-1.6.aarch64",
            "openSUSE Tumbleweed:libnghttp2_asio1-32bit-1.43.0-1.6.ppc64le",
            "openSUSE Tumbleweed:libnghttp2_asio1-32bit-1.43.0-1.6.s390x",
            "openSUSE Tumbleweed:libnghttp2_asio1-32bit-1.43.0-1.6.x86_64",
            "openSUSE Tumbleweed:nghttp2-1.43.0-1.6.aarch64",
            "openSUSE Tumbleweed:nghttp2-1.43.0-1.6.ppc64le",
            "openSUSE Tumbleweed:nghttp2-1.43.0-1.6.s390x",
            "openSUSE Tumbleweed:nghttp2-1.43.0-1.6.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2020-11080"
    }
  ]
}

CVE-2020-11080 (GCVE-0-2020-11080)

Vulnerability from cvelistv5 – Published: 2020-06-03 00:00 – Updated: 2025-06-09 15:45

Summary

In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection.

Severity ?

3.7 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-707 - Improper Enforcement of Message or Data Structure

Assigner

GitHub_M

References

URL

Tags

	https://www.debian.org/security/2020/dsa-4696	vendor-advisory
	http://lists.opensuse.org/opensuse-security-annou…	vendor-advisory
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
	https://www.oracle.com/security-alerts/cpujul2020.html
	https://github.com/nghttp2/nghttp2/security/advis…
	https://github.com/nghttp2/nghttp2/commit/336a98f…
	https://github.com/nghttp2/nghttp2/commit/f8da73b…
	https://www.oracle.com/security-alerts/cpuoct2020.html
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
	https://www.oracle.com/security-alerts/cpujan2021.html
	https://www.oracle.com//security-alerts/cpujul2021.html
	https://lists.debian.org/debian-lts-announce/2021…	mailing-list
	https://www.oracle.com/security-alerts/cpuapr2022.html
	https://lists.debian.org/debian-lts-announce/2023…	mailing-list

Impacted products

	Vendor	Product	Version
	nghttp2	nghttp2	Affected: < 1.41.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T11:21:14.514Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "DSA-4696",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2020/dsa-4696"
          },
          {
            "name": "openSUSE-SU-2020:0802",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html"
          },
          {
            "name": "FEDORA-2020-f7d15c8b77",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AAC2AA36OTRHKSVM5OV7TTVB3CZIGEFL/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/nghttp2/nghttp2/security/advisories/GHSA-q5wr-xfw9-q7xr"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/nghttp2/nghttp2/commit/f8da73bd042f810f34d19f9eae02b46d870af394"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
          },
          {
            "name": "FEDORA-2020-43d5a372fc",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
          },
          {
            "name": "[debian-lts-announce] 20211017 [SECURITY] [DLA 2786-1] nghttp2 security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2021/10/msg00011.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "name": "[debian-lts-announce] 20231016 [SECURITY] [DLA 3621-1] nghttp2 security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2020-11080",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-09T15:44:48.717109Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-09T15:45:50.711Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "nghttp2",
          "vendor": "nghttp2",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.41.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., \u003e 32), then drop the connection."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-707",
              "description": "CWE-707 Improper Enforcement of Message or Data Structure",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-16T17:06:24.016Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "DSA-4696",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2020/dsa-4696"
        },
        {
          "name": "openSUSE-SU-2020:0802",
          "tags": [
            "vendor-advisory"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html"
        },
        {
          "name": "FEDORA-2020-f7d15c8b77",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AAC2AA36OTRHKSVM5OV7TTVB3CZIGEFL/"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
        },
        {
          "url": "https://github.com/nghttp2/nghttp2/security/advisories/GHSA-q5wr-xfw9-q7xr"
        },
        {
          "url": "https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090"
        },
        {
          "url": "https://github.com/nghttp2/nghttp2/commit/f8da73bd042f810f34d19f9eae02b46d870af394"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
        },
        {
          "name": "FEDORA-2020-43d5a372fc",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
        },
        {
          "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
        },
        {
          "name": "[debian-lts-announce] 20211017 [SECURITY] [DLA 2786-1] nghttp2 security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2021/10/msg00011.html"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
        },
        {
          "name": "[debian-lts-announce] 20231016 [SECURITY] [DLA 3621-1] nghttp2 security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html"
        }
      ],
      "source": {
        "advisory": "GHSA-q5wr-xfw9-q7xr",
        "discovery": "UNKNOWN"
      },
      "title": "Denial of service in nghttp2"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2020-11080",
    "datePublished": "2020-06-03T00:00:00.000Z",
    "dateReserved": "2020-03-30T00:00:00.000Z",
    "dateUpdated": "2025-06-09T15:45:50.711Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2018-1000168 (GCVE-0-2018-1000168)

Vulnerability from cvelistv5 – Published: 2018-05-08 15:00 – Updated: 2025-06-09 15:47

Summary

nghttp2 version >= 1.10.0 and nghttp2 <= v1.31.0 contains an Improper Input Validation CWE-20 vulnerability in ALTSVC frame handling that can result in segmentation fault leading to denial of service. This attack appears to be exploitable via network client. This vulnerability appears to have been fixed in >= 1.31.1.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

Assigner

mitre

References

URL

Tags

	https://access.redhat.com/errata/RHSA-2019:0367	vendor-advisoryx_refsource_REDHAT
	https://nodejs.org/en/blog/vulnerability/june-201…	x_refsource_CONFIRM
	http://www.securityfocus.com/bid/103952	vdb-entryx_refsource_BID
	https://nghttp2.org/blog/2018/04/12/nghttp2-v1-31-1/	x_refsource_CONFIRM
	https://access.redhat.com/errata/RHSA-2019:0366	vendor-advisoryx_refsource_REDHAT
	https://lists.debian.org/debian-lts-announce/2021…	mailing-listx_refsource_MLIST

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T12:33:49.411Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2019:0367",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:0367"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/"
          },
          {
            "name": "103952",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/103952"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://nghttp2.org/blog/2018/04/12/nghttp2-v1-31-1/"
          },
          {
            "name": "RHSA-2019:0366",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:0366"
          },
          {
            "name": "[debian-lts-announce] 20211017 [SECURITY] [DLA 2786-1] nghttp2 security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2021/10/msg00011.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2018-1000168",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-09T15:47:48.395592Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-09T15:47:51.888Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "dateAssigned": "2018-04-30T00:00:00.000Z",
      "datePublic": "2018-04-12T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "nghttp2 version \u003e= 1.10.0 and nghttp2 \u003c= v1.31.0 contains an Improper Input Validation CWE-20 vulnerability in ALTSVC frame handling that can result in segmentation fault leading to denial of service. This attack appears to be exploitable via network client. This vulnerability appears to have been fixed in \u003e= 1.31.1."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-10-17T07:06:17.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "RHSA-2019:0367",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:0367"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/"
        },
        {
          "name": "103952",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/103952"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://nghttp2.org/blog/2018/04/12/nghttp2-v1-31-1/"
        },
        {
          "name": "RHSA-2019:0366",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:0366"
        },
        {
          "name": "[debian-lts-announce] 20211017 [SECURITY] [DLA 2786-1] nghttp2 security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2021/10/msg00011.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "DATE_ASSIGNED": "2018-04-30T20:15:49.358836",
          "DATE_REQUESTED": "2018-04-09T10:52:35",
          "ID": "CVE-2018-1000168",
          "REQUESTER": "tatsuhiro.t@gmail.com",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "nghttp2 version \u003e= 1.10.0 and nghttp2 \u003c= v1.31.0 contains an Improper Input Validation CWE-20 vulnerability in ALTSVC frame handling that can result in segmentation fault leading to denial of service. This attack appears to be exploitable via network client. This vulnerability appears to have been fixed in \u003e= 1.31.1."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2019:0367",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:0367"
            },
            {
              "name": "https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/",
              "refsource": "CONFIRM",
              "url": "https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/"
            },
            {
              "name": "103952",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/103952"
            },
            {
              "name": "https://nghttp2.org/blog/2018/04/12/nghttp2-v1-31-1/",
              "refsource": "CONFIRM",
              "url": "https://nghttp2.org/blog/2018/04/12/nghttp2-v1-31-1/"
            },
            {
              "name": "RHSA-2019:0366",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:0366"
            },
            {
              "name": "[debian-lts-announce] 20211017 [SECURITY] [DLA 2786-1] nghttp2 security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2021/10/msg00011.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-1000168",
    "datePublished": "2018-05-08T15:00:00.000Z",
    "dateReserved": "2018-04-09T00:00:00.000Z",
    "dateUpdated": "2025-06-09T15:47:51.888Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-9511 (GCVE-0-2019-9511)

Vulnerability from cvelistv5 – Published: 2019-08-13 20:50 – Updated: 2024-08-04 21:54

Summary

Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

Severity ?

7.5 (High)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

certcc

References

URL

Tags

	https://kb.cert.org/vuls/id/605641/	third-party-advisoryx_refsource_CERT-VN
	https://usn.ubuntu.com/4099-1/	vendor-advisoryx_refsource_UBUNTU
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://seclists.org/bugtraq/2019/Aug/40	mailing-listx_refsource_BUGTRAQ
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://www.debian.org/security/2019/dsa-4505	vendor-advisoryx_refsource_DEBIAN
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://seclists.org/bugtraq/2019/Sep/1	mailing-listx_refsource_BUGTRAQ
	https://www.debian.org/security/2019/dsa-4511	vendor-advisoryx_refsource_DEBIAN
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://access.redhat.com/errata/RHSA-2019:2692	vendor-advisoryx_refsource_REDHAT
	http://lists.opensuse.org/opensuse-security-annou…	vendor-advisoryx_refsource_SUSE
	http://lists.opensuse.org/opensuse-security-annou…	vendor-advisoryx_refsource_SUSE
	http://lists.opensuse.org/opensuse-security-annou…	vendor-advisoryx_refsource_SUSE
	https://access.redhat.com/errata/RHSA-2019:2745	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2019:2746	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2019:2775	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2019:2799	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2019:2925	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2019:2939	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2019:2949	vendor-advisoryx_refsource_REDHAT
	http://lists.opensuse.org/opensuse-security-annou…	vendor-advisoryx_refsource_SUSE
	http://lists.opensuse.org/opensuse-security-annou…	vendor-advisoryx_refsource_SUSE
	https://access.redhat.com/errata/RHSA-2019:2955	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2019:2966	vendor-advisoryx_refsource_REDHAT
	http://lists.opensuse.org/opensuse-security-annou…	vendor-advisoryx_refsource_SUSE
	https://access.redhat.com/errata/RHSA-2019:3041	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2019:3933	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2019:3935	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2019:3932	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2019:4018	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2019:4019	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2019:4021	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2019:4020	vendor-advisoryx_refsource_REDHAT
	https://www.debian.org/security/2020/dsa-4669	vendor-advisoryx_refsource_DEBIAN
	https://www.oracle.com/technetwork/security-advis…	x_refsource_MISC
	https://www.oracle.com/security-alerts/cpuoct2020.html	x_refsource_MISC
	https://github.com/Netflix/security-bulletins/blo…	x_refsource_MISC
	https://www.synology.com/security/advisory/Synolo…	x_refsource_CONFIRM
	https://support.f5.com/csp/article/K02591030	x_refsource_CONFIRM
	https://security.netapp.com/advisory/ntap-2019082…	x_refsource_CONFIRM
	https://security.netapp.com/advisory/ntap-2019082…	x_refsource_CONFIRM
	https://kc.mcafee.com/corporate/index?page=conten…	x_refsource_CONFIRM
	https://support.f5.com/csp/article/K02591030?utm_…	x_refsource_CONFIRM
	https://www.oracle.com/security-alerts/cpujan2021.html	x_refsource_MISC

Credits

Thanks to Jonathan Looney of Netflix for reporting this vulnerability.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T21:54:44.157Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "VU#605641",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT-VN",
              "x_transferred"
            ],
            "url": "https://kb.cert.org/vuls/id/605641/"
          },
          {
            "name": "USN-4099-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4099-1/"
          },
          {
            "name": "FEDORA-2019-befd924cfe",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/"
          },
          {
            "name": "20190822 [SECURITY] [DSA 4505-1] nginx security update",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/Aug/40"
          },
          {
            "name": "FEDORA-2019-81985a8858",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZLUYPYY3RX4ZJDWZRJIKSULYRJ4PXW7/"
          },
          {
            "name": "DSA-4505",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2019/dsa-4505"
          },
          {
            "name": "FEDORA-2019-8a437d5c2f",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JUBYAF6ED3O4XCHQ5C2HYENJLXYXZC4M/"
          },
          {
            "name": "FEDORA-2019-4427fd65be",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/"
          },
          {
            "name": "FEDORA-2019-63ba15cc83",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/"
          },
          {
            "name": "20190902 [SECURITY] [DSA 4511-1] nghttp2 security update",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/Sep/1"
          },
          {
            "name": "DSA-4511",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2019/dsa-4511"
          },
          {
            "name": "FEDORA-2019-7a0b45fdc4",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/POPAEC4FWL4UU4LDEGPY5NPALU24FFQD/"
          },
          {
            "name": "RHSA-2019:2692",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2692"
          },
          {
            "name": "openSUSE-SU-2019:2120",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html"
          },
          {
            "name": "openSUSE-SU-2019:2114",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
          },
          {
            "name": "openSUSE-SU-2019:2115",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
          },
          {
            "name": "RHSA-2019:2745",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2745"
          },
          {
            "name": "RHSA-2019:2746",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2746"
          },
          {
            "name": "RHSA-2019:2775",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2775"
          },
          {
            "name": "RHSA-2019:2799",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2799"
          },
          {
            "name": "RHSA-2019:2925",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2925"
          },
          {
            "name": "RHSA-2019:2939",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2939"
          },
          {
            "name": "RHSA-2019:2949",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2949"
          },
          {
            "name": "openSUSE-SU-2019:2232",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00003.html"
          },
          {
            "name": "openSUSE-SU-2019:2234",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00005.html"
          },
          {
            "name": "RHSA-2019:2955",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2955"
          },
          {
            "name": "RHSA-2019:2966",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2966"
          },
          {
            "name": "openSUSE-SU-2019:2264",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00014.html"
          },
          {
            "name": "RHSA-2019:3041",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3041"
          },
          {
            "name": "RHSA-2019:3933",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3933"
          },
          {
            "name": "RHSA-2019:3935",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3935"
          },
          {
            "name": "RHSA-2019:3932",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3932"
          },
          {
            "name": "RHSA-2019:4018",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:4018"
          },
          {
            "name": "RHSA-2019:4019",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:4019"
          },
          {
            "name": "RHSA-2019:4021",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:4021"
          },
          {
            "name": "RHSA-2019:4020",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:4020"
          },
          {
            "name": "DSA-4669",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2020/dsa-4669"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.f5.com/csp/article/K02591030"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20190823-0002/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.f5.com/csp/article/K02591030?utm_source=f5support\u0026amp%3Butm_medium=RSS"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Thanks to Jonathan Looney of Netflix for reporting this vulnerability."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-01-20T14:42:02",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "name": "VU#605641",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT-VN"
          ],
          "url": "https://kb.cert.org/vuls/id/605641/"
        },
        {
          "name": "USN-4099-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/4099-1/"
        },
        {
          "name": "FEDORA-2019-befd924cfe",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/"
        },
        {
          "name": "20190822 [SECURITY] [DSA 4505-1] nginx security update",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "https://seclists.org/bugtraq/2019/Aug/40"
        },
        {
          "name": "FEDORA-2019-81985a8858",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZLUYPYY3RX4ZJDWZRJIKSULYRJ4PXW7/"
        },
        {
          "name": "DSA-4505",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2019/dsa-4505"
        },
        {
          "name": "FEDORA-2019-8a437d5c2f",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JUBYAF6ED3O4XCHQ5C2HYENJLXYXZC4M/"
        },
        {
          "name": "FEDORA-2019-4427fd65be",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/"
        },
        {
          "name": "FEDORA-2019-63ba15cc83",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/"
        },
        {
          "name": "20190902 [SECURITY] [DSA 4511-1] nghttp2 security update",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "https://seclists.org/bugtraq/2019/Sep/1"
        },
        {
          "name": "DSA-4511",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2019/dsa-4511"
        },
        {
          "name": "FEDORA-2019-7a0b45fdc4",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/POPAEC4FWL4UU4LDEGPY5NPALU24FFQD/"
        },
        {
          "name": "RHSA-2019:2692",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2692"
        },
        {
          "name": "openSUSE-SU-2019:2120",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html"
        },
        {
          "name": "openSUSE-SU-2019:2114",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
        },
        {
          "name": "openSUSE-SU-2019:2115",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
        },
        {
          "name": "RHSA-2019:2745",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2745"
        },
        {
          "name": "RHSA-2019:2746",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2746"
        },
        {
          "name": "RHSA-2019:2775",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2775"
        },
        {
          "name": "RHSA-2019:2799",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2799"
        },
        {
          "name": "RHSA-2019:2925",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2925"
        },
        {
          "name": "RHSA-2019:2939",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2939"
        },
        {
          "name": "RHSA-2019:2949",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2949"
        },
        {
          "name": "openSUSE-SU-2019:2232",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00003.html"
        },
        {
          "name": "openSUSE-SU-2019:2234",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00005.html"
        },
        {
          "name": "RHSA-2019:2955",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2955"
        },
        {
          "name": "RHSA-2019:2966",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2966"
        },
        {
          "name": "openSUSE-SU-2019:2264",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00014.html"
        },
        {
          "name": "RHSA-2019:3041",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3041"
        },
        {
          "name": "RHSA-2019:3933",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3933"
        },
        {
          "name": "RHSA-2019:3935",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3935"
        },
        {
          "name": "RHSA-2019:3932",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3932"
        },
        {
          "name": "RHSA-2019:4018",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:4018"
        },
        {
          "name": "RHSA-2019:4019",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:4019"
        },
        {
          "name": "RHSA-2019:4021",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:4021"
        },
        {
          "name": "RHSA-2019:4020",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:4020"
        },
        {
          "name": "DSA-4669",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2020/dsa-4669"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.f5.com/csp/article/K02591030"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20190823-0002/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.f5.com/csp/article/K02591030?utm_source=f5support\u0026amp%3Butm_medium=RSS"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service",
      "x_generator": {
        "engine": "Vulnogram 0.0.7"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "AKA": "HTTP/2 Data Dribble",
          "ASSIGNER": "cert@cert.org",
          "ID": "CVE-2019-9511",
          "STATE": "PUBLIC",
          "TITLE": "Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Thanks to Jonathan Looney of Netflix for reporting this vulnerability."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.7"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-400 Uncontrolled Resource Consumption"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "VU#605641",
              "refsource": "CERT-VN",
              "url": "https://kb.cert.org/vuls/id/605641/"
            },
            {
              "name": "USN-4099-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/4099-1/"
            },
            {
              "name": "FEDORA-2019-befd924cfe",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/"
            },
            {
              "name": "20190822 [SECURITY] [DSA 4505-1] nginx security update",
              "refsource": "BUGTRAQ",
              "url": "https://seclists.org/bugtraq/2019/Aug/40"
            },
            {
              "name": "FEDORA-2019-81985a8858",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LZLUYPYY3RX4ZJDWZRJIKSULYRJ4PXW7/"
            },
            {
              "name": "DSA-4505",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2019/dsa-4505"
            },
            {
              "name": "FEDORA-2019-8a437d5c2f",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JUBYAF6ED3O4XCHQ5C2HYENJLXYXZC4M/"
            },
            {
              "name": "FEDORA-2019-4427fd65be",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/"
            },
            {
              "name": "FEDORA-2019-63ba15cc83",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/"
            },
            {
              "name": "20190902 [SECURITY] [DSA 4511-1] nghttp2 security update",
              "refsource": "BUGTRAQ",
              "url": "https://seclists.org/bugtraq/2019/Sep/1"
            },
            {
              "name": "DSA-4511",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2019/dsa-4511"
            },
            {
              "name": "FEDORA-2019-7a0b45fdc4",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/POPAEC4FWL4UU4LDEGPY5NPALU24FFQD/"
            },
            {
              "name": "RHSA-2019:2692",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2692"
            },
            {
              "name": "openSUSE-SU-2019:2120",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html"
            },
            {
              "name": "openSUSE-SU-2019:2114",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
            },
            {
              "name": "openSUSE-SU-2019:2115",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
            },
            {
              "name": "RHSA-2019:2745",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2745"
            },
            {
              "name": "RHSA-2019:2746",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2746"
            },
            {
              "name": "RHSA-2019:2775",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2775"
            },
            {
              "name": "RHSA-2019:2799",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2799"
            },
            {
              "name": "RHSA-2019:2925",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2925"
            },
            {
              "name": "RHSA-2019:2939",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2939"
            },
            {
              "name": "RHSA-2019:2949",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2949"
            },
            {
              "name": "openSUSE-SU-2019:2232",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00003.html"
            },
            {
              "name": "openSUSE-SU-2019:2234",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00005.html"
            },
            {
              "name": "RHSA-2019:2955",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2955"
            },
            {
              "name": "RHSA-2019:2966",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2966"
            },
            {
              "name": "openSUSE-SU-2019:2264",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00014.html"
            },
            {
              "name": "RHSA-2019:3041",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:3041"
            },
            {
              "name": "RHSA-2019:3933",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:3933"
            },
            {
              "name": "RHSA-2019:3935",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:3935"
            },
            {
              "name": "RHSA-2019:3932",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:3932"
            },
            {
              "name": "RHSA-2019:4018",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:4018"
            },
            {
              "name": "RHSA-2019:4019",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:4019"
            },
            {
              "name": "RHSA-2019:4021",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:4021"
            },
            {
              "name": "RHSA-2019:4020",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:4020"
            },
            {
              "name": "DSA-4669",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2020/dsa-4669"
            },
            {
              "name": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuoct2020.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
            },
            {
              "name": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md",
              "refsource": "MISC",
              "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
            },
            {
              "name": "https://www.synology.com/security/advisory/Synology_SA_19_33",
              "refsource": "CONFIRM",
              "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
            },
            {
              "name": "https://support.f5.com/csp/article/K02591030",
              "refsource": "CONFIRM",
              "url": "https://support.f5.com/csp/article/K02591030"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20190823-0002/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20190823-0002/"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20190823-0005/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
            },
            {
              "name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296",
              "refsource": "CONFIRM",
              "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
            },
            {
              "name": "https://support.f5.com/csp/article/K02591030?utm_source=f5support\u0026amp;utm_medium=RSS",
              "refsource": "CONFIRM",
              "url": "https://support.f5.com/csp/article/K02591030?utm_source=f5support\u0026amp;utm_medium=RSS"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujan2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2019-9511",
    "datePublished": "2019-08-13T20:50:59",
    "dateReserved": "2019-03-01T00:00:00",
    "dateUpdated": "2024-08-04T21:54:44.157Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

OPENSUSE-SU-2024:11091-1

CVE-2020-11080 (GCVE-0-2020-11080)

CVE-2018-1000168 (GCVE-0-2018-1000168)

CVE-2019-9511 (GCVE-0-2019-9511)

Tags

Sightings

Nomenclature