2019-08-13 23:15:12 2019-08-23 23:15:12

Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

Vector

NETWORK

Complexity

LOW

Authentication

NONE

Confidentiality

NONE

Integrity

NONE

Availability

COMPLETE
Apple Swiftnio 1.1.0 (not an official CPE) Apple Swiftnio 1.0.1 (not an official CPE) Apple Swiftnio 1.0.0 (not an official CPE) Apache Traffic server 8.0.3 (not an official CPE) Apache Traffic server 8.0.2 (not an official CPE) Apache Traffic server 8.0.1 (not an official CPE) Apache Traffic server 8.0.0 Rc4 (not an official CPE) Apache Traffic server 8.0.0 Rc3 (not an official CPE) Apache Traffic server 8.0.0 Rc2 (not an official CPE) Apache Traffic server 8.0.0 Rc1 (not an official CPE) Apache Traffic server 8.0.0 Rc0 (not an official CPE) Apache Traffic server 8.0.0 (not an official CPE) Apache Traffic server 7.1.5 (not an official CPE) Apache Traffic server 7.1.4 Rc1 (not an official CPE) Apache Traffic server 7.1.4 Rc0 (not an official CPE) Apache Traffic server 7.1.4 (not an official CPE) Apache Traffic server 7.1.3 Rc0 (not an official CPE) Apache Traffic server 7.1.3 (not an official CPE) Apache Traffic server 7.1.2 Rc4 (not an official CPE) Apache Traffic server 7.1.2 Rc3 (not an official CPE) Apache Traffic server 7.1.2 Rc2 (not an official CPE) Apache Traffic server 7.1.2 Rc1 (not an official CPE) Apache Traffic server 7.1.2 Rc0 (not an official CPE) Apache Traffic server 7.1.2 (not an official CPE) Apache Traffic server 7.1.1 Rc1 (not an official CPE) Apache Traffic server 7.1.1 Rc0 (not an official CPE) Apache Traffic server 7.1.1 (not an official CPE) Apache Traffic server 7.1.0 Rc1 (not an official CPE) Apache Traffic server 7.1.0 Rc0 (not an official CPE) Apache Traffic server 7.1.0 (not an official CPE) Apache Traffic server 7.0.0 Rc2 (not an official CPE) Apache Traffic server 7.0.0 Rc1 (not an official CPE) Apache Traffic server 7.0.0 Rc0 (not an official CPE) Apache Traffic server 7.0.0 (not an official CPE) Apache Traffic server 6.2.3 (not an official CPE) Apache Traffic server 6.2.2 Rc0 (not an official CPE) Apache Traffic server 6.2.2 (not an official CPE) Apache Traffic server 6.2.1 Rc0 (not an official CPE) Apache Traffic server 6.2.1 (not an official CPE) Apache Traffic server 6.2.0 (not an official CPE) Apache Traffic server 6.1.1 (not an official CPE) Apache Traffic server 6.1.0 (not an official CPE) Apache Traffic server 6.0.3 (not an official CPE) Apache Traffic server 6.0.0 (not an official CPE) Apple Swiftnio 1.1.1 (not an official CPE) Apple Swiftnio 1.2.0 (not an official CPE) Apple Swiftnio 1.2.1 (not an official CPE) Apple Swiftnio 1.2.2 (not an official CPE) Apple Swiftnio 1.3.0 (not an official CPE) Apple Swiftnio 1.3.1 (not an official CPE) Apple Swiftnio 1.3.2 (not an official CPE) Apple Swiftnio 1.4.0 (not an official CPE) Synology Diskstation manager 6.2 (not an official CPE) Synology Skynas - (not an official CPE)