Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both.
Vector
NETWORK
Complexity
LOW
Authentication
NONE
Confidentiality
NONE
Integrity
NONE
Availability
COMPLETE
Apache Traffic server 8.0.0 Rc1 (not an official CPE)
Apache Traffic server 8.0.0 Rc0 (not an official CPE)
Apache Traffic server 8.0.0 (not an official CPE)
Apache Traffic server 7.1.5 (not an official CPE)
Apache Traffic server 7.1.4 Rc1 (not an official CPE)
Apache Traffic server 7.1.4 Rc0 (not an official CPE)
Apache Traffic server 7.1.4 (not an official CPE)
Apache Traffic server 7.1.3 Rc0 (not an official CPE)
Apache Traffic server 7.1.3 (not an official CPE)
Apache Traffic server 7.1.2 Rc4 (not an official CPE)
Apache Traffic server 7.1.2 Rc3 (not an official CPE)
Apache Traffic server 7.1.2 Rc2 (not an official CPE)
Apache Traffic server 7.1.2 Rc1 (not an official CPE)
Apache Traffic server 7.1.2 Rc0 (not an official CPE)
Apache Traffic server 7.1.2 (not an official CPE)
Apache Traffic server 7.1.1 Rc1 (not an official CPE)
Apache Traffic server 7.1.1 Rc0 (not an official CPE)
Apache Traffic server 7.1.1 (not an official CPE)
Apache Traffic server 7.1.0 Rc1 (not an official CPE)
Apache Traffic server 7.1.0 Rc0 (not an official CPE)
Apache Traffic server 7.1.0 (not an official CPE)
Apache Traffic server 7.0.0 Rc2 (not an official CPE)
Apache Traffic server 7.0.0 Rc1 (not an official CPE)
Apache Traffic server 7.0.0 Rc0 (not an official CPE)
Apache Traffic server 7.0.0 (not an official CPE)
Apache Traffic server 6.2.3 (not an official CPE)
Apache Traffic server 6.2.2 Rc0 (not an official CPE)
Apache Traffic server 6.2.2 (not an official CPE)
Apache Traffic server 6.2.1 Rc0 (not an official CPE)
Apache Traffic server 6.2.1 (not an official CPE)
Apache Traffic server 6.2.0 (not an official CPE)
Apache Traffic server 6.1.1 (not an official CPE)
Apache Traffic server 6.1.0 (not an official CPE)
Apache Traffic server 6.0.3 (not an official CPE)
Apache Traffic server 6.0.0 (not an official CPE)
Apache Traffic server 8.0.0 Rc2 (not an official CPE)
Apache Traffic server 8.0.0 Rc3 (not an official CPE)
Apache Traffic server 8.0.0 Rc4 (not an official CPE)
Apache Traffic server 8.0.1 (not an official CPE)
Apache Traffic server 8.0.2 (not an official CPE)
Apache Traffic server 8.0.3 (not an official CPE)
Apple Swiftnio 1.0.0 (not an official CPE)
Apple Swiftnio 1.0.1 (not an official CPE)
Apple Swiftnio 1.1.0 (not an official CPE)
Apple Swiftnio 1.1.1 (not an official CPE)
Apple Swiftnio 1.2.0 (not an official CPE)
Apple Swiftnio 1.2.1 (not an official CPE)
Apple Swiftnio 1.2.2 (not an official CPE)
Apple Swiftnio 1.3.0 (not an official CPE)
Apple Swiftnio 1.3.1 (not an official CPE)
Apple Swiftnio 1.3.2 (not an official CPE)
Apple Swiftnio 1.4.0 (not an official CPE)