CVE-2019-9511
Description
Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
Risk Information
Base Score: 7.5 (MODERATE)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
EPSS Score (Exploitation Probability): 15.129
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Windows Information Disclosure Vulnerability for Windows 10 Version 1607 for x86-based Systems (KB4512517) | Windows |
| Windows Information Disclosure Vulnerability for Windows 10 Version 1803 for x64-based Systems (KB4512501) | Windows |
| Windows Information Disclosure Vulnerability for Windows Server 2016 (1803) for x64-based Systems (KB4512501) | Windows |
| Windows Information Disclosure Vulnerability for Windows 10 Version 1803 for x86-based Systems (KB4512501) | Windows |
| Windows Information Disclosure Vulnerability for Windows 10 Version 1709 for x64-based Systems (KB4512516) | Windows |
| Windows Information Disclosure Vulnerability for Windows 10 Version 1709 for x86-based Systems (KB4512516) | Windows |
| Windows Information Disclosure Vulnerability for Windows 10 Version 1903 for x64-based Systems (KB4512508) | Windows |
| Windows Information Disclosure Vulnerability for Windows Server, version 1903 for x64-based Systems (KB4512508) | Windows |
| Windows Information Disclosure Vulnerability for Windows 10 Version 1903 for x86-based Systems (KB4512508) | Windows |
| Windows Information Disclosure Vulnerability for Windows 10 Version 1703 for x64-based Systems (KB4512507) | Windows |
| Windows Information Disclosure Vulnerability for Windows 10 Version 1703 for x86-based Systems (KB4512507) | Windows |
| Windows Information Disclosure Vulnerability for Windows 10 Version 1607 for x64-based Systems (KB4512517) | Windows |
| Windows Information Disclosure Vulnerability for Windows Server 2016 for x64-based Systems (KB4512517) | Windows |
| Windows Information Disclosure Vulnerability for Windows Server 2019 for x64-based Systems (KB4511553) | Windows |
| Windows Information Disclosure Vulnerability for Windows 10 Version 1809 for x64-based Systems (KB4511553) | Windows |
| Windows Information Disclosure Vulnerability for Windows 10 Version 1809 for x86-based Systems (KB4511553) | Windows |
| Windows Information Disclosure Vulnerability for Windows 10 Version 1507 for x86-based Systems (KB4512497) | Windows |
| Windows Information Disclosure Vulnerability for Windows 10 Version 1507 for x64-based Systems (KB4512497) | Windows |
| Multiple vulnerabilities are fixed in Node.js 12 (12.22.12) | Windows |
| Multiple vulnerabilities are fixed in Node.js 18 (x64) (18.16.1) | Windows |
| Multiple vulnerabilities are fixed in Node.js 18 (18.16.1) | Windows |
| Multiple vulnerabilities are fixed in Node.js (x64) (10.16.3) | Windows |
| Multiple vulnerabilities are fixed in Node.js (10.16.3) | Windows |
| Multiple vulnerabilities are fixed in Node.js 8 8.16.1 | Windows |
| Multiple vulnerabilities are fixed in Node.js 8 (x64) 8.16.1 | Windows |
| Multiple vulnerabilities are fixed in Node.js 12 12.8.1 | Windows |
| Vulnerabilities CVE-2019-9511, CVE-2019-9513, CVE-2019-9516 are fixed in Nginx 1.17.3 | Windows |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-core_1.14.0-0ubuntu1.4_i386.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-core_1.14.0-0ubuntu1.4_amd64.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-core_1.15.9-0ubuntu1.1_i386.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-core_1.15.9-0ubuntu1.1_amd64.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-core_1.10.3-0ubuntu0.16.04.4_i386.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-core_1.10.3-0ubuntu0.16.04.4_amd64.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-full_1.14.0-0ubuntu1.4_i386.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-full_1.14.0-0ubuntu1.4_amd64.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-full_1.15.9-0ubuntu1.1_i386.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-full_1.15.9-0ubuntu1.1_amd64.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-full_1.10.3-0ubuntu0.16.04.4_i386.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-full_1.10.3-0ubuntu0.16.04.4_amd64.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-light_1.14.0-0ubuntu1.4_i386.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-light_1.14.0-0ubuntu1.4_amd64.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-light_1.15.9-0ubuntu1.1_i386.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-light_1.15.9-0ubuntu1.1_amd64.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-light_1.10.3-0ubuntu0.16.04.4_i386.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-light_1.10.3-0ubuntu0.16.04.4_amd64.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-common_1.14.0-0ubuntu1.4_all.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-common_1.15.9-0ubuntu1.1_all.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-common_1.10.3-0ubuntu0.16.04.4_all.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-extras_1.14.0-0ubuntu1.4_i386.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-extras_1.14.0-0ubuntu1.4_amd64.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-extras_1.15.9-0ubuntu1.1_i386.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-extras_1.15.9-0ubuntu1.1_amd64.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-extras_1.10.3-0ubuntu0.16.04.4_i386.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-extras_1.10.3-0ubuntu0.16.04.4_amd64.deb | Linux |
| nginx security update (DSA-4505-1) nginx_1.10.3-1+deb9u3_all.deb | Linux |
| nginx security update (DSA-4505-1) nginx_1.14.2-2+deb10u1_all.deb | Linux |
| nghttp2 security update (DSA-4511-1) nghttp2_1.18.1-1+deb9u1_all.deb | Linux |
| nghttp2 security update (DSA-4511-1) nghttp2_1.36.0-2+deb10u1_all.deb | Linux |
| (RHSA-2019:2692) nghttp2 security update libnghttp2-1.33.0-1.el8_0.1.i686.rpm | Linux |
| (RHSA-2019:2692) nghttp2 security update libnghttp2-1.33.0-1.el8_0.1.x86_64.rpm | Linux |
| (RHSA-2019:2692) nghttp2 security update nghttp2-debugsource-1.33.0-1.el8_0.1.i686.rpm | Linux |
| (RHSA-2019:2692) nghttp2 security update nghttp2-debugsource-1.33.0-1.el8_0.1.x86_64.rpm | Linux |
| (RHSA-2019:2799) nginx:1.14 security update nginx-1.14.1-9.module+el8.0.0+4108+af250afe.x86_64.rpm | Linux |
| (RHSA-2019:2799) nginx:1.14 security update nginx-all-modules-1.14.1-9.module+el8.0.0+4108+af250afe.noarch.rpm | Linux |
| (RHSA-2019:2799) nginx:1.14 security update nginx-debugsource-1.14.1-9.module+el8.0.0+4108+af250afe.x86_64.rpm | Linux |
| (RHSA-2019:2799) nginx:1.14 security update nginx-filesystem-1.14.1-9.module+el8.0.0+4108+af250afe.noarch.rpm | Linux |
| (RHSA-2019:2799) nginx:1.14 security update nginx-mod-http-image-filter-1.14.1-9.module+el8.0.0+4108+af250afe.x86_64.rpm | Linux |
| (RHSA-2019:2799) nginx:1.14 security update nginx-mod-http-perl-1.14.1-9.module+el8.0.0+4108+af250afe.x86_64.rpm | Linux |
| (RHSA-2019:2799) nginx:1.14 security update nginx-mod-http-xslt-filter-1.14.1-9.module+el8.0.0+4108+af250afe.x86_64.rpm | Linux |
| (RHSA-2019:2799) nginx:1.14 security update nginx-mod-mail-1.14.1-9.module+el8.0.0+4108+af250afe.x86_64.rpm | Linux |
| (RHSA-2019:2799) nginx:1.14 security update nginx-mod-stream-1.14.1-9.module+el8.0.0+4108+af250afe.x86_64.rpm | Linux |
| nodejs security update (DSA-4669-1) nodejs_10.19.0~dfsg1-1_i386.deb | Linux |
| nodejs security update (DSA-4669-1) nodejs_10.19.0~dfsg1-1_amd64.deb | Linux |
| Nginx update (ELSA-2019-2799) nginx-1.14.1-9.0.1.module+el8.0.0+5347+9282027e.x86_64.rpm | Linux |
| Nginx-mod-http-image-filter update (ELSA-2019-2799) nginx-mod-http-image-filter-1.14.1-9.0.1.module+el8.0.0+5347+9282027e.x86_64.rpm | Linux |
| Nginx-mod-http-perl update (ELSA-2019-2799) nginx-mod-http-perl-1.14.1-9.0.1.module+el8.0.0+5347+9282027e.x86_64.rpm | Linux |
| Nginx-mod-http-xslt-filter update (ELSA-2019-2799) nginx-mod-http-xslt-filter-1.14.1-9.0.1.module+el8.0.0+5347+9282027e.x86_64.rpm | Linux |
| Nginx-mod-mail update (ELSA-2019-2799) nginx-mod-mail-1.14.1-9.0.1.module+el8.0.0+5347+9282027e.x86_64.rpm | Linux |
| Nginx-mod-stream update (ELSA-2019-2799) nginx-mod-stream-1.14.1-9.0.1.module+el8.0.0+5347+9282027e.x86_64.rpm | Linux |
| Nginx-all-modules update (ELSA-2019-2799) nginx-all-modules-1.14.1-9.0.1.module+el8.0.0+5347+9282027e.noarch.rpm | Linux |
| Nginx-filesystem update (ELSA-2019-2799) nginx-filesystem-1.14.1-9.0.1.module+el8.0.0+5347+9282027e.noarch.rpm | Linux |
| Mod_md update (ELSA-2019-2893) mod_md-2.4.37-12.0.1.module+el8.0.0+5348+de75177e.x86_64.rpm | Linux |
| Libnghttp2 update (ELSA-2020-2755) libnghttp2-1.33.0-3.el8_2.1.x86_64.rpm | Linux |
| Libnghttp2-devel update (ELSA-2020-2755) libnghttp2-devel-1.33.0-3.el8_2.1.x86_64.rpm | Linux |
| Nghttp2 update (ELSA-2020-2755) nghttp2-1.33.0-3.el8_2.1.x86_64.rpm | Linux |
| Libnghttp2 update (ELSA-2020-2755) libnghttp2-1.33.0-3.el8_2.1.i686.rpm | Linux |
| Libnghttp2-devel update (ELSA-2020-2755) libnghttp2-devel-1.33.0-3.el8_2.1.i686.rpm | Linux |
| SUSE-SU-2021:0932-1 (SUSE Linux Enterprise Server 12-SP5) libnghttp2-14-1.39.2-3.5.1.x86_64.rpm | Linux |
| SUSE-SU-2021:0932-1 (SUSE Linux Enterprise Server 12-SP5) libnghttp2-14-32bit-1.39.2-3.5.1.x86_64.rpm | Linux |
| SUSE-SU-2021:0932-1 (SUSE Linux Enterprise Server 12-SP5) libnghttp2-14-debuginfo-1.39.2-3.5.1.x86_64.rpm | Linux |
| SUSE-SU-2021:0932-1 (SUSE Linux Enterprise Server 12-SP5) libnghttp2-14-debuginfo-32bit-1.39.2-3.5.1.x86_64.rpm | Linux |
| SUSE-SU-2021:0932-1 (SUSE Linux Enterprise Server 12-SP5) nghttp2-debuginfo-1.39.2-3.5.1.x86_64.rpm | Linux |
| SUSE-SU-2021:0932-1 (SUSE Linux Enterprise Server 12-SP5) nghttp2-debugsource-1.39.2-3.5.1.x86_64.rpm | Linux |
| (CESA-2019:2692) nghttp2 security update libnghttp2-1.33.0-1.el8_0.1.i686.rpm | Linux |
| (CESA-2019:2692) nghttp2 security update libnghttp2-1.33.0-1.el8_0.1.x86_64.rpm | Linux |
| (RHSA-2019:2799) Important: security update nginx-debuginfo-1.14.1-9.module+el8.0.0+4108+af250afe.x86_64.rpm | Linux |
| (RHSA-2019:2799) Important: security update nginx-mod-http-image-filter-debuginfo-1.14.1-9.module+el8.0.0+4108+af250afe.x86_64.rpm | Linux |
| (RHSA-2019:2799) Important: security update nginx-mod-http-perl-debuginfo-1.14.1-9.module+el8.0.0+4108+af250afe.x86_64.rpm | Linux |
| (RHSA-2019:2799) Important: security update nginx-mod-http-xslt-filter-debuginfo-1.14.1-9.module+el8.0.0+4108+af250afe.x86_64.rpm | Linux |
| (RHSA-2019:2799) Important: security update nginx-mod-mail-debuginfo-1.14.1-9.module+el8.0.0+4108+af250afe.x86_64.rpm | Linux |
| (RHSA-2019:2799) Important: security update nginx-mod-stream-debuginfo-1.14.1-9.module+el8.0.0+4108+af250afe.x86_64.rpm | Linux |
| Httpd update (ELSA-2024-3121) httpd-2.4.37-64.module+el8.10.0+90271+3bc76a16.x86_64.rpm | Linux |
| Httpd-devel update (ELSA-2024-3121) httpd-devel-2.4.37-64.module+el8.10.0+90271+3bc76a16.x86_64.rpm | Linux |
| Httpd-filesystem update (ELSA-2024-3121) httpd-filesystem-2.4.37-64.module+el8.10.0+90271+3bc76a16.noarch.rpm | Linux |
| Httpd-manual update (ELSA-2024-3121) httpd-manual-2.4.37-64.module+el8.10.0+90271+3bc76a16.noarch.rpm | Linux |
| Httpd-tools update (ELSA-2024-3121) httpd-tools-2.4.37-64.module+el8.10.0+90271+3bc76a16.x86_64.rpm | Linux |
| Mod_http2 update (ELSA-2024-3121) mod_http2-1.15.7-10.module+el8.10.0+90327+96b8ea28.x86_64.rpm | Linux |
| Mod_ldap update (ELSA-2024-3121) mod_ldap-2.4.37-64.module+el8.10.0+90271+3bc76a16.x86_64.rpm | Linux |
| Mod_md update (ELSA-2024-3121) mod_md-2.0.8-8.module+el8.9.0+90011+2f9c6a23.x86_64.rpm | Linux |
| Mod_proxy_html update (ELSA-2024-3121) mod_proxy_html-2.4.37-64.module+el8.10.0+90271+3bc76a16.x86_64.rpm | Linux |
| Mod_session update (ELSA-2024-3121) mod_session-2.4.37-64.module+el8.10.0+90271+3bc76a16.x86_64.rpm | Linux |
| Mod_ssl update (ELSA-2024-3121) mod_ssl-2.4.37-64.module+el8.10.0+90271+3bc76a16.x86_64.rpm | Linux |
| Important: nginx:1.14 security update nginx-1.14.1-9.module_el8.3.0+2165+af250afe.alma.x86_64.rpm | Linux |
| Important: nginx:1.14 security update nginx-all-modules-1.14.1-9.module_el8.3.0+2165+af250afe.alma.noarch.rpm | Linux |
| Important: nginx:1.14 security update nginx-filesystem-1.14.1-9.module_el8.3.0+2165+af250afe.alma.noarch.rpm | Linux |
| Important: nginx:1.14 security update nginx-mod-http-image-filter-1.14.1-9.module_el8.3.0+2165+af250afe.alma.x86_64.rpm | Linux |
| Important: nginx:1.14 security update nginx-mod-http-perl-1.14.1-9.module_el8.3.0+2165+af250afe.alma.x86_64.rpm | Linux |
| Important: nginx:1.14 security update nginx-mod-http-xslt-filter-1.14.1-9.module_el8.3.0+2165+af250afe.alma.x86_64.rpm | Linux |
| Important: nginx:1.14 security update nginx-mod-mail-1.14.1-9.module_el8.3.0+2165+af250afe.alma.x86_64.rpm | Linux |
| Important: nginx:1.14 security update nginx-mod-stream-1.14.1-9.module_el8.3.0+2165+af250afe.alma.x86_64.rpm | Linux |
| Uncontrolled Resource Consumption Vulnerability (CVE-2019-9511) | NCM |
Patch Details
Patches provided by ManageEngine for this CVE:
| Patch ID | Patch Description |
|---|---|
| PATCH-27214 | 2019-08 Cumulative Update for Windows 10 Version 1607 for x86-based Systems (KB4512517) |
| PATCH-27223 | 2019-08 Cumulative Update for Windows 10 Version 1803 for x64-based Systems (KB4512501) |
| PATCH-27224 | 2019-08 Cumulative Update for Windows Server 2016 (1803) for x64-based Systems (KB4512501) |
| PATCH-27225 | 2019-08 Cumulative Update for Windows 10 Version 1803 for x86-based Systems (KB4512501) |
| PATCH-27221 | 2019-08 Cumulative Update for Windows 10 Version 1709 for x64-based Systems (KB4512516) |
| PATCH-27222 | 2019-08 Cumulative Update for Windows 10 Version 1709 for x86-based Systems (KB4512516) |
| PATCH-27229 | 2019-08 Cumulative Update for Windows 10 Version 1903 for x64-based Systems (KB4512508) |
| PATCH-27230 | 2019-08 Cumulative Update for Windows Server, version 1903 for x64-based Systems (KB4512508) |
| PATCH-27231 | 2019-08 Cumulative Update for Windows 10 Version 1903 for x86-based Systems (KB4512508) |
| PATCH-27215 | 2019-08 Cumulative Update for Windows 10 Version 1607 for x64-based Systems (KB4512517) |
| PATCH-27216 | 2019-08 Cumulative Update for Windows Server 2016 for x64-based Systems (KB4512517) |
| PATCH-27226 | 2019-08 Cumulative Update for Windows Server 2019 for x64-based Systems (KB4511553) |
| PATCH-27227 | 2019-08 Cumulative Update for Windows 10 Version 1809 for x64-based Systems (KB4511553) |
| PATCH-27228 | 2019-08 Cumulative Update for Windows 10 Version 1809 for x86-based Systems (KB4511553) |
| PATCH-27217 | 2019-08 Cumulative Update for Windows 10 Version 1507 for x86-based Systems (KB4512497) |
| PATCH-27218 | 2019-08 Cumulative Update for Windows 10 Version 1507 for x64-based Systems (KB4512497) |
| PATCH-324370 | Node.js 12 (12.22.12) |
| PATCH-331763 | Node.js 18 (x64) (18.17.0) |
| PATCH-331762 | Node.js 18 (18.17.0) |
| PATCH-319043 | Node.js 10 (x64) (10.24.1) |
| PATCH-319042 | Node.js 10 (10.24.1) |