CVE-2019-9516
Description
Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory.
Risk Information
Base Score
6.5
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS Score
Exploitation Probability
2.393
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Multiple vulnerabilities are fixed in Node.js 12 (12.22.12) | Windows |
| Multiple vulnerabilities are fixed in Node.js 18 (x64) (18.16.1) | Windows |
| Multiple vulnerabilities are fixed in Node.js 18 (18.16.1) | Windows |
| Multiple vulnerabilities are fixed in Node.js (x64) (10.16.3) | Windows |
| Multiple vulnerabilities are fixed in Node.js (10.16.3) | Windows |
| Multiple vulnerabilities are fixed in Node.js 8 8.16.1 | Windows |
| Multiple vulnerabilities are fixed in Node.js 8 (x64) 8.16.1 | Windows |
| Multiple vulnerabilities are fixed in Node.js 12 12.8.1 | Windows |
| Vulnerabilities CVE-2019-9511, CVE-2019-9513, CVE-2019-9516 are fixed in Nginx 1.17.3 | Windows |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-core_1.14.0-0ubuntu1.4_i386.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-core_1.14.0-0ubuntu1.4_amd64.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-core_1.15.9-0ubuntu1.1_i386.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-core_1.15.9-0ubuntu1.1_amd64.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-core_1.10.3-0ubuntu0.16.04.4_i386.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-core_1.10.3-0ubuntu0.16.04.4_amd64.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-full_1.14.0-0ubuntu1.4_i386.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-full_1.14.0-0ubuntu1.4_amd64.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-full_1.15.9-0ubuntu1.1_i386.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-full_1.15.9-0ubuntu1.1_amd64.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-full_1.10.3-0ubuntu0.16.04.4_i386.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-full_1.10.3-0ubuntu0.16.04.4_amd64.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-light_1.14.0-0ubuntu1.4_i386.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-light_1.14.0-0ubuntu1.4_amd64.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-light_1.15.9-0ubuntu1.1_i386.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-light_1.15.9-0ubuntu1.1_amd64.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-light_1.10.3-0ubuntu0.16.04.4_i386.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-light_1.10.3-0ubuntu0.16.04.4_amd64.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-common_1.14.0-0ubuntu1.4_all.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-common_1.15.9-0ubuntu1.1_all.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-common_1.10.3-0ubuntu0.16.04.4_all.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-extras_1.14.0-0ubuntu1.4_i386.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-extras_1.14.0-0ubuntu1.4_amd64.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-extras_1.15.9-0ubuntu1.1_i386.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-extras_1.15.9-0ubuntu1.1_amd64.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-extras_1.10.3-0ubuntu0.16.04.4_i386.deb | Linux |
| small, powerful, scalable web/proxy server (USN-4099-1) nginx-extras_1.10.3-0ubuntu0.16.04.4_amd64.deb | Linux |
| nginx security update (DSA-4505-1) nginx_1.10.3-1+deb9u3_all.deb | Linux |
| nginx security update (DSA-4505-1) nginx_1.14.2-2+deb10u1_all.deb | Linux |
| (RHSA-2019:2799) nginx:1.14 security update nginx-1.14.1-9.module+el8.0.0+4108+af250afe.x86_64.rpm | Linux |
| (RHSA-2019:2799) nginx:1.14 security update nginx-all-modules-1.14.1-9.module+el8.0.0+4108+af250afe.noarch.rpm | Linux |
| (RHSA-2019:2799) nginx:1.14 security update nginx-debugsource-1.14.1-9.module+el8.0.0+4108+af250afe.x86_64.rpm | Linux |
| (RHSA-2019:2799) nginx:1.14 security update nginx-filesystem-1.14.1-9.module+el8.0.0+4108+af250afe.noarch.rpm | Linux |
| (RHSA-2019:2799) nginx:1.14 security update nginx-mod-http-image-filter-1.14.1-9.module+el8.0.0+4108+af250afe.x86_64.rpm | Linux |
| (RHSA-2019:2799) nginx:1.14 security update nginx-mod-http-perl-1.14.1-9.module+el8.0.0+4108+af250afe.x86_64.rpm | Linux |
| (RHSA-2019:2799) nginx:1.14 security update nginx-mod-http-xslt-filter-1.14.1-9.module+el8.0.0+4108+af250afe.x86_64.rpm | Linux |
| (RHSA-2019:2799) nginx:1.14 security update nginx-mod-mail-1.14.1-9.module+el8.0.0+4108+af250afe.x86_64.rpm | Linux |
| (RHSA-2019:2799) nginx:1.14 security update nginx-mod-stream-1.14.1-9.module+el8.0.0+4108+af250afe.x86_64.rpm | Linux |
| Nginx update (ELSA-2019-2799) nginx-1.14.1-9.0.1.module+el8.0.0+5347+9282027e.x86_64.rpm | Linux |
| Nginx-mod-http-image-filter update (ELSA-2019-2799) nginx-mod-http-image-filter-1.14.1-9.0.1.module+el8.0.0+5347+9282027e.x86_64.rpm | Linux |
| Nginx-mod-http-perl update (ELSA-2019-2799) nginx-mod-http-perl-1.14.1-9.0.1.module+el8.0.0+5347+9282027e.x86_64.rpm | Linux |
| Nginx-mod-http-xslt-filter update (ELSA-2019-2799) nginx-mod-http-xslt-filter-1.14.1-9.0.1.module+el8.0.0+5347+9282027e.x86_64.rpm | Linux |
| Nginx-mod-mail update (ELSA-2019-2799) nginx-mod-mail-1.14.1-9.0.1.module+el8.0.0+5347+9282027e.x86_64.rpm | Linux |
| Nginx-mod-stream update (ELSA-2019-2799) nginx-mod-stream-1.14.1-9.0.1.module+el8.0.0+5347+9282027e.x86_64.rpm | Linux |
| Nginx-all-modules update (ELSA-2019-2799) nginx-all-modules-1.14.1-9.0.1.module+el8.0.0+5347+9282027e.noarch.rpm | Linux |
| Nginx-filesystem update (ELSA-2019-2799) nginx-filesystem-1.14.1-9.0.1.module+el8.0.0+5347+9282027e.noarch.rpm | Linux |
| Mod_md update (ELSA-2019-2893) mod_md-2.4.37-12.0.1.module+el8.0.0+5348+de75177e.x86_64.rpm | Linux |
| (RHSA-2019:2799) Important: security update nginx-debuginfo-1.14.1-9.module+el8.0.0+4108+af250afe.x86_64.rpm | Linux |
| (RHSA-2019:2799) Important: security update nginx-mod-http-image-filter-debuginfo-1.14.1-9.module+el8.0.0+4108+af250afe.x86_64.rpm | Linux |
| (RHSA-2019:2799) Important: security update nginx-mod-http-perl-debuginfo-1.14.1-9.module+el8.0.0+4108+af250afe.x86_64.rpm | Linux |
| (RHSA-2019:2799) Important: security update nginx-mod-http-xslt-filter-debuginfo-1.14.1-9.module+el8.0.0+4108+af250afe.x86_64.rpm | Linux |
| (RHSA-2019:2799) Important: security update nginx-mod-mail-debuginfo-1.14.1-9.module+el8.0.0+4108+af250afe.x86_64.rpm | Linux |
| (RHSA-2019:2799) Important: security update nginx-mod-stream-debuginfo-1.14.1-9.module+el8.0.0+4108+af250afe.x86_64.rpm | Linux |
| Httpd update (ELSA-2024-3121) httpd-2.4.37-64.module+el8.10.0+90271+3bc76a16.x86_64.rpm | Linux |
| Httpd-devel update (ELSA-2024-3121) httpd-devel-2.4.37-64.module+el8.10.0+90271+3bc76a16.x86_64.rpm | Linux |
| Httpd-filesystem update (ELSA-2024-3121) httpd-filesystem-2.4.37-64.module+el8.10.0+90271+3bc76a16.noarch.rpm | Linux |
| Httpd-manual update (ELSA-2024-3121) httpd-manual-2.4.37-64.module+el8.10.0+90271+3bc76a16.noarch.rpm | Linux |
| Httpd-tools update (ELSA-2024-3121) httpd-tools-2.4.37-64.module+el8.10.0+90271+3bc76a16.x86_64.rpm | Linux |
| Mod_http2 update (ELSA-2024-3121) mod_http2-1.15.7-10.module+el8.10.0+90327+96b8ea28.x86_64.rpm | Linux |
| Mod_ldap update (ELSA-2024-3121) mod_ldap-2.4.37-64.module+el8.10.0+90271+3bc76a16.x86_64.rpm | Linux |
| Mod_md update (ELSA-2024-3121) mod_md-2.0.8-8.module+el8.9.0+90011+2f9c6a23.x86_64.rpm | Linux |
| Mod_proxy_html update (ELSA-2024-3121) mod_proxy_html-2.4.37-64.module+el8.10.0+90271+3bc76a16.x86_64.rpm | Linux |
| Mod_session update (ELSA-2024-3121) mod_session-2.4.37-64.module+el8.10.0+90271+3bc76a16.x86_64.rpm | Linux |
| Mod_ssl update (ELSA-2024-3121) mod_ssl-2.4.37-64.module+el8.10.0+90271+3bc76a16.x86_64.rpm | Linux |
| Important: nginx:1.14 security update nginx-1.14.1-9.module_el8.3.0+2165+af250afe.alma.x86_64.rpm | Linux |
| Important: nginx:1.14 security update nginx-all-modules-1.14.1-9.module_el8.3.0+2165+af250afe.alma.noarch.rpm | Linux |
| Important: nginx:1.14 security update nginx-filesystem-1.14.1-9.module_el8.3.0+2165+af250afe.alma.noarch.rpm | Linux |
| Important: nginx:1.14 security update nginx-mod-http-image-filter-1.14.1-9.module_el8.3.0+2165+af250afe.alma.x86_64.rpm | Linux |
| Important: nginx:1.14 security update nginx-mod-http-perl-1.14.1-9.module_el8.3.0+2165+af250afe.alma.x86_64.rpm | Linux |
| Important: nginx:1.14 security update nginx-mod-http-xslt-filter-1.14.1-9.module_el8.3.0+2165+af250afe.alma.x86_64.rpm | Linux |
| Important: nginx:1.14 security update nginx-mod-mail-1.14.1-9.module_el8.3.0+2165+af250afe.alma.x86_64.rpm | Linux |
| Important: nginx:1.14 security update nginx-mod-stream-1.14.1-9.module_el8.3.0+2165+af250afe.alma.x86_64.rpm | Linux |
| Uncontrolled Resource Consumption Vulnerability (CVE-2019-9516) | NCM |
Patch Details
Patches provided by ManageEngine for this CVE:
| Patch ID | Patch Description |
|---|---|
| PATCH-324370 | Node.js 12 (12.22.12) |
| PATCH-331763 | Node.js 18 (x64) (18.17.0) |
| PATCH-331762 | Node.js 18 (18.17.0) |
| PATCH-319043 | Node.js 10 (x64) (10.24.1) |
| PATCH-319042 | Node.js 10 (10.24.1) |