CVE-2019-9515
PUBLISHED
Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
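To make the mechanism concrete, here is an added example (not code from the advisory or from any of the affected projects) that parses raw HTTP/2 frames and applies the kind of per-connection SETTINGS budget a server uses to stop queueing unbounded acknowledgements; the budget value and the sample byte streams are constructed for the demonstration.

```python
from dataclasses import dataclass

FRAME_HEADER_LEN = 9        # 24-bit length, 8-bit type, 8-bit flags, 32-bit stream id
TYPE_HEADERS = 0x1
TYPE_SETTINGS = 0x4
FLAG_ACK = 0x1
MAX_SETTINGS_PER_BATCH = 10  # assumed budget; real servers choose their own limit


@dataclass
class Frame:
    length: int
    ftype: int
    flags: int
    stream_id: int
    payload: bytes


def build_frame(ftype: int, flags: int = 0, stream_id: int = 0, payload: bytes = b"") -> bytes:
    """Serialize one HTTP/2 frame using the RFC 7540 section 4.1 header layout."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def parse_frames(data: bytes) -> list:
    """Split a raw HTTP/2 byte stream (after the preface) into frames; a truncated tail is left unparsed."""
    frames, off = [], 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF  # drop reserved bit
        off += FRAME_HEADER_LEN
        if off + length > len(data):
            break  # incomplete frame: wait for more bytes
        frames.append(Frame(length, ftype, flags, stream_id, data[off:off + length]))
        off += length
    return frames


def settings_flood(frames: list, budget: int = MAX_SETTINGS_PER_BATCH) -> tuple:
    """Return (settings_needing_ack, flood_detected) for one batch of peer frames.

    Every SETTINGS frame without the ACK flag obliges us to send one ACK, so an
    empty SETTINGS frame costs the sender nothing but costs us an outbound frame.
    A server enforcing a budget closes the connection instead of queueing ACKs."""
    pending = 0
    for f in frames:
        if f.ftype == TYPE_SETTINGS and not (f.flags & FLAG_ACK):
            pending += 1
            if pending > budget:
                return pending, True
    return pending, False


# Constructed samples: a normal start of a connection versus a burst of empty SETTINGS frames.
BENIGN = build_frame(TYPE_SETTINGS) + build_frame(TYPE_HEADERS, 0x5, 1, b"\x82")
FLOOD = build_frame(TYPE_SETTINGS) * 101
```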
Risk Scores
- EPSS Score: 8.89% (92.7th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:24.04:LTS | grpc | 1.51.1-4, 1.51.1-3build4, 1.51.1-4.1build5 |
| Ubuntu:25.10 | golang-google-grpc | 0, 1.64.0-6, 1.64.0-7 |
| Ubuntu:16.04:LTS | trafficserver | 5.3.0-2ubuntu2, 5.3.0-2ubuntu1, 0 |
| Ubuntu:20.04:LTS | twisted | 18.9.0-6build1, 0, 18.9.0-3ubuntu1 |
| Ubuntu:25.10 | grpc | 0, 1.51.1-6, 1.51.1-6build1 |
| Ubuntu:18.04:LTS | trafficserver | 7.0.0-5, 7.1.2+ds-2build1, * |
| Ubuntu:18.04:LTS | golang-google-grpc | 1.6.0-3ubuntu0.18.04.1, 1.6.0-3, 0 |
| Ubuntu:Pro:18.04:LTS | h2o | 2.2.4+dfsg-1ubuntu0.1~esm2, 2.2.4+dfsg-1, 2.2.3+dfsg-2 |
| Ubuntu:20.04:LTS | golang-google-grpc | 0, 1.22.1-1ubuntu1 |
| Ubuntu:Pro:18.04:LTS | netty | 1:4.1.7-4, 1:4.1.7-4ubuntu0.1, 0 |
| Ubuntu:18.04:LTS | grpc | 1.3.2-1ubuntu1, 0, 1.3.2-1 |
| Ubuntu:20.04:LTS | grpc | 1.16.1-1ubuntu5, 0, 1.16.1-1ubuntu1 |
| Ubuntu:16.04:LTS | golang-google-grpc | 0, 0.0~git20150514.0.f5ebd86-1, 0.0~git20150514.0.f5ebd86-2 |
| Ubuntu:Pro:24.04:LTS | golang-google-grpc | 1.38.0+really1.33.3-1ubuntu0.24.04.1, 1.38.0+really1.33.3-1ubuntu0.24.04.2, 1.38.0+really1.33.3-1ubuntu0.24.04.2+esm1 |
| Ubuntu:16.04:LTS | grpc | 0, 0.10.2-1, 0.11.1-1 |
| Ubuntu:22.04:LTS | golang-google-grpc | 1.29.1-0ubuntu1, 0 |
| Ubuntu:22.04:LTS | grpc | 1.30.2-3, 0, 1.30.2-3build5 |
| Ubuntu:18.04:LTS | twisted | 17.9.0-1, 17.9.0-2, 0 |
Exploit Intelligence
- ET DOS Possible Apache Traffic Server HTTP2 Settings Flood Error Response (CVE-2019-9515) [disabled] (emergingthreats)
- ET DOS Possible Apache Traffic Server HTTP2 Settings Flood Denial of Service Inbound (CVE-2019-9515) [disabled] (emergingthreats)
- [trafficserver-dev] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks (cve.org)
- [trafficserver-users] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks (cve.org)
- [trafficserver-announce] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks (cve.org)
- cli.rs (github-poc)
…and 17 more exploits
Timeline
- Aug 13, 2019 CVE Published
- Apr 14, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 4, 2021 PoC Published
- Dec 27, 2021 EPSS Score
- Feb 4, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
- Jan 8, 2023 EPSS Score
- Mar 11, 2023 EPSS Score
- Jun 17, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2019-9515 third-party-advisory
- https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md third-party-advisory
- https://netty.io/news/2019/08/13/4-1-39-Final.html third-party-advisory
- http://blog.kazuhooku.com/2019/08/h2o-version-226-230-beta2-released.html third-party-advisory
- https://github.com/netty/netty/pull/9460 third-party-advisory
- https://labs.twistedmatrix.com/2019/11/twisted-19100-released.html third-party-advisory
- https://ubuntu.com/security/notices/USN-4308-1 vendor-advisory
- https://ubuntu.com/security/notices/USN-4866-1 vendor-advisory
- https://www.cve.org/CVERecord?id=CVE-2019-9515 third-party-advisory