CVE-2019-9518
PUBLISHED
Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU.
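A defender-side check for the traffic pattern described above, as an added example that is not part of the original record or of any affected project's code. It parses the 9-byte HTTP/2 frame headers (RFC 7540) in a captured byte stream and counts zero-length DATA, HEADERS, PUSH_PROMISE and CONTINUATION frames that do not carry the END_STREAM bit. The function names, the threshold of 100 and the sample streams are assumptions made for illustration, and the input is assumed to start after the client connection preface.

```python
import struct
from collections import Counter

FRAME_HEADER_LEN = 9   # 24-bit length, 8-bit type, 8-bit flags, 32-bit stream id
END_STREAM = 0x1       # defined for DATA and HEADERS; checked uniformly here
WATCHED = {0x0: "DATA", 0x1: "HEADERS", 0x5: "PUSH_PROMISE", 0x9: "CONTINUATION"}

def iter_frames(buf):
    """Yield (type, flags, stream_id, length) for each complete frame in buf."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(buf):
        hi, lo, ftype, flags, sid = struct.unpack_from(">BHBBI", buf, off)
        length = (hi << 16) | lo
        if off + FRAME_HEADER_LEN + length > len(buf):
            break  # truncated capture: stop at the last complete frame
        yield ftype, flags, sid & 0x7FFFFFFF, length  # mask the reserved bit
        off += FRAME_HEADER_LEN + length

def count_empty_frames(buf):
    """Count empty frames of the watched types that lack END_STREAM."""
    counts = Counter()
    for ftype, flags, _sid, length in iter_frames(buf):
        if ftype in WATCHED and length == 0 and not flags & END_STREAM:
            counts[WATCHED[ftype]] += 1
    return counts

def is_flood(buf, threshold=100):
    """threshold is an arbitrary illustrative value, not a vendor default."""
    return sum(count_empty_frames(buf).values()) >= threshold

def make_frame(ftype, flags, sid, payload=b""):
    """Helper that builds one frame for the constructed samples below."""
    n = len(payload)
    return struct.pack(">BHBBI", n >> 16, n & 0xFFFF, ftype, flags, sid) + payload

# Constructed sample: a normal exchange. An empty DATA frame WITH END_STREAM
# is a legitimate way to close a stream and must not be counted.
CONSTRUCTED_BENIGN = (make_frame(0x1, 0x4, 1, b"\x82")
                      + make_frame(0x0, 0x1, 1, b"hello")
                      + make_frame(0x0, 0x1, 3))
# Constructed sample: the pattern from the description on one stream.
CONSTRUCTED_FLOOD = make_frame(0x0, 0x0, 1) * 300 + make_frame(0x9, 0x0, 1) * 200

if __name__ == "__main__":
    for name, data in (("benign", CONSTRUCTED_BENIGN), ("flood", CONSTRUCTED_FLOOD)):
        print(name, dict(count_empty_frames(data)), "flood" if is_flood(data) else "ok")
```

In practice the count would be kept per connection over a time window, so that a long-lived connection with occasional empty frames is not flagged.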
Risk Scores
EPSS Score: 3.58% (88.0th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:18.04:LTS | trafficserver | 0, 7.0.0-5, 7.1.2+ds-2 |
| Ubuntu:Pro:18.04:LTS | netty | 0, 1:4.1.7-4, 1:4.1.7-4ubuntu0.1~esm1 |
Exploit Intelligence
- [trafficserver-announce] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames (cve.org)
- [trafficserver-users] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames (cve.org)
- [trafficserver-dev] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames (cve.org)
- cli.rs (github-poc)
…and 23 more exploits
Timeline
- Aug 13, 2019 CVE Published
- Apr 14, 2021 EPSS Score
- Feb 4, 2022 EPSS Score
- Mar 7, 2023 EPSS Score
- Aug 4, 2024 CVE Updated
- Dec 17, 2024 EPSS Score
- Mar 18, 2025 EPSS Score
- Mar 19, 2025 EPSS Score
- Mar 25, 2025 EPSS Score
- Mar 28, 2025 EPSS Score
- Mar 30, 2025 EPSS Score
- Apr 1, 2025 EPSS Score
References
- https://ubuntu.com/security/CVE-2019-9518 third-party-advisory
- https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md third-party-advisory
- https://netty.io/news/2019/08/13/4-1-39-Final.html third-party-advisory
- https://github.com/netty/netty/pull/9461 third-party-advisory
- https://ubuntu.com/security/notices/USN-4866-1 vendor-advisory
- https://www.cve.org/CVERecord?id=CVE-2019-9518 third-party-advisory
- Multiple vulnerabilities in Juniper products advisory