VDB
RHSA-2019%3A2950
RHSA-2019%3A2950
PUBLISHED
CVSS 6.5 MEDIUM
A flaw was found in HTTP/2. An attacker, sending a stream of header with a 0-length header name and a 0-length header value, could cause some implementations to allocate memory for these headers and keep the allocations alive until the session dies. The can consume excess memory, potentially leading to a denial of service. The highest threat from this vulnerability is to system availability.
Risk Scores
CVSS 3.0
6.5
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | Text-Only JBCS |
Timeline
- Oct 1, 2019 CVE Published
- Apr 30, 2026 Distribution Patch
- Apr 30, 2026 Distribution Patch
- Apr 30, 2026 Security Advisory
- Apr 30, 2026 Security Advisory
- Apr 30, 2026 Security Advisory
- Apr 30, 2026 Security Advisory
- May 14, 2026 CVE Updated
References
- https://access.redhat.com/errata/RHSA-2019:2950 advisory
- https://access.redhat.com/security/updates/classification/#important advisory
- https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.apachehttp&downloadType=securityPatches&version=2.4.29 advisory
- https://access.redhat.com/documentation/en-us/red_hat_jboss_core_services/2.4.29/html/red_hat_jboss_core_services_apache_http_server_2.4.29_service_pack_3_release_notes/index advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=1741864 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=1741868 issue
- https://issues.redhat.com/browse/JBCS-828 advisory
- https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_2950.json advisory
- https://access.redhat.com/security/cve/CVE-2019-9516 advisory
- https://www.cve.org/CVERecord?id=CVE-2019-9516 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2019-9516 advisory
- https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md advisory
- https://github.com/nghttp2/nghttp2/issues/1382# advisory
- https://kb.cert.org/vuls/id/605641/ advisory
- https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/ advisory
- https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/ advisory
- https://access.redhat.com/security/cve/CVE-2019-9517 advisory
- https://www.cve.org/CVERecord?id=CVE-2019-9517 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2019-9517 advisory