CVE-2019-10081 - HTTP/2 (2.4.20 through 2.4.39) very early pushes, for example configured with "H2PushResource", coul

CVE-2019-10081

Summary

HTTP/2 (2.4.20 through 2.4.39) very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data supplied by the client.

References

Vulnerable Configurations

cpe:2.3:a:apache:http_server:2.4.20:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.20:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.21:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.21:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.22:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.22:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.23:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.23:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.24:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.24:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.25:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.25:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.26:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.26:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.27:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.27:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.28:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.28:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.29:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.29:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.30:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.30:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.32:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.32:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.33:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.33:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.34:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.34:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.35:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.35:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.36:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.36:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.37:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.37:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.38:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.38:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.39:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.39:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

CVSS

Base:	5.0 (as of 06-06-2021 - 11:15)
Impact:
Exploitability:

CWE

CWE-787

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
NONE	NONE	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:N/I:N/A:P

redhat via4

rpms

jbcs-httpd24-apr-0:1.6.3-86.jbcs.el6
jbcs-httpd24-apr-0:1.6.3-86.jbcs.el7
jbcs-httpd24-apr-debuginfo-0:1.6.3-86.jbcs.el6
jbcs-httpd24-apr-debuginfo-0:1.6.3-86.jbcs.el7
jbcs-httpd24-apr-devel-0:1.6.3-86.jbcs.el6
jbcs-httpd24-apr-devel-0:1.6.3-86.jbcs.el7
jbcs-httpd24-brotli-0:1.0.6-21.jbcs.el6
jbcs-httpd24-brotli-0:1.0.6-21.jbcs.el7
jbcs-httpd24-brotli-debuginfo-0:1.0.6-21.jbcs.el6
jbcs-httpd24-brotli-debuginfo-0:1.0.6-21.jbcs.el7
jbcs-httpd24-brotli-devel-0:1.0.6-21.jbcs.el6
jbcs-httpd24-brotli-devel-0:1.0.6-21.jbcs.el7
jbcs-httpd24-httpd-0:2.4.37-52.jbcs.el6
jbcs-httpd24-httpd-0:2.4.37-52.jbcs.el7
jbcs-httpd24-httpd-debuginfo-0:2.4.37-52.jbcs.el6
jbcs-httpd24-httpd-debuginfo-0:2.4.37-52.jbcs.el7
jbcs-httpd24-httpd-devel-0:2.4.37-52.jbcs.el6
jbcs-httpd24-httpd-devel-0:2.4.37-52.jbcs.el7
jbcs-httpd24-httpd-manual-0:2.4.37-52.jbcs.el6
jbcs-httpd24-httpd-manual-0:2.4.37-52.jbcs.el7
jbcs-httpd24-httpd-selinux-0:2.4.37-52.jbcs.el6
jbcs-httpd24-httpd-selinux-0:2.4.37-52.jbcs.el7
jbcs-httpd24-httpd-tools-0:2.4.37-52.jbcs.el6
jbcs-httpd24-httpd-tools-0:2.4.37-52.jbcs.el7
jbcs-httpd24-mod_cluster-native-0:1.3.12-41.Final_redhat_2.jbcs.el6
jbcs-httpd24-mod_cluster-native-0:1.3.12-41.Final_redhat_2.jbcs.el7
jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-41.Final_redhat_2.jbcs.el6
jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-41.Final_redhat_2.jbcs.el7
jbcs-httpd24-mod_http2-0:1.11.3-22.jbcs.el6
jbcs-httpd24-mod_http2-0:1.11.3-22.jbcs.el7
jbcs-httpd24-mod_http2-debuginfo-0:1.11.3-22.jbcs.el6
jbcs-httpd24-mod_http2-debuginfo-0:1.11.3-22.jbcs.el7
jbcs-httpd24-mod_ldap-0:2.4.37-52.jbcs.el6
jbcs-httpd24-mod_ldap-0:2.4.37-52.jbcs.el7
jbcs-httpd24-mod_proxy_html-1:2.4.37-52.jbcs.el6
jbcs-httpd24-mod_proxy_html-1:2.4.37-52.jbcs.el7
jbcs-httpd24-mod_session-0:2.4.37-52.jbcs.el6
jbcs-httpd24-mod_session-0:2.4.37-52.jbcs.el7
jbcs-httpd24-mod_ssl-1:2.4.37-52.jbcs.el6
jbcs-httpd24-mod_ssl-1:2.4.37-52.jbcs.el7
jbcs-httpd24-openssl-1:1.1.1c-16.jbcs.el6
jbcs-httpd24-openssl-1:1.1.1c-16.jbcs.el7
jbcs-httpd24-openssl-debuginfo-1:1.1.1c-16.jbcs.el6
jbcs-httpd24-openssl-debuginfo-1:1.1.1c-16.jbcs.el7
jbcs-httpd24-openssl-devel-1:1.1.1c-16.jbcs.el6
jbcs-httpd24-openssl-devel-1:1.1.1c-16.jbcs.el7
jbcs-httpd24-openssl-libs-1:1.1.1c-16.jbcs.el6
jbcs-httpd24-openssl-libs-1:1.1.1c-16.jbcs.el7
jbcs-httpd24-openssl-perl-1:1.1.1c-16.jbcs.el6
jbcs-httpd24-openssl-perl-1:1.1.1c-16.jbcs.el7
jbcs-httpd24-openssl-static-1:1.1.1c-16.jbcs.el6
jbcs-httpd24-openssl-static-1:1.1.1c-16.jbcs.el7
httpd-0:2.4.37-30.module+el8.3.0+7001+0766b9e7
httpd-debuginfo-0:2.4.37-30.module+el8.3.0+7001+0766b9e7
httpd-debugsource-0:2.4.37-30.module+el8.3.0+7001+0766b9e7
httpd-devel-0:2.4.37-30.module+el8.3.0+7001+0766b9e7
httpd-filesystem-0:2.4.37-30.module+el8.3.0+7001+0766b9e7
httpd-manual-0:2.4.37-30.module+el8.3.0+7001+0766b9e7
httpd-tools-0:2.4.37-30.module+el8.3.0+7001+0766b9e7
httpd-tools-debuginfo-0:2.4.37-30.module+el8.3.0+7001+0766b9e7
mod_http2-0:1.15.7-2.module+el8.3.0+7670+8bf57d29
mod_http2-debuginfo-0:1.15.7-2.module+el8.3.0+7670+8bf57d29
mod_http2-debugsource-0:1.15.7-2.module+el8.3.0+7670+8bf57d29
mod_ldap-0:2.4.37-30.module+el8.3.0+7001+0766b9e7
mod_ldap-debuginfo-0:2.4.37-30.module+el8.3.0+7001+0766b9e7
mod_md-1:2.0.8-8.module+el8.3.0+6814+67d1e611
mod_md-debuginfo-1:2.0.8-8.module+el8.3.0+6814+67d1e611
mod_md-debugsource-1:2.0.8-8.module+el8.3.0+6814+67d1e611
mod_proxy_html-1:2.4.37-30.module+el8.3.0+7001+0766b9e7
mod_proxy_html-debuginfo-1:2.4.37-30.module+el8.3.0+7001+0766b9e7
mod_session-0:2.4.37-30.module+el8.3.0+7001+0766b9e7
mod_session-debuginfo-0:2.4.37-30.module+el8.3.0+7001+0766b9e7
mod_ssl-1:2.4.37-30.module+el8.3.0+7001+0766b9e7
mod_ssl-debuginfo-1:2.4.37-30.module+el8.3.0+7001+0766b9e7

refmap via4

bugtraq	20190826 [SECURITY] [DSA 4509-1] apache2 security update
confirm	https://security.netapp.com/advisory/ntap-20190905-0003/ https://support.f5.com/csp/article/K84341091?utm_source=f5support&utm_medium=RSS
debian	DSA-4509
gentoo	GLSA-201909-04
misc	https://httpd.apache.org/security/vulnerabilities_24.html https://www.oracle.com/security-alerts/cpuapr2020.html https://www.oracle.com/security-alerts/cpujul2020.html https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
mlist	[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html [httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
suse	openSUSE-SU-2019:2051
ubuntu	USN-4113-1

Last major update

06-06-2021 - 11:15

Published

15-08-2019 - 22:15

Last modified

06-06-2021 - 11:15