Vulnerability-Lookup

CVE-2019-10079 (GCVE-0-2019-10079)

Vulnerability from cvelistv5 – Published: 2019-10-22 15:42 – Updated: 2024-08-04 22:10

Summary

Apache Traffic Server is vulnerable to HTTP/2 setting flood attacks. Earlier versions of Apache Traffic Server didn't limit the number of setting frames sent from the client using the HTTP/2 protocol. Users should upgrade to Apache Traffic Server 7.1.7, 8.0.4, or later versions.

Severity ?

No CVSS data available.

CWE

DOS Attack

Assigner

apache

References

URL

Tags

	https://lists.apache.org/thread.html/bde52309316a…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/392108390cef…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/ad3d01e76719…	mailing-listx_refsource_MLIST

Impacted products

	Vendor	Product	Version
	n/a	Apache Traffic Server	Affected: Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.6, and 8.0.0 to 8.0.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T22:10:09.532Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "[trafficserver-dev] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E"
          },
          {
            "name": "[trafficserver-users] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E"
          },
          {
            "name": "[trafficserver-announce] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Traffic Server",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.6, and 8.0.0 to 8.0.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Apache Traffic Server is vulnerable to HTTP/2 setting flood attacks. Earlier versions of Apache Traffic Server didn\u0027t limit the number of setting frames sent from the client using the HTTP/2 protocol. Users should upgrade to Apache Traffic Server 7.1.7, 8.0.4, or later versions."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "DOS Attack",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-10-28T14:21:24",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "name": "[trafficserver-dev] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E"
        },
        {
          "name": "[trafficserver-users] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E"
        },
        {
          "name": "[trafficserver-announce] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2019-10079",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Traffic Server",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.6, and 8.0.0 to 8.0.3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Apache Traffic Server is vulnerable to HTTP/2 setting flood attacks. Earlier versions of Apache Traffic Server didn\u0027t limit the number of setting frames sent from the client using the HTTP/2 protocol. Users should upgrade to Apache Traffic Server 7.1.7, 8.0.4, or later versions."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "DOS Attack"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[trafficserver-dev] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7@%3Cdev.trafficserver.apache.org%3E"
            },
            {
              "name": "[trafficserver-users] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04@%3Cusers.trafficserver.apache.org%3E"
            },
            {
              "name": "[trafficserver-announce] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19@%3Cannounce.trafficserver.apache.org%3E"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2019-10079",
    "datePublished": "2019-10-22T15:42:35",
    "dateReserved": "2019-03-26T00:00:00",
    "dateUpdated": "2024-08-04T22:10:09.532Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"7.1.7\", \"matchCriteriaId\": \"ABD66321-C0B1-45E6-A5C0-3A9F866386BC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"8.0.0\", \"versionEndExcluding\": \"8.0.4\", \"matchCriteriaId\": \"A87A8D4E-7567-4698-8414-D171B7CE05DC\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Apache Traffic Server is vulnerable to HTTP/2 setting flood attacks. Earlier versions of Apache Traffic Server didn\u0027t limit the number of setting frames sent from the client using the HTTP/2 protocol. Users should upgrade to Apache Traffic Server 7.1.7, 8.0.4, or later versions.\"}, {\"lang\": \"es\", \"value\": \"Apache Traffic Server es vulnerable a los ataques de inundaci\\u00f3n de la configuraci\\u00f3n HTTP/2. Las versiones anteriores de Apache Traffic Server no limitaban el n\\u00famero de tramas de configuraci\\u00f3n enviadas desde el cliente utilizando el protocolo HTTP/2. Los usuarios deben actualizar a Apache Traffic Server versi\\u00f3n 7.1.7, 8.0.4 o versiones posteriores.\"}]",
      "id": "CVE-2019-10079",
      "lastModified": "2024-11-21T04:18:21.293",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2019-10-22T16:15:10.610",
      "references": "[{\"url\": \"https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E\", \"source\": \"security@apache.org\"}, {\"url\": \"https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E\", \"source\": \"security@apache.org\"}, {\"url\": \"https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E\", \"source\": \"security@apache.org\"}, {\"url\": \"https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "security@apache.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-770\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2019-10079\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2019-10-22T16:15:10.610\",\"lastModified\":\"2024-11-21T04:18:21.293\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Apache Traffic Server is vulnerable to HTTP/2 setting flood attacks. Earlier versions of Apache Traffic Server didn\u0027t limit the number of setting frames sent from the client using the HTTP/2 protocol. Users should upgrade to Apache Traffic Server 7.1.7, 8.0.4, or later versions.\"},{\"lang\":\"es\",\"value\":\"Apache Traffic Server es vulnerable a los ataques de inundaci\u00f3n de la configuraci\u00f3n HTTP/2. Las versiones anteriores de Apache Traffic Server no limitaban el n\u00famero de tramas de configuraci\u00f3n enviadas desde el cliente utilizando el protocolo HTTP/2. Los usuarios deben actualizar a Apache Traffic Server versi\u00f3n 7.1.7, 8.0.4 o versiones posteriores.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"7.1.7\",\"matchCriteriaId\":\"ABD66321-C0B1-45E6-A5C0-3A9F866386BC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.0.0\",\"versionEndExcluding\":\"8.0.4\",\"matchCriteriaId\":\"A87A8D4E-7567-4698-8414-D171B7CE05DC\"}]}]}],\"references\":[{\"url\":\"https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}

GSD-2019-10079

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2019-10079

Aliases

CVE-2019-10079

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2019-10079",
    "description": "Apache Traffic Server is vulnerable to HTTP/2 setting flood attacks. Earlier versions of Apache Traffic Server didn\u0027t limit the number of setting frames sent from the client using the HTTP/2 protocol. Users should upgrade to Apache Traffic Server 7.1.7, 8.0.4, or later versions.",
    "id": "GSD-2019-10079"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2019-10079"
      ],
      "details": "Apache Traffic Server is vulnerable to HTTP/2 setting flood attacks. Earlier versions of Apache Traffic Server didn\u0027t limit the number of setting frames sent from the client using the HTTP/2 protocol. Users should upgrade to Apache Traffic Server 7.1.7, 8.0.4, or later versions.",
      "id": "GSD-2019-10079",
      "modified": "2023-12-13T01:23:59.141367Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@apache.org",
        "ID": "CVE-2019-10079",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Apache Traffic Server",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.6, and 8.0.0 to 8.0.3"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Apache Traffic Server is vulnerable to HTTP/2 setting flood attacks. Earlier versions of Apache Traffic Server didn\u0027t limit the number of setting frames sent from the client using the HTTP/2 protocol. Users should upgrade to Apache Traffic Server 7.1.7, 8.0.4, or later versions."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "DOS Attack"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "[trafficserver-dev] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7@%3Cdev.trafficserver.apache.org%3E"
          },
          {
            "name": "[trafficserver-users] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04@%3Cusers.trafficserver.apache.org%3E"
          },
          {
            "name": "[trafficserver-announce] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19@%3Cannounce.trafficserver.apache.org%3E"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "7.1.7",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "8.0.4",
                "versionStartIncluding": "8.0.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2019-10079"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Apache Traffic Server is vulnerable to HTTP/2 setting flood attacks. Earlier versions of Apache Traffic Server didn\u0027t limit the number of setting frames sent from the client using the HTTP/2 protocol. Users should upgrade to Apache Traffic Server 7.1.7, 8.0.4, or later versions."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-770"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[trafficserver-announce] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19@%3Cannounce.trafficserver.apache.org%3E"
            },
            {
              "name": "[trafficserver-users] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04@%3Cusers.trafficserver.apache.org%3E"
            },
            {
              "name": "[trafficserver-dev] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7@%3Cdev.trafficserver.apache.org%3E"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2022-01-01T20:11Z",
      "publishedDate": "2019-10-22T16:15Z"
    }
  }
}

FKIE_CVE-2019-10079

Vulnerability from fkie_nvd - Published: 2019-10-22 16:15 - Updated: 2024-11-21 04:18

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

	URL	Tags
	security@apache.org	https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E
	security@apache.org	https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E
	security@apache.org	https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E
	af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E
	af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E
	af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E

Impacted products

	Vendor	Product	Version
	apache	traffic_server	*
	apache	traffic_server	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "ABD66321-C0B1-45E6-A5C0-3A9F866386BC",
              "versionEndExcluding": "7.1.7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A87A8D4E-7567-4698-8414-D171B7CE05DC",
              "versionEndExcluding": "8.0.4",
              "versionStartIncluding": "8.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Apache Traffic Server is vulnerable to HTTP/2 setting flood attacks. Earlier versions of Apache Traffic Server didn\u0027t limit the number of setting frames sent from the client using the HTTP/2 protocol. Users should upgrade to Apache Traffic Server 7.1.7, 8.0.4, or later versions."
    },
    {
      "lang": "es",
      "value": "Apache Traffic Server es vulnerable a los ataques de inundaci\u00f3n de la configuraci\u00f3n HTTP/2. Las versiones anteriores de Apache Traffic Server no limitaban el n\u00famero de tramas de configuraci\u00f3n enviadas desde el cliente utilizando el protocolo HTTP/2. Los usuarios deben actualizar a Apache Traffic Server versi\u00f3n 7.1.7, 8.0.4 o versiones posteriores."
    }
  ],
  "id": "CVE-2019-10079",
  "lastModified": "2024-11-21T04:18:21.293",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-10-22T16:15:10.610",
  "references": [
    {
      "source": "security@apache.org",
      "url": "https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E"
    },
    {
      "source": "security@apache.org",
      "url": "https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E"
    },
    {
      "source": "security@apache.org",
      "url": "https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

WID-SEC-W-2026-0426

Vulnerability from csaf_certbund - Published: 2019-08-14 22:00 - Updated: 2026-02-16 23:00

Summary

Apache Traffic Server: Mehrere Schwachstellen ermöglichen Denial of Service

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Apache Traffic Server ist ein skalier- und erweiterbarer, mit HTTP/1.1 kompatibler "caching proxy server".

Angriff

Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Apache Traffic Server ausnutzen, um einen Denial of Service Angriff durchzuführen.

Betroffene Betriebssysteme

- Linux - MacOS X - UNIX

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Apache Traffic Server ist ein skalier- und erweiterbarer, mit HTTP/1.1 kompatibler \"caching proxy server\".",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Apache Traffic Server ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- MacOS X\n- UNIX",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-0426 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2019/wid-sec-w-2026-0426.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-0426 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0426"
      },
      {
        "category": "external",
        "summary": "Meldung auf der Apache Mailing Liste vom 2019-08-14",
        "url": "https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19@%3Cannounce.trafficserver.apache.org%3E"
      },
      {
        "category": "external",
        "summary": "Arch Linux Security Advisory ASA-201908-16 vom 2019-08-25",
        "url": "https://security.archlinux.org/ASA-201908-16"
      },
      {
        "category": "external",
        "summary": "Arch Linux Security Advisory ASA-201908-15 vom 2019-08-25",
        "url": "https://security.archlinux.org/ASA-201908-15"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2019:2214-1 vom 2019-08-24",
        "url": "https://www.suse.com/support/update/announcement/2019/suse-su-20192214-1.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2019:2213-1 vom 2019-08-24",
        "url": "https://www.suse.com/support/update/announcement/2019/suse-su-20192213-1.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2019:2682 vom 2019-09-10",
        "url": "https://access.redhat.com/errata/RHSA-2019:2682"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-4520 vom 2019-09-10",
        "url": "http://www.auscert.org.au/bulletins/ESB-2019.3412/"
      },
      {
        "category": "external",
        "summary": "RedHat Security Advisory",
        "url": "https://access.redhat.com/errata/RHSA-2019:2594"
      },
      {
        "category": "external",
        "summary": "RedHat Security Advisory",
        "url": "https://access.redhat.com/errata/RHSA-2019:2661"
      },
      {
        "category": "external",
        "summary": "RedHat Security Advisory",
        "url": "https://access.redhat.com/errata/RHSA-2019:2726"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2019:2690 vom 2019-09-11",
        "url": "https://access.redhat.com/errata/RHSA-2019:2690"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2019:2766 vom 2019-09-13",
        "url": "https://access.redhat.com/errata/RHSA-2019:2766"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2019:2796 vom 2019-09-19",
        "url": "https://access.redhat.com/errata/RHSA-2019:2796"
      },
      {
        "category": "external",
        "summary": "F5 Security Advisory",
        "url": "https://support.f5.com/csp/article/K01988340"
      },
      {
        "category": "external",
        "summary": "F5 Security Advisory",
        "url": "https://support.f5.com/csp/article/K50233772"
      },
      {
        "category": "external",
        "summary": "F5 Security Advisory",
        "url": "https://support.f5.com/csp/article/K98053339"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2019:2861 vom 2019-09-26",
        "url": "https://access.redhat.com/errata/RHSA-2019:2861"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2019:2925 vom 2019-09-30",
        "url": "https://access.redhat.com/errata/RHSA-2019:2925"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2019:2939 vom 2019-10-01",
        "url": "https://access.redhat.com/errata/RHSA-2019:2939"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2019:2966 vom 2019-10-03",
        "url": "https://access.redhat.com/errata/RHSA-2019:2966"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2019:2955 vom 2019-10-02",
        "url": "https://access.redhat.com/errata/RHSA-2019:2955"
      },
      {
        "category": "external",
        "summary": "A10 Security Advisory",
        "url": "https://support.a10networks.com/support/security-advisories/http2-multiple-dos-vulnerabilities"
      },
      {
        "category": "external",
        "summary": "Arista Security Advisory 0043 vom 2019-11-06",
        "url": "https://www.arista.com/en/support/advisories-notices/security-advisories/8762-security-advisory-43"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2019:3892 vom 2019-11-14",
        "url": "https://access.redhat.com/errata/RHSA-2019:3892"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2019:4019 vom 2019-11-26",
        "url": "https://access.redhat.com/errata/RHSA-2019:4019"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2019:4021 vom 2019-11-26",
        "url": "https://access.redhat.com/errata/RHSA-2019:4021"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2019:4018 vom 2019-11-26",
        "url": "https://access.redhat.com/errata/RHSA-2019:4018"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2019:4020 vom 2019-11-28",
        "url": "https://access.redhat.com/errata/RHSA-2019:4020"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2019:4041 vom 2019-12-02",
        "url": "https://access.redhat.com/errata/RHSA-2019:4041"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2019:4040 vom 2019-12-02",
        "url": "https://access.redhat.com/errata/RHSA-2019:4040"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2019:4042 vom 2019-12-02",
        "url": "https://access.redhat.com/errata/RHSA-2019:4042"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2019:4045 vom 2019-12-02",
        "url": "https://access.redhat.com/errata/RHSA-2019:4045"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2019:4273 vom 2019-12-17",
        "url": "https://access.redhat.com/errata/RHSA-2019:4273"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2019:4269 vom 2019-12-17",
        "url": "https://access.redhat.com/errata/RHSA-2019:4269"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2019:4352 vom 2019-12-19",
        "url": "https://access.redhat.com/errata/RHSA-2019:4352"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2020:0727 vom 2020-03-05",
        "url": "https://access.redhat.com/errata/RHSA-2020:0727"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2020:0922 vom 2020-03-23",
        "url": "https://access.redhat.com/errata/RHSA-2020:0922"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2020:0983 vom 2020-03-26",
        "url": "https://access.redhat.com/errata/RHSA-2020:0983"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2020:1445 vom 2020-04-14",
        "url": "https://access.redhat.com/errata/RHSA-2020:1445"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2020-1926 vom 2020-05-14",
        "url": "https://oss.oracle.com/pipermail/el-errata/2020-May/009920.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2020:2067 vom 2020-05-18",
        "url": "https://access.redhat.com/errata/RHSA-2020:2067"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2020:2565 vom 2020-06-15",
        "url": "https://access.redhat.com/errata/RHSA-2020:2565"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2020:3196 vom 2020-07-29",
        "url": "https://access.redhat.com/errata/RHSA-2020:3196"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2020:3197 vom 2020-07-29",
        "url": "https://access.redhat.com/errata/RHSA-2020:3197"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DLA-2485 vom 2020-12-08",
        "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00011.html"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2021-0705 vom 2021-03-05",
        "url": "https://linux.oracle.com/errata/ELSA-2021-0705.html"
      },
      {
        "category": "external",
        "summary": "Juniper Security Advisory JSA11167 vom 2021-04-16",
        "url": "https://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA11167"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2019-2726 vom 2026-02-16",
        "url": "https://linux.oracle.com/errata/ELSA-2019-2726.html"
      }
    ],
    "source_lang": "en-US",
    "title": "Apache Traffic Server: Mehrere Schwachstellen erm\u00f6glichen Denial of Service",
    "tracking": {
      "current_release_date": "2026-02-16T23:00:00.000+00:00",
      "generator": {
        "date": "2026-02-17T09:25:26.012+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.5.0"
        }
      },
      "id": "WID-SEC-W-2026-0426",
      "initial_release_date": "2019-08-14T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2019-08-14T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2019-08-18T22:00:00.000+00:00",
          "number": "2",
          "summary": "Referenz(en) aufgenommen: FEDORA-2019-5A6A7BC12C, FEDORA-2019-6A2980DE56"
        },
        {
          "date": "2019-08-25T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Arch Linux und SUSE aufgenommen"
        },
        {
          "date": "2019-08-29T22:00:00.000+00:00",
          "number": "4",
          "summary": "Referenz(en) aufgenommen: FEDORA-2019-65DB7AD6C7, FEDORA-2019-55D101A740"
        },
        {
          "date": "2019-09-09T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von Red Hat und Debian aufgenommen"
        },
        {
          "date": "2019-09-10T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2019-09-11T22:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2019-09-12T22:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2019-09-18T22:00:00.000+00:00",
          "number": "9",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2019-09-24T22:00:00.000+00:00",
          "number": "10",
          "summary": "Neue Updates von F5 aufgenommen"
        },
        {
          "date": "2019-09-26T22:00:00.000+00:00",
          "number": "11",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2019-09-29T22:00:00.000+00:00",
          "number": "12",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2019-09-30T22:00:00.000+00:00",
          "number": "13",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2019-10-03T22:00:00.000+00:00",
          "number": "14",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2019-10-21T22:00:00.000+00:00",
          "number": "15",
          "summary": "Neue Updates aufgenommen"
        },
        {
          "date": "2019-11-06T23:00:00.000+00:00",
          "number": "16",
          "summary": "Neue Updates von Arista"
        },
        {
          "date": "2019-11-14T23:00:00.000+00:00",
          "number": "17",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2019-11-26T23:00:00.000+00:00",
          "number": "18",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2019-11-27T23:00:00.000+00:00",
          "number": "19",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2019-12-02T23:00:00.000+00:00",
          "number": "20",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2019-12-16T23:00:00.000+00:00",
          "number": "21",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2019-12-19T23:00:00.000+00:00",
          "number": "22",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2020-03-05T23:00:00.000+00:00",
          "number": "23",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2020-03-22T23:00:00.000+00:00",
          "number": "24",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2020-03-26T23:00:00.000+00:00",
          "number": "25",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2020-04-14T22:00:00.000+00:00",
          "number": "26",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2020-05-14T22:00:00.000+00:00",
          "number": "27",
          "summary": "Neue Updates von Oracle Linux aufgenommen"
        },
        {
          "date": "2020-05-17T22:00:00.000+00:00",
          "number": "28",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2020-06-15T22:00:00.000+00:00",
          "number": "29",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2020-07-28T22:00:00.000+00:00",
          "number": "30",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2020-12-08T23:00:00.000+00:00",
          "number": "31",
          "summary": "Neue Updates von Debian aufgenommen"
        },
        {
          "date": "2021-03-07T23:00:00.000+00:00",
          "number": "32",
          "summary": "Neue Updates von Oracle Linux aufgenommen"
        },
        {
          "date": "2021-04-15T22:00:00.000+00:00",
          "number": "33",
          "summary": "Neue Updates von Juniper aufgenommen"
        },
        {
          "date": "2026-02-16T23:00:00.000+00:00",
          "number": "34",
          "summary": "Neue Updates von Oracle Linux aufgenommen"
        }
      ],
      "status": "final",
      "version": "34"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c5.0.0-P1",
                "product": {
                  "name": "A10 Networks ACOS \u003c5.0.0-P1",
                  "product_id": "T015231"
                }
              },
              {
                "category": "product_version",
                "name": "5.0.0-P1",
                "product": {
                  "name": "A10 Networks ACOS 5.0.0-P1",
                  "product_id": "T015231-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:a10networks:advanced_core_operating_system:5.0.0-p1"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c4.1.4-GR1-P3",
                "product": {
                  "name": "A10 Networks ACOS \u003c4.1.4-GR1-P3",
                  "product_id": "T015232"
                }
              },
              {
                "category": "product_version",
                "name": "4.1.4-GR1-P3",
                "product": {
                  "name": "A10 Networks ACOS 4.1.4-GR1-P3",
                  "product_id": "T015232-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:a10networks:advanced_core_operating_system:4.1.4-gr1-p3"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "ACOS"
          }
        ],
        "category": "vendor",
        "name": "A10 Networks"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c8.0.4",
                "product": {
                  "name": "Apache Traffic Server \u003c8.0.4",
                  "product_id": "T014849"
                }
              },
              {
                "category": "product_version",
                "name": "8.0.4",
                "product": {
                  "name": "Apache Traffic Server 8.0.4",
                  "product_id": "T014849-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apache:traffic_server:8.0.4"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c7.1.7",
                "product": {
                  "name": "Apache Traffic Server \u003c7.1.7",
                  "product_id": "T014850"
                }
              },
              {
                "category": "product_version",
                "name": "7.1.7",
                "product": {
                  "name": "Apache Traffic Server 7.1.7",
                  "product_id": "T014850-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apache:traffic_server:7.1.7"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Traffic Server"
          }
        ],
        "category": "vendor",
        "name": "Apache"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Arista EOS",
            "product": {
              "name": "Arista EOS",
              "product_id": "T007065",
              "product_identification_helper": {
                "cpe": "cpe:/o:arista:arista_eos:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Arista"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Juniper JUNOS",
            "product": {
              "name": "Juniper JUNOS",
              "product_id": "5930",
              "product_identification_helper": {
                "cpe": "cpe:/o:juniper:junos:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Juniper"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Open Source Arch Linux",
            "product": {
              "name": "Open Source Arch Linux",
              "product_id": "T013312",
              "product_identification_helper": {
                "cpe": "cpe:/o:archlinux:archlinux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Oracle Linux",
            "product": {
              "name": "Oracle Linux",
              "product_id": "T004914",
              "product_identification_helper": {
                "cpe": "cpe:/o:oracle:linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Oracle"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-10079",
      "product_status": {
        "known_affected": [
          "T014849",
          "2951",
          "T002207",
          "67646",
          "T013312",
          "5930",
          "T014850",
          "T004914",
          "T007065",
          "T015232",
          "T015231"
        ]
      },
      "release_date": "2019-08-14T22:00:00.000+00:00",
      "title": "CVE-2019-10079"
    },
    {
      "cve": "CVE-2019-9512",
      "product_status": {
        "known_affected": [
          "T014849",
          "2951",
          "T002207",
          "67646",
          "T013312",
          "5930",
          "T014850",
          "T004914",
          "T007065",
          "T015232",
          "T015231"
        ]
      },
      "release_date": "2019-08-14T22:00:00.000+00:00",
      "title": "CVE-2019-9512"
    },
    {
      "cve": "CVE-2019-9514",
      "product_status": {
        "known_affected": [
          "T014849",
          "2951",
          "T002207",
          "67646",
          "T013312",
          "5930",
          "T014850",
          "T004914",
          "T007065",
          "T015232",
          "T015231"
        ]
      },
      "release_date": "2019-08-14T22:00:00.000+00:00",
      "title": "CVE-2019-9514"
    },
    {
      "cve": "CVE-2019-9515",
      "product_status": {
        "known_affected": [
          "T014849",
          "2951",
          "T002207",
          "67646",
          "T013312",
          "5930",
          "T014850",
          "T004914",
          "T007065",
          "T015232",
          "T015231"
        ]
      },
      "release_date": "2019-08-14T22:00:00.000+00:00",
      "title": "CVE-2019-9515"
    }
  ]
}

GHSA-GF9C-JVMP-J8CG

Vulnerability from github – Published: 2022-05-24 16:59 – Updated: 2024-04-04 02:32

Details

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2019-10079"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-770"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-22T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "Apache Traffic Server is vulnerable to HTTP/2 setting flood attacks. Earlier versions of Apache Traffic Server didn\u0027t limit the number of setting frames sent from the client using the HTTP/2 protocol. Users should upgrade to Apache Traffic Server 7.1.7, 8.0.4, or later versions.",
  "id": "GHSA-gf9c-jvmp-j8cg",
  "modified": "2024-04-04T02:32:24Z",
  "published": "2022-05-24T16:59:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10079"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04@%3Cusers.trafficserver.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19@%3Cannounce.trafficserver.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7@%3Cdev.trafficserver.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/d0e00f2e147a9e9b13a6829133092f349b2882bf6860397368a52600@%3Cannounce.tomcat.apache.org%3E"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

CNVD-2019-41286

Vulnerability from cnvd - Published: 2019-11-19

Title

Apache Traffic Server HTTP/2输入验证错误漏洞

Description

Apache Traffic Server（ATS）是美国阿帕奇（Apache）软件基金会的一套可扩展的HTTP代理和缓存服务器。 Apache Traffic Server 7.1.7和8.0.4之前版本存在安全漏洞。该漏洞源于Apache Traffic Server不限制使用HTTP/2协议从客户端发送的设置帧的数量。攻击者可利用该漏洞导致拒绝服务。

Severity

中

Patch Name

Apache Traffic Server HTTP/2输入验证错误漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： http://trafficserver.apache.org/downloads

Reference

https://nvd.nist.gov/vuln/detail/CVE-2019-10079

Impacted products

Name
['Apache Traffic Server <7.1.7', 'Apache Traffic Server <8.0.4']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-10079",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2019-10079"
    }
  },
  "description": "Apache Traffic Server\uff08ATS\uff09\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u8f6f\u4ef6\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u53ef\u6269\u5c55\u7684HTTP\u4ee3\u7406\u548c\u7f13\u5b58\u670d\u52a1\u5668\u3002\n\nApache Traffic Server 7.1.7\u548c8.0.4\u4e4b\u524d\u7248\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8eApache Traffic Server\u4e0d\u9650\u5236\u4f7f\u7528HTTP/2\u534f\u8bae\u4ece\u5ba2\u6237\u7aef\u53d1\u9001\u7684\u8bbe\u7f6e\u5e27\u7684\u6570\u91cf\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttp://trafficserver.apache.org/downloads",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-41286",
  "openTime": "2019-11-19",
  "patchDescription": "Apache Traffic Server\uff08ATS\uff09\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u8f6f\u4ef6\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u53ef\u6269\u5c55\u7684HTTP\u4ee3\u7406\u548c\u7f13\u5b58\u670d\u52a1\u5668\u3002\r\n\r\nApache Traffic Server 7.1.7\u548c8.0.4\u4e4b\u524d\u7248\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8eApache Traffic Server\u4e0d\u9650\u5236\u4f7f\u7528HTTP/2\u534f\u8bae\u4ece\u5ba2\u6237\u7aef\u53d1\u9001\u7684\u8bbe\u7f6e\u5e27\u7684\u6570\u91cf\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache Traffic Server HTTP/2\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Apache Traffic Server \u003c7.1.7",
      "Apache Traffic Server \u003c8.0.4"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2019-10079",
  "serverity": "\u4e2d",
  "submitTime": "2019-10-23",
  "title": "Apache Traffic Server HTTP/2\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2019-10079 (GCVE-0-2019-10079)

GSD-2019-10079

FKIE_CVE-2019-10079

WID-SEC-W-2026-0426

GHSA-GF9C-JVMP-J8CG

CNVD-2019-41286

Tags

Sightings

Nomenclature