rpm package
opensuse/nghttp2&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/nghttp2&distro=openSUSE%20Tumbleweed
Vulnerabilities (9)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-27135 | Hig | 7.5 | < 1.68.1-1.1 | 1.68.1-1.1 | Mar 18, 2026 | nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the ap | |
| CVE-2024-28182 | — | < 1.61.0-1.1 | 1.61.0-1.1 | Apr 4, 2024 | nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usag | ||
| CVE-2023-44487 | Hig | 7.5 | KEV | < 1.57.0-1.1 | 1.57.0-1.1 | Oct 10, 2023 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. |
| CVE-2023-35945 | — | < 1.55.1-1.1 | 1.55.1-1.1 | Jul 13, 2023 | Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy’s HTTP/2 codec may leak a header map and bookkeeping structures upon receiving `RST_STREAM` immediately followed by the `GOAWAY` frames from an upstream server. In nghttp2, cleanup of pending requests due t | ||
| CVE-2020-11080 | — | < 1.43.0-1.6 | 1.43.0-1.6 | Jun 3, 2020 | In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. T | ||
| CVE-2016-1544 | — | < 1.17.0-1.1 | 1.17.0-1.1 | Feb 6, 2020 | nghttp2 before 1.7.1 allows remote attackers to cause a denial of service (memory exhaustion). | ||
| CVE-2019-18802 | — | < 1.64.0-1.1 | 1.64.0-1.1 | Dec 13, 2019 | An issue was discovered in Envoy 1.12.0. An untrusted remote client may send an HTTP header (such as Host) with whitespace after the header content. Envoy will treat "header-value " as a different string from "header-value" so for example with the Host header "example.com " one c | ||
| CVE-2019-9511 | — | < 1.43.0-1.6 | 1.43.0-1.6 | Aug 13, 2019 | Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and | ||
| CVE-2018-1000168 | — | < 1.43.0-1.6 | 1.43.0-1.6 | May 8, 2018 | nghttp2 version >= 1.10.0 and nghttp2 <= v1.31.0 contains an Improper Input Validation CWE-20 vulnerability in ALTSVC frame handling that can result in segmentation fault leading to denial of service. This attack appears to be exploitable via network client. This vulnerability ap |
- affected < 1.68.1-1.1fixed 1.68.1-1.1
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the ap
- CVE-2024-28182Apr 4, 2024affected < 1.61.0-1.1fixed 1.61.0-1.1
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usag
- affected < 1.57.0-1.1fixed 1.57.0-1.1
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
- CVE-2023-35945Jul 13, 2023affected < 1.55.1-1.1fixed 1.55.1-1.1
Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy’s HTTP/2 codec may leak a header map and bookkeeping structures upon receiving `RST_STREAM` immediately followed by the `GOAWAY` frames from an upstream server. In nghttp2, cleanup of pending requests due t
- CVE-2020-11080Jun 3, 2020affected < 1.43.0-1.6fixed 1.43.0-1.6
In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. T
- CVE-2016-1544Feb 6, 2020affected < 1.17.0-1.1fixed 1.17.0-1.1
nghttp2 before 1.7.1 allows remote attackers to cause a denial of service (memory exhaustion).
- CVE-2019-18802Dec 13, 2019affected < 1.64.0-1.1fixed 1.64.0-1.1
An issue was discovered in Envoy 1.12.0. An untrusted remote client may send an HTTP header (such as Host) with whitespace after the header content. Envoy will treat "header-value " as a different string from "header-value" so for example with the Host header "example.com " one c
- CVE-2019-9511Aug 13, 2019affected < 1.43.0-1.6fixed 1.43.0-1.6
Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and
- CVE-2018-1000168May 8, 2018affected < 1.43.0-1.6fixed 1.43.0-1.6
nghttp2 version >= 1.10.0 and nghttp2 <= v1.31.0 contains an Improper Input Validation CWE-20 vulnerability in ALTSVC frame handling that can result in segmentation fault leading to denial of service. This attack appears to be exploitable via network client. This vulnerability ap