rpm package
suse/nghttp2&distro=SUSE Linux Enterprise Server 12 SP5
pkg:rpm/suse/nghttp2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5
Vulnerabilities (8)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-28182 | — | < 1.39.2-3.18.1 | 1.39.2-3.18.1 | Apr 4, 2024 | nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usag | ||
| CVE-2023-44487 | Hig | 7.5 | KEV | < 1.39.2-3.13.1 | 1.39.2-3.13.1 | Oct 10, 2023 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. |
| CVE-2023-35945 | — | < 1.39.2-3.10.1 | 1.39.2-3.10.1 | Jul 13, 2023 | Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy’s HTTP/2 codec may leak a header map and bookkeeping structures upon receiving `RST_STREAM` immediately followed by the `GOAWAY` frames from an upstream server. In nghttp2, cleanup of pending requests due t | ||
| CVE-2020-11080 | — | < 1.39.2-3.5.1 | 1.39.2-3.5.1 | Jun 3, 2020 | In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. T | ||
| CVE-2016-1544 | — | < 1.39.2-3.5.1 | 1.39.2-3.5.1 | Feb 6, 2020 | nghttp2 before 1.7.1 allows remote attackers to cause a denial of service (memory exhaustion). | ||
| CVE-2019-9513 | — | < 1.39.2-3.5.1 | 1.39.2-3.5.1 | Aug 13, 2019 | Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consu | ||
| CVE-2019-9511 | — | < 1.39.2-3.5.1 | 1.39.2-3.5.1 | Aug 13, 2019 | Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and | ||
| CVE-2018-1000168 | — | < 1.39.2-3.5.1 | 1.39.2-3.5.1 | May 8, 2018 | nghttp2 version >= 1.10.0 and nghttp2 <= v1.31.0 contains an Improper Input Validation CWE-20 vulnerability in ALTSVC frame handling that can result in segmentation fault leading to denial of service. This attack appears to be exploitable via network client. This vulnerability ap |
- CVE-2024-28182Apr 4, 2024affected < 1.39.2-3.18.1fixed 1.39.2-3.18.1
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usag
- affected < 1.39.2-3.13.1fixed 1.39.2-3.13.1
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
- CVE-2023-35945Jul 13, 2023affected < 1.39.2-3.10.1fixed 1.39.2-3.10.1
Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy’s HTTP/2 codec may leak a header map and bookkeeping structures upon receiving `RST_STREAM` immediately followed by the `GOAWAY` frames from an upstream server. In nghttp2, cleanup of pending requests due t
- CVE-2020-11080Jun 3, 2020affected < 1.39.2-3.5.1fixed 1.39.2-3.5.1
In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. T
- CVE-2016-1544Feb 6, 2020affected < 1.39.2-3.5.1fixed 1.39.2-3.5.1
nghttp2 before 1.7.1 allows remote attackers to cause a denial of service (memory exhaustion).
- CVE-2019-9513Aug 13, 2019affected < 1.39.2-3.5.1fixed 1.39.2-3.5.1
Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consu
- CVE-2019-9511Aug 13, 2019affected < 1.39.2-3.5.1fixed 1.39.2-3.5.1
Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and
- CVE-2018-1000168May 8, 2018affected < 1.39.2-3.5.1fixed 1.39.2-3.5.1
nghttp2 version >= 1.10.0 and nghttp2 <= v1.31.0 contains an Improper Input Validation CWE-20 vulnerability in ALTSVC frame handling that can result in segmentation fault leading to denial of service. This attack appears to be exploitable via network client. This vulnerability ap