HTTP/2: flood using empty frames results in excessive resources consumption - CVE-2019-9518ID: oval:org.secpod.oval:def:58207 | Date: (C)2019-10-10 (M)2024-04-17 |
Class: VULNERABILITY | Family: unix |
Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU.
Platform: |
Red Hat Enterprise Linux 8 |