PT-2019-4792 · Apache · Apache Traffic Server

Published

2019-09-09

Updated

2022-01-01

CVE-2019-10079

CVSS v2.0

7.8

High

Vector

AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions Apache Traffic Server versions prior to 7.1.7 Apache Traffic Server versions prior to 8.0.4

Description The issue arises from incorrect handling of HTTP/2 requests, allowing a remote attacker to impact data confidentiality, integrity, and availability. Earlier versions of Apache Traffic Server did not limit the number of setting frames sent from the client using the HTTP/2 protocol, making them susceptible to HTTP/2 setting flood attacks.

Recommendations For versions prior to 7.1.7, upgrade to Apache Traffic Server 7.1.7 or later. For versions prior to 8.0.4, upgrade to Apache Traffic Server 8.0.4 or later.

Fix

RCE

Allocation of Resources Without Limits

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20CWE-770

Related Identifiers

BDU:2020-01370

CVE-2019-10079

DSA-4520-1

Affected Products

Apache Traffic Server

PT-2019-4792 · Apache · Apache Traffic Server

CVE-2019-10079

Weakness Enumeration

Related Identifiers

Affected Products

References · 30