nghttp2: Multiple Vulnerabilities (CVE-2019-9511, CVE-2019-9513)
CVE-2019-9511: Data Dribble
The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
Affected versions:
nghttp2 version < 1.39.2
Fixed In Version:
nghttp2 v1.39.2
Reference:
https://nghttp2.org/blog/2019/08/19/nghttp2-v1-39-2/
CVE-2019-9513: Resource Loop
The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU, potentially leading to a denial of service.
Affected versions:
nghttp2 version < 1.39.2
Fixed In Version:
nghttp2 v1.39.2
Reference:
https://nghttp2.org/blog/2019/08/19/nghttp2-v1-39-2/