CVE-2019-10079
Advisory lineage Upstream: 0 Downstream: 3
Modified
Published: 22 Oct 2019, 15:42
Last modified:04 Aug 2024, 22:10
Vulnerability Summary
Overall Risk (default)
medium
31/100 CVSS Score
7.5 HIGH
v3.1 (nvd)
EPSS Score
5.1% LOW
5% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
22 Oct 2019, 15:42
Published
Vulnerability first disclosed
04 Aug 2024, 22:10
Last Modified
Vulnerability information updated
Description
Apache Traffic Server is vulnerable to HTTP/2 setting flood attacks. Earlier versions of Apache Traffic Server didn't limit the number of setting frames sent from the client using the HTTP/2 protocol. Users should upgrade to Apache Traffic Server 7.1.7, 8.0.4, or later versions.
CVSS Metrics
- v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- v2.0•MEDIUM•Score: 5AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS Trends
Current EPSS score: 5.10%• Percentile: 90%
Techniques & Countermeasures
- CWE-770•Allocation of Resources Without Limits or Throttling
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Affected Systems
- apache•traffic_server
< 7.1.7 | ≥ 8.0.0, < 8.0.4
References (3)
- https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E
- https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E
- https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E