CVE-2016-8740

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2016-8740
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-8740.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2016-8740
Downstream
Related
Published
2016-12-05T19:59:00.250Z
Modified
2026-04-11T17:12:48.508586Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when the Protocols configuration includes h2 or h2c, does not restrict request-header length, which allows remote attackers to cause a denial of service (memory consumption) via crafted CONTINUATION frames in an HTTP/2 request.

References

Affected packages

Git / github.com/apache/httpd

Affected ranges

Type
GIT
Repo
https://github.com/apache/httpd
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
47a9d8e8abf5697b4580c3ee2ade302b5c058fa6
Last affected
b7ef32c4957883ab17105fa82e6331bf48bed78a
Last affected
fd7b5c2c8b7549905ada63869757eac5c74d1c73
Last affected
6e65a7f3dadcade4274ae53f734d4c35188e3786
Last affected
a20d31be7d66d2f9bfeadfc23e54763b36abba08
Last affected
eabf29a378c3252811e0e88a77717e67b63c1c8b
Last affected
ef07cb031c6f8f7ac483c26fc858aad68c365fd9
Database specific 
{
    "source": "CPE_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.4.17"
        },
        {
            "last_affected": "2.4.18"
        },
        {
            "last_affected": "2.4.19"
        },
        {
            "last_affected": "2.4.20"
        },
        {
            "last_affected": "2.4.21"
        },
        {
            "last_affected": "2.4.22"
        },
        {
            "last_affected": "2.4.23"
        }
    ],
    "cpe": [
        "cpe:2.3:a:apache:http_server:2.4.17:*:*:*:*:*:*:*",
        "cpe:2.3:a:apache:http_server:2.4.18:*:*:*:*:*:*:*",
        "cpe:2.3:a:apache:http_server:2.4.19:*:*:*:*:*:*:*",
        "cpe:2.3:a:apache:http_server:2.4.20:*:*:*:*:*:*:*",
        "cpe:2.3:a:apache:http_server:2.4.21:*:*:*:*:*:*:*",
        "cpe:2.3:a:apache:http_server:2.4.22:*:*:*:*:*:*:*",
        "cpe:2.3:a:apache:http_server:2.4.23:*:*:*:*:*:*:*"
    ]
}

Affected versions

2.*
2.4.17
2.4.18
2.4.19
2.4.20
2.4.21
2.4.22
2.4.23

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-8740.json"