CVE-2019-9511

Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

References

Affected packages

Git / github.com/nginx/nginx

Affected ranges

Type: GIT
Repo: https://github.com/nginx/nginx
Events: Introduced

658813c43b9c930c8fad2cd04600d1aba2ef031b

Fixed

9334b482677844dc7f0bdfc82b717dc70912e62c

Type: GIT
Repo: https://github.com/nodejs/node
Events: Introduced

f6fc46e03674ab1896792b7363ecac0665b5e0c5

Fixed

eb66efd6052801e2f10360c51787569da0185808

Affected versions

release-1.*

release-1.11.0

release-1.11.1

release-1.11.10

release-1.11.11

release-1.11.12

release-1.11.13

release-1.11.2

release-1.11.3

release-1.11.4

release-1.11.5

release-1.11.6

release-1.11.7

release-1.11.8

release-1.11.9

release-1.13.0

release-1.13.1

release-1.13.10

release-1.13.11

release-1.13.12

release-1.13.2

release-1.13.3

release-1.13.4

release-1.13.5

release-1.13.6

release-1.13.7

release-1.13.8

release-1.13.9

release-1.15.0

release-1.15.1

release-1.15.10

release-1.15.11

release-1.15.12

release-1.15.2

release-1.15.3

release-1.15.4

release-1.15.5

release-1.15.6

release-1.15.7

release-1.15.8

release-1.15.9

release-1.16.0

release-1.9.10

release-1.9.11

release-1.9.12

release-1.9.13

release-1.9.14

release-1.9.15

release-1.9.5

release-1.9.6

release-1.9.7

release-1.9.8

release-1.9.9

v8.*

v8.1.0

v8.1.1

v8.1.2

v8.1.3

v8.1.4