CVE-2020-9494

Published: Jun 24, 2020Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.10, and 8.0.0 to 8.0.7 is vulnerable to certain types of HTTP/2 HEADERS frames that can cause the server to allocate a large amount of memory and spin the thread.

Affected (4)

Products: Apache: Traffic Server · Debian: Debian Linux

1 product

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Apache Traffic Server	From 6.0.0 to 6.2.3
Apache Traffic Server	From 7.0.0 to 7.1.10
Apache Traffic Server	From 8.0.0 to 8.0.7

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0

Related CWEs

CWE-770

Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

References (6)

http://www.openwall.com/lists/oss-security/2021/03/01/2

Source: security@apache.org

Not Applicable

https://lists.apache.org/thread.html/rf7f86917f42fdaf904d99560cba0c016e03baea6244c47efeb60ecbe%40%3Cdev.trafficserver.apache.org%3E

Source: security@apache.org

Mailing ListVendor Advisory

https://www.debian.org/security/2020/dsa-4710

Source: security@apache.org

Third Party Advisory

http://www.openwall.com/lists/oss-security/2021/03/01/2

Source: af854a3a-2127-422b-91ae-364da2661108

Not Applicable

https://lists.apache.org/thread.html/rf7f86917f42fdaf904d99560cba0c016e03baea6244c47efeb60ecbe%40%3Cdev.trafficserver.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListVendor Advisory

https://www.debian.org/security/2020/dsa-4710

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.