CVE-2024-31309

Published: Apr 10, 2024Modified: Nov 4, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

HTTP/2 CONTINUATION DoS attack can cause Apache Traffic Server to consume more resources on the server. Version from 8.0.0 through 8.1.9, from 9.0.0 through 9.2.3 are affected. Users can set a new setting (proxy.config.http2.max_continuation_frames_per_minute) to limit the number of CONTINUATION frames per minute. ATS does have a fixed amount of memory a request can use and ATS adheres to these limits in previous releases. Users are recommended to upgrade to versions 8.1.10 or 9.2.4 which fixes the issue.

Affected (6)

Products: Apache: Traffic Server · Debian: Debian Linux · Fedoraproject: Fedora

1 product

1 product

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Apache Traffic Server	From 8.0.0 to 8.1.10
Apache Traffic Server	From 9.0.0 to 9.2.4

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0

Configuration C

3 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 38
Fedoraproject Fedora	Version 39
Fedoraproject Fedora	Version 40

Related CWEs

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (15)

http://www.openwall.com/lists/oss-security/2024/04/03/16

Source: security@apache.org

Mailing List

http://www.openwall.com/lists/oss-security/2024/04/10/7

Source: security@apache.org

Mailing List

https://lists.apache.org/thread/f9qh3g3jvy153wh82pz4onrfj1wh13kc

Source: security@apache.org

Mailing ListVendor Advisory

https://lists.debian.org/debian-lts-announce/2024/04/msg00021.html

Source: security@apache.org

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PBKLPQ6ECG4PGEPRCYI3Y3OITNDEFCCV/

Source: security@apache.org

Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QV77HYM7ARSTL3B6U3IFG7PHDU65WL4I/

Source: security@apache.org

Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3XON6RM5ZKCZ6K6NB7BOTAWMJQKXJDO/

Source: security@apache.org

Third Party Advisory

http://www.openwall.com/lists/oss-security/2024/04/03/16

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing List

http://www.openwall.com/lists/oss-security/2024/04/10/7

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing List

https://lists.apache.org/thread/f9qh3g3jvy153wh82pz4onrfj1wh13kc

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListVendor Advisory

https://lists.debian.org/debian-lts-announce/2024/04/msg00021.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PBKLPQ6ECG4PGEPRCYI3Y3OITNDEFCCV/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QV77HYM7ARSTL3B6U3IFG7PHDU65WL4I/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3XON6RM5ZKCZ6K6NB7BOTAWMJQKXJDO/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.kb.cert.org/vuls/id/421644

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.