oss-sec mailing list archives
CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames
From: Eric Covener <covener () apache org>
Date: Thu, 04 Apr 2024 13:56:54 +0000
Severity: moderate Affected versions: - Apache HTTP Server 2.4.17 through 2.4.58 Description: HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion. Credit: Bartek Nowotarski (https://nowotarski.info/) (finder) References: https://httpd.apache.org/ https://www.cve.org/CVERecord?id=CVE-2024-27316 Timeline: 2024-02-22: Reported to security team
Current thread:
- CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames Eric Covener (Apr 04)