Search CVE reports
1 – 10 of 11 results
CVE-2024-28182
Medium prioritynghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep...
1 affected packages
nghttp2
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| nghttp2 | Fixed | Fixed | Fixed | Fixed | Fixed |
CVE-2023-44487
High prioritySome fixes available 24 of 78
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
26 affected packages
dotnet6, dotnet7, dotnet8, golang, golang-1.10...
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| dotnet6 | Not in release | Fixed | Not in release | Not in release | Not in release |
| dotnet7 | Not in release | Fixed | Not in release | Not in release | Not in release |
| dotnet8 | Fixed | Not affected | Not in release | Not in release | Not in release |
| golang | Not in release | Not in release | Not in release | Not in release | Not in release |
| golang-1.10 | Not in release | Not in release | Not in release | Needs evaluation | Needs evaluation |
| golang-1.13 | Not in release | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| golang-1.14 | Not in release | Not in release | Needs evaluation | Not in release | Not in release |
| golang-1.16 | Not in release | Not in release | Needs evaluation | Needs evaluation | Not in release |
| golang-1.17 | Not in release | Needs evaluation | Not in release | Not in release | Not in release |
| golang-1.18 | Not in release | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| golang-1.19 | Not in release | Not in release | Not in release | Not in release | Not in release |
| golang-1.20 | Not in release | Fixed | Fixed | Not in release | Not in release |
| golang-1.21 | Not affected | Fixed | Fixed | Not in release | Not in release |
| golang-1.6 | Not in release | Not in release | Not in release | Not in release | Needs evaluation |
| golang-1.8 | Not in release | Not in release | Not in release | Needs evaluation | Not in release |
| golang-1.9 | Not in release | Not in release | Not in release | Needs evaluation | Not in release |
| h2o | Not affected | Needs evaluation | Needs evaluation | Needs evaluation | Not in release |
| haproxy | Not affected | Not affected | Not affected | Needs evaluation | Not affected |
| netty | Not affected | Fixed | Fixed | Not affected | Not affected |
| nghttp2 | Not affected | Fixed | Fixed | Fixed | Fixed |
| nginx | Not affected | Not affected | Not affected | Not affected | Not affected |
| nodejs | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| tomcat10 | Needs evaluation | Not in release | Not in release | Ignored | Ignored |
| tomcat8 | Not in release | Not in release | Not in release | Needs evaluation | Needs evaluation |
| tomcat9 | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Ignored |
| trafficserver | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
CVE-2022-0326
Low priorityNULL Pointer Dereference in Homebrew mruby prior to 3.2.
5 affected packages
cargo, groonga, h2o, mruby, nghttp2
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| cargo | Not in release | Not affected | Not affected | Not affected | Not affected |
| groonga | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| h2o | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Ignored |
| mruby | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| nghttp2 | Not affected | Not affected | Not affected | Not affected | Not affected |
CVE-2022-0240
Low prioritymruby is vulnerable to NULL Pointer Dereference
5 affected packages
cargo, groonga, h2o, mruby, nghttp2
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| cargo | Not in release | Not affected | Not affected | Not affected | Not affected |
| groonga | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| h2o | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Ignored |
| mruby | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| nghttp2 | Not affected | Not affected | Not affected | Not affected | Not affected |
CVE-2020-11080
Medium prioritySome fixes available 3 of 9
In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400...
2 affected packages
nghttp2, nodejs
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| nghttp2 | Not affected | Not affected | Fixed | Fixed | Fixed |
| nodejs | Needs evaluation | Not affected | Not affected | Not affected | Not affected |
CVE-2016-1544
Unknown prioritynghttp2 before 1.7.1 allows remote attackers to cause a denial of service (memory exhaustion).
1 affected packages
nghttp2
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| nghttp2 | — | — | — | — | Not affected |
CVE-2019-9513
Medium prioritySome fixes available 15 of 25
Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes...
3 affected packages
nghttp2, nginx, nodejs
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| nghttp2 | Not affected | Not affected | Not affected | Fixed | Fixed |
| nginx | Fixed | Fixed | Fixed | Fixed | Fixed |
| nodejs | Not affected | Not affected | Not affected | Ignored | Ignored |
CVE-2019-9511
Medium prioritySome fixes available 15 of 25
Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over...
3 affected packages
nghttp2, nginx, nodejs
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| nghttp2 | Not affected | Not affected | Not affected | Fixed | Fixed |
| nginx | Fixed | Fixed | Fixed | Fixed | Fixed |
| nodejs | Not affected | Not affected | Not affected | Ignored | Ignored |
CVE-2018-1000168
Medium prioritySome fixes available 1 of 2
nghttp2 version >= 1.10.0 and nghttp2 <= v1.31.0 contains an Improper Input Validation CWE-20 vulnerability in ALTSVC frame handling that can result in segmentation fault leading to denial of service. This attack appears to...
1 affected packages
nghttp2
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| nghttp2 | — | — | — | Fixed | Not affected |
CVE-2017-2428
Medium priorityAn issue was discovered in certain Apple products. iOS before 10.3 is affected. macOS before 10.12.4 is affected. tvOS before 10.2 is affected. watchOS before 3.2 is affected. The issue involves nghttp2 before 1.17.0 in the...
1 affected packages
nghttp2
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| nghttp2 | — | — | — | — | Not affected |