CVE-2019-10079
First published: Tue Oct 22 2019(Updated: )
Apache Traffic Server is vulnerable to HTTP/2 setting flood attacks. Earlier versions of Apache Traffic Server didn't limit the number of setting frames sent from the client using the HTTP/2 protocol. Users should upgrade to Apache Traffic Server 7.1.7, 8.0.4, or later versions.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Traffic Server | <7.1.7 | |
| Apache Traffic Server | >=8.0.0<8.0.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04@%3Cusers.trafficserver.apache.org%3E
- https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19@%3Cannounce.trafficserver.apache.org%3E
- https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7@%3Cdev.trafficserver.apache.org%3E
Frequently Asked Questions
What is the vulnerability ID for this Apache Traffic Server vulnerability?
The vulnerability ID for this Apache Traffic Server vulnerability is CVE-2019-10079.
What is the severity rating for CVE-2019-10079?
CVE-2019-10079 has a severity rating of 7.5 (high).
What is the description of CVE-2019-10079?
CVE-2019-10079 is a vulnerability in Apache Traffic Server that allows HTTP/2 setting flood attacks due to an unlimited number of setting frames sent from the client using the HTTP/2 protocol.
Which versions of Apache Traffic Server are affected by CVE-2019-10079?
Apache Traffic Server versions up to 7.1.7 and versions between 8.0.0 and 8.0.4 are affected by CVE-2019-10079.
How can I mitigate CVE-2019-10079?
To mitigate CVE-2019-10079, users should upgrade to Apache Traffic Server 7.1.7, 8.0.4, or later versions.
- collector/nvd-index
- vendor/apache
- canonical/apache traffic server
- version/apache traffic server/8.0.0