CVE-2018-11763

In Apache HTTP Server 2.4.17 to 2.4.34, a client can keep sending continuous, large SETTINGS frames over an HTTP/2 connection and thereby occupy that connection, a server thread and CPU time indefinitely, because no connection timeout comes into effect while the frames keep arriving. Only HTTP/2 connections are affected. A possible mitigation is to not enable the h2 protocol (for a typical mod_http2 deployment that means removing h2 and h2c from the Protocols directive, or not loading the module at all).
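The pattern behind this CVE is a protocol-level one: every HTTP/2 frame has a 9-byte header (24-bit length, type, flags, 31-bit stream id), and a SETTINGS frame (type 0x4, stream 0) may carry any number of 6-byte identifier/value entries, repeated ones included, each of which the server must process and acknowledge. The following Python script is an added example, not code from this page or from the Apache project: it parses a raw client byte stream, counts the client's non-ACK SETTINGS traffic, and flags a connection that looks like the continuous-large-SETTINGS flood described above. The two sample streams are constructed here (not captured traffic), and the thresholds MAX_SETTINGS_FRAMES and MAX_SETTINGS_BYTES are assumptions for illustration, not Apache defaults.

```python
import struct

# Connection preface every HTTP/2 client sends first (RFC 7540, section 3.5).
PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
FRAME_HEADER_LEN = 9
TYPE_HEADERS = 0x1
TYPE_SETTINGS = 0x4
FLAG_ACK = 0x1
SETTING_LEN = 6                 # one setting = 16-bit identifier + 32-bit value
SETTINGS_MAX_CONCURRENT_STREAMS = 0x3
SETTINGS_MAX_FRAME_SIZE = 0x5

# Detection thresholds: assumptions chosen for this example, not Apache values.
MAX_SETTINGS_FRAMES = 20
MAX_SETTINGS_BYTES = 64 * 1024


def build_frame(ftype, flags, stream_id, payload):
    """Encode one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    header += struct.pack("!I", stream_id & 0x7FFFFFFF)
    return header + payload


def build_settings(entries, ack=False):
    """SETTINGS frame on stream 0; the spec allows any number of (repeated) entries."""
    payload = b"".join(struct.pack("!HI", ident, value) for ident, value in entries)
    return build_frame(TYPE_SETTINGS, FLAG_ACK if ack else 0, 0, payload)


def parse_frames(data):
    """Yield (type, flags, stream_id, payload) per complete frame; a trailing partial frame is ignored."""
    if data.startswith(PREFACE):
        data = data[len(PREFACE):]
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack("!I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        start = off + FRAME_HEADER_LEN
        if start + length > len(data):
            break
        yield ftype, flags, stream_id, data[start:start + length]
        off = start + length


def analyze_settings(data, max_frames=MAX_SETTINGS_FRAMES, max_bytes=MAX_SETTINGS_BYTES):
    """Count the client's non-ACK SETTINGS traffic and decide whether it looks like a flood."""
    stats = {"settings_frames": 0, "settings_bytes": 0, "settings_entries": 0,
             "malformed": 0, "other_frames": 0}
    for ftype, flags, stream_id, payload in parse_frames(data):
        if ftype != TYPE_SETTINGS or flags & FLAG_ACK:
            stats["other_frames"] += 1
            continue
        if stream_id != 0 or len(payload) % SETTING_LEN:
            # A compliant server answers this with GOAWAY (PROTOCOL_ERROR / FRAME_SIZE_ERROR).
            stats["malformed"] += 1
            continue
        stats["settings_frames"] += 1
        stats["settings_bytes"] += len(payload)
        stats["settings_entries"] += len(payload) // SETTING_LEN
    stats["flood"] = (stats["settings_frames"] > max_frames
                      or stats["settings_bytes"] > max_bytes)
    return stats


# Constructed sample streams (not captured traffic).
# A normal client: preface, one small SETTINGS, an ACK of the server's SETTINGS,
# then a HEADERS frame (END_STREAM|END_HEADERS) with static-table indexes for
# ":method GET", ":scheme http", ":path /".
BENIGN_CLIENT = (PREFACE
                 + build_settings([(SETTINGS_MAX_FRAME_SIZE, 16384),
                                   (SETTINGS_MAX_CONCURRENT_STREAMS, 100)])
                 + build_settings([], ack=True)
                 + build_frame(TYPE_HEADERS, 0x5, 1, b"\x82\x86\x84"))

# A client that never stops: 200 back-to-back SETTINGS frames, each with 1000
# repeated entries (6000 bytes, still under the 16384-byte default max frame size).
FLOOD_CLIENT = PREFACE + b"".join(
    build_settings([(SETTINGS_MAX_FRAME_SIZE, 16384)] * 1000) for _ in range(200))


if __name__ == "__main__":
    for name, stream in (("benign", BENIGN_CLIENT), ("flood", FLOOD_CLIENT)):
        print(name, analyze_settings(stream))
```

The point of counting entries as well as frames is that "large" here does not require oversized frames: a flood can stay under the negotiated SETTINGS_MAX_FRAME_SIZE and still make the server do unbounded work, because each valid entry must be applied and each frame acknowledged. The parser stops at a trailing partial frame rather than raising, so it can be run over a stream that is still in flight.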

Published : 2018-09-25 21:29 Updated : 2019-06-11 22:29

CVSS Score: 4.3 / 10
Vendor	Product	Version	URI (CPE)
Apache	Http Server	2.4.17	cpe:/a:apache:http_server:2.4.17
Apache	Http Server	2.4.18	cpe:/a:apache:http_server:2.4.18
Apache	Http Server	2.4.19	cpe:/a:apache:http_server:2.4.19
Apache	Http Server	2.4.20	cpe:/a:apache:http_server:2.4.20
Apache	Http Server	2.4.21	cpe:/a:apache:http_server:2.4.21
Apache	Http Server	2.4.22	cpe:/a:apache:http_server:2.4.22
Apache	Http Server	2.4.23	cpe:/a:apache:http_server:2.4.23
Apache	Http Server	2.4.24	cpe:/a:apache:http_server:2.4.24
Apache	Http Server	2.4.25	cpe:/a:apache:http_server:2.4.25
Apache	Http Server	2.4.26	cpe:/a:apache:http_server:2.4.26
Apache	Http Server	2.4.27	cpe:/a:apache:http_server:2.4.27
Apache	Http Server	2.4.28	cpe:/a:apache:http_server:2.4.28
Apache	Http Server	2.4.29	cpe:/a:apache:http_server:2.4.29
Apache	Http Server	2.4.30	cpe:/a:apache:http_server:2.4.30
Apache	Http Server	2.4.32	cpe:/a:apache:http_server:2.4.32
Apache	Http Server	2.4.33	cpe:/a:apache:http_server:2.4.33
Apache	Http Server	2.4.34	cpe:/a:apache:http_server:2.4.34
Canonical	Ubuntu Linux	18.04	cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~
Netapp	Storage Automation Store	-	cpe:/a:netapp:storage_automation_store:-
Oracle	Enterprise Manager Ops Center	12.3.3	cpe:/a:oracle:enterprise_manager_ops_center:12.3.3
Oracle	Hospitality Guest Access	4.2.0	cpe:/a:oracle:hospitality_guest_access:4.2.0
Oracle	Hospitality Guest Access	4.2.1	cpe:/a:oracle:hospitality_guest_access:4.2.1
Oracle	Instantis Enterprisetrack	17.1	cpe:/a:oracle:instantis_enterprisetrack:17.1
Oracle	Instantis Enterprisetrack	17.2	cpe:/a:oracle:instantis_enterprisetrack:17.2
Oracle	Instantis Enterprisetrack	17.3	cpe:/a:oracle:instantis_enterprisetrack:17.3
Oracle	Retail Xstore Point Of Service	7.0	cpe:/a:oracle:retail_xstore_point_of_service:7.0
Oracle	Retail Xstore Point Of Service	7.1	cpe:/a:oracle:retail_xstore_point_of_service:7.1
Oracle	Secure Global Desktop	5.4	cpe:/a:oracle:secure_global_desktop:5.4
Redhat	Enterprise Linux	6.0	cpe:/o:redhat:enterprise_linux:6.0
Redhat	Enterprise Linux	7.0	cpe:/o:redhat:enterprise_linux:7.0
Redhat	Enterprise Linux	7.4	cpe:/o:redhat:enterprise_linux:7.4
Redhat	Enterprise Linux	7.5	cpe:/o:redhat:enterprise_linux:7.5
Redhat	Enterprise Linux	7.6	cpe:/o:redhat:enterprise_linux:7.6

CWE

ID	Name	Description
CWE-20	Improper Input Validation	The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

History of changes

Date Event
2019-06-11 22:29
2019-04-26 16:36
2019-04-23 19:31
2019-04-22 17:48
2019-04-18 16:07
2019-02-19 11:29
2019-02-07 11:29
2019-02-05 11:29
2019-01-22 18:04
2019-01-16 19:29
2018-11-13 11:29
2018-10-04 10:29
2018-09-29 10:29
2018-09-26 10:29
2018-09-25 21:29