Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames

Medium
Internet Bug Bounty

Team Summary

Official summary from Internet Bug Bounty

Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames (CVE-2024-27316)

Severity: Moderate

HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.

Acknowledgements: finder: Bartek Nowotarski (https://nowotarski.info/)

Full Security Advisory: https://httpd.apache.org/security/vulnerabilities_24.html

Reported by bart

Vulnerability Details

Technical details and impact analysis

Uncontrolled Resource Consumption
I'd like to report an Apache httpd vulnerability (CVE-2024-27316) that was recently fixed.

* Advisory: https://httpd.apache.org/security/vulnerabilities_24.html

Impact

HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.

Related CVEs

Associated Common Vulnerabilities and Exposures

CVE-2024-27316

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Bounty

$2580.00

Weakness

Uncontrolled Resource Consumption