CVE-2019-9517 -- apache2ID: oval:org.secpod.oval:def:58065 | Date: (C)2019-10-11 (M)2023-12-07 |
Class: VULNERABILITY | Family: unix |
This opens the HTTP/2 window so the server can send without constraint; however, it leaves the TCP window closed so the server cannot actually write (many of) the bytes on the wire. The client could then send a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both, potentially leading to a Denial-of-Service. Also known as "HTTP2 Internal Data Buffering / Queue Filler".