Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

References
Link Providers
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00003.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00005.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00014.html cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2692 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2745 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2746 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2775 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2799 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2925 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2939 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2949 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2955 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2966 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:3041 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:3932 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:3933 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:3935 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:4018 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:4019 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:4020 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:4021 cve-icon cve-icon
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md cve-icon cve-icon cve-icon
https://kb.cert.org/vuls/id/605641/ cve-icon cve-icon cve-icon
https://kc.mcafee.com/corporate/index?page=content&id=SB10296 cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JUBYAF6ED3O4XCHQ5C2HYENJLXYXZC4M/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZLUYPYY3RX4ZJDWZRJIKSULYRJ4PXW7/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/POPAEC4FWL4UU4LDEGPY5NPALU24FFQD/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/ cve-icon cve-icon
https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/ cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2019-9511 cve-icon
https://seclists.org/bugtraq/2019/Aug/40 cve-icon cve-icon
https://seclists.org/bugtraq/2019/Sep/1 cve-icon cve-icon
https://security.netapp.com/advisory/ntap-20190823-0002/ cve-icon cve-icon
https://security.netapp.com/advisory/ntap-20190823-0005/ cve-icon cve-icon
https://support.f5.com/csp/article/K02591030 cve-icon cve-icon
https://support.f5.com/csp/article/K02591030?utm_source=f5support&amp%3Butm_medium=RSS cve-icon cve-icon
https://usn.ubuntu.com/4099-1/ cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2019-9511 cve-icon
https://www.debian.org/security/2019/dsa-4505 cve-icon cve-icon
https://www.debian.org/security/2019/dsa-4511 cve-icon cve-icon
https://www.debian.org/security/2020/dsa-4669 cve-icon cve-icon
https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/ cve-icon
https://www.oracle.com/security-alerts/cpujan2021.html cve-icon cve-icon
https://www.oracle.com/security-alerts/cpuoct2020.html cve-icon cve-icon
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html cve-icon cve-icon
https://www.synology.com/security/advisory/Synology_SA_19_33 cve-icon cve-icon
History

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.13948}

epss

{'score': 0.14268}


Tue, 14 Jan 2025 19:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:synology:diskstation_manager:6.2:*:*:*:*:*:*:* cpe:2.3:o:synology:diskstation_manager:6.2:*:*:*:*:*:*:*

Mon, 26 Aug 2024 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat jboss Enterprise Application Platform Eus
CPEs cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7
Vendors & Products Redhat jboss Enterprise Application Platform Eus

cve-icon MITRE

Status: PUBLISHED

Assigner: certcc

Published:

Updated: 2024-08-04T21:54:44.157Z

Reserved: 2019-03-01T00:00:00

Link: CVE-2019-9511

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2019-08-13T21:15:12.223

Modified: 2025-01-14T19:29:55.853

Link: CVE-2019-9511

cve-icon Redhat

Severity : Important

Publid Date: 2019-08-13T00:00:00Z

Links: CVE-2019-9511 - Bugzilla

cve-icon OpenCVE Enrichment

No data.