Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

References
Link Providers
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00003.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00005.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00014.html cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2692 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2745 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2746 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2775 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2799 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2925 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2939 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2949 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2955 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2966 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:3041 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:3932 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:3933 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:3935 cve-icon cve-icon
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md cve-icon cve-icon cve-icon
https://kb.cert.org/vuls/id/605641/ cve-icon cve-icon
https://kc.mcafee.com/corporate/index?page=content&id=SB10296 cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JUBYAF6ED3O4XCHQ5C2HYENJLXYXZC4M/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZLUYPYY3RX4ZJDWZRJIKSULYRJ4PXW7/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/POPAEC4FWL4UU4LDEGPY5NPALU24FFQD/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/ cve-icon cve-icon
https://nghttp2.org/blog/2019/08/19/nghttp2-v1-39-2/ cve-icon
https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/ cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2019-9513 cve-icon
https://seclists.org/bugtraq/2019/Aug/40 cve-icon cve-icon
https://seclists.org/bugtraq/2019/Sep/1 cve-icon cve-icon
https://security.netapp.com/advisory/ntap-20190823-0002/ cve-icon cve-icon
https://security.netapp.com/advisory/ntap-20190823-0005/ cve-icon cve-icon
https://support.f5.com/csp/article/K02591030 cve-icon cve-icon
https://support.f5.com/csp/article/K02591030?utm_source=f5support&amp%3Butm_medium=RSS cve-icon cve-icon
https://usn.ubuntu.com/4099-1/ cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2019-9513 cve-icon
https://www.debian.org/security/2019/dsa-4505 cve-icon cve-icon
https://www.debian.org/security/2019/dsa-4511 cve-icon cve-icon
https://www.debian.org/security/2020/dsa-4669 cve-icon cve-icon
https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/ cve-icon
https://www.oracle.com/security-alerts/cpujan2021.html cve-icon cve-icon
https://www.oracle.com/security-alerts/cpuoct2020.html cve-icon cve-icon
https://www.synology.com/security/advisory/Synology_SA_19_33 cve-icon cve-icon
History

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.04357}

epss

{'score': 0.04471}


Tue, 14 Jan 2025 19:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:synology:diskstation_manager:6.2:*:*:*:*:*:*:* cpe:2.3:o:synology:diskstation_manager:6.2:*:*:*:*:*:*:*

cve-icon MITRE

Status: PUBLISHED

Assigner: certcc

Published:

Updated: 2024-08-04T21:54:44.842Z

Reserved: 2019-03-01T00:00:00

Link: CVE-2019-9513

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2019-08-13T21:15:12.380

Modified: 2025-01-14T19:29:55.853

Link: CVE-2019-9513

cve-icon Redhat

Severity : Important

Publid Date: 2019-08-13T17:00:00Z

Links: CVE-2019-9513 - Bugzilla

cve-icon OpenCVE Enrichment

No data.