HTTP/2 Implementation Vulnerability in nginx by F5 Networks
CVE-2018-16844

5.3MEDIUM

Key Information:

Vendor

[unknown]

Status
Nginx
Vendor
CVE Published:
7 November 2018

What is CVE-2018-16844?

A vulnerability exists in the HTTP/2 implementation of nginx, which may lead to excessive CPU usage under certain configurations. Specifically, this issue arises when the 'http2' option is enabled in the 'listen' directive, impacting performances for services dependent on this feature. Affected versions include any build of nginx prior to the 1.15.6 and 1.14.1 releases where ngx_http_v2_module is in use. It is critical for users to review their configurations and update to the latest nginx versions to mitigate the risk of potential service disruptions. For further information, consult related advisories and documentation.

Affected Version(s)

nginx 1.15.6

nginx 1.14.1

References

https://www.debian.org/security/2018/dsa-4335
vendor-advisoryx_refsource_DEBIAN
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16844
x_refsource_CONFIRM
https://access.redhat.com/errata/RHSA-2018:3680
vendor-advisoryx_refsource_REDHAT

EPSS Score

10% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

CVSS V3.0

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.