CVE-2018-17189

In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 (mod_http2) connections.

Published: Jan 30, 2019
Updated: Apr 13, 2023
CVE: CVE-2018-17189
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.3
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:N/A:P

CWEs:

CWE-400

Affected Software
References

Software	From	Fixed in
apache / http_server	2.4.20	2.4.20.x
apache / http_server	2.4.23	2.4.23.x
apache / http_server	2.4.25	2.4.25.x
apache / http_server	2.4.26	2.4.26.x
apache / http_server	2.4.18	2.4.18.x
apache / http_server	2.4.17	2.4.17.x
apache / http_server	2.4.27	2.4.27.x
apache / http_server	2.4.29	2.4.29.x
apache / http_server	2.4.28	2.4.28.x
apache / http_server	2.4.33	2.4.33.x
apache / http_server	2.4.37	2.4.37.x
apache / http_server	2.4.30	2.4.30.x
apache / http_server	2.4.34	2.4.34.x
apache / http_server	2.4.35	2.4.35.x
fedoraproject / fedora	28	28.x
fedoraproject / fedora	29	29.x
debian / debian_linux	9.0	9.0.x
oracle / retail_xstore_point_of_service	7.1	7.1.x
oracle / retail_xstore_point_of_service	7.0	7.0.x
oracle / hospitality_guest_access	4.2.0	4.2.0.x
oracle / hospitality_guest_access	4.2.1	4.2.1.x
oracle / enterprise_manager_ops_center	12.3.3	12.3.3.x
oracle / instantis_enterprisetrack	17.1	17.1.x
oracle / instantis_enterprisetrack	17.2	17.2.x
oracle / instantis_enterprisetrack	17.3	17.3.x
oracle / sun_zfs_storage_appliance_kit	8.8.6	8.8.6.x
canonical / ubuntu_linux	18.04	18.04.x
canonical / ubuntu_linux	18.10	18.10.x
canonical / ubuntu_linux	14.04	14.04.x
canonical / ubuntu_linux	16.04	16.04.x
redhat / jboss_core_services	1.0	1.0.x

Vulnerability Database

289,599

CVE-2018-17189