CVE-2019-0197

A vulnerability was found in Apache HTTP Server 2.4.34 to 2.4.38. When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2 on a https: host, an Upgrade request from http/1.1 to http/2 that was not the first request on a connection could lead to a misconfiguration and crash. Server that never enabled the h2 protocol or that only enabled it for https: and did not set "H2Upgrade on" are unaffected by this issue.

Published: Jun 12, 2019
Updated: Apr 13, 2023
CVE: CVE-2019-0197
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.2
AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L

CVSS v2:

Severity: Low
Score: 4.9
AV:N/AC:M/Au:S/C:N/I:P/A:P

CWEs:

CWE-444

Affected Software
References

Software	From	Fixed in
apache / http_server	2.4.34	2.4.38.x
canonical / ubuntu_linux	18.04	18.04.x
canonical / ubuntu_linux	19.04	19.04.x
canonical / ubuntu_linux	16.04	16.04.x
fedoraproject / fedora	30	30.x
opensuse / leap	42.3	42.3.x
opensuse / leap	15.0	15.0.x
redhat / jboss_core_services	1.0	1.0.x
oracle / retail_xstore_point_of_service	7.1	7.1.x
oracle / retail_xstore_point_of_service	7.0	7.0.x
oracle / http_server	12.2.1.3.0	12.2.1.3.0.x
oracle / enterprise_manager_ops_center	12.3.3	12.3.3.x
oracle / instantis_enterprisetrack	17.1	17.1.x
oracle / instantis_enterprisetrack	17.2	17.2.x
oracle / instantis_enterprisetrack	17.3	17.3.x
oracle / enterprise_manager_ops_center	12.4.0	12.4.0.x
oracle / communications_session_report_manager	8.1.1	8.1.1.x
oracle / communications_session_report_manager	8.2.0	8.2.0.x
oracle / communications_session_route_manager	8.1.1	8.1.1.x
oracle / communications_session_route_manager	8.2.0	8.2.0.x
oracle / communications_session_route_manager	8.0.0	8.0.0.x
oracle / communications_session_route_manager	8.1.0	8.1.0.x
oracle / communications_session_report_manager	8.0.0	8.0.0.x
oracle / communications_session_report_manager	8.1.0	8.1.0.x

Vulnerability Database

289,599

CVE-2019-0197