CVE-2018-11763

Summary

In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache HTTP Server2.4.17 to 2.4.34affected

Weaknesses

  • mod_http2, DoS via continuous SETTINGS frames

ADP Enrichment

CVE Program Container

Additional References

References