Severity: moderate

Affected versions:

- Apache HTTP Server 2.4.17 through 2.4.58

Description:

HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 
in order to generate an informative HTTP 413 response. If a client does not 
stop sending headers, this leads to memory exhaustion.

Credit:

Bartek Nowotarski (https://nowotarski.info/)  (finder)

References:

https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-27316

Timeline:

2024-02-22: Reported to security team

Reply via email to