Vulnerability in Apache Software Foundation Http Server
CVE-2018-11763
In Apache HTTP Server 2.4.17 to 2.4.34, a client that sends continuous, large SETTINGS frames can occupy a connection, a server thread and CPU time without any connection timeout taking effect. This affects only HTTP/2 connections. A poss…
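The description above hinges on a property of HTTP/2 framing: a SETTINGS frame (RFC 7540 section 6.5) is a sequence of 6-byte identifier/value pairs on stream 0, and a receiver must ignore unknown identifiers and accept repeated ones, so a large frame stuffed with duplicates is protocol-valid and cannot be rejected as malformed. The following added example (written for this page, not code from Apache httpd or mod_http2) parses frames from a constructed byte stream and applies a per-connection budget on SETTINGS count and volume, the kind of control that catches the pattern in the advisory. The budget values and the sample traffic are assumptions chosen for illustration.

```python
import struct

# RFC 7540 framing constants
FRAME_HEADER_LEN = 9        # 24-bit length, 8-bit type, 8-bit flags, 1 reserved bit + 31-bit stream id
SETTINGS_TYPE = 0x4
SETTINGS_ACK = 0x1
SETTINGS_ENTRY_LEN = 6      # 16-bit identifier + 32-bit value per setting (RFC 7540 section 6.5.1)

# Illustrative per-connection budget. These numbers are assumptions chosen for this
# example; they are not Apache httpd's or nghttp2's actual limits.
MAX_SETTINGS_FRAMES = 10
MAX_SETTINGS_PAYLOAD = 6 * SETTINGS_ENTRY_LEN   # room for every identifier registered by RFC 7540


def build_settings_frame(entries, ack=False):
    """Serialize a SETTINGS frame on stream 0; used here only to construct sample traffic."""
    payload = b"".join(struct.pack("!HI", ident, value) for ident, value in entries)
    length = struct.pack("!I", len(payload))[1:]            # 24-bit big-endian length
    flags = SETTINGS_ACK if ack else 0
    return length + bytes([SETTINGS_TYPE, flags]) + struct.pack("!I", 0) + payload


def parse_frame(buf, offset=0):
    """Split one frame off buf at offset; returns (type, flags, stream_id, payload, next_offset)."""
    if len(buf) - offset < FRAME_HEADER_LEN:
        raise ValueError("truncated frame header")
    length = int.from_bytes(buf[offset:offset + 3], "big")
    ftype, flags = buf[offset + 3], buf[offset + 4]
    stream_id = struct.unpack("!I", buf[offset + 5:offset + 9])[0] & 0x7FFFFFFF
    start = offset + FRAME_HEADER_LEN
    payload = buf[start:start + length]
    if len(payload) != length:
        raise ValueError("truncated frame payload")
    return ftype, flags, stream_id, payload, start + length


def parse_settings_payload(payload):
    """Decode (identifier, value) pairs; a length that is not a multiple of 6 is a FRAME_SIZE_ERROR."""
    if len(payload) % SETTINGS_ENTRY_LEN:
        raise ValueError("FRAME_SIZE_ERROR: SETTINGS payload length not a multiple of 6")
    return [struct.unpack("!HI", payload[i:i + SETTINGS_ENTRY_LEN])
            for i in range(0, len(payload), SETTINGS_ENTRY_LEN)]


def audit_connection(buf):
    """Walk the frames of one connection (after the client preface) and report SETTINGS abuse.

    Syntax checks alone cannot stop the pattern in the advisory: a 6000-byte SETTINGS frame
    full of repeated, valid identifiers is well-formed and must be applied. The defence is a
    budget on how many SETTINGS frames, and how many payload bytes, one peer may send.
    """
    offset, count, volume, findings = 0, 0, 0, []
    while offset < len(buf):
        ftype, flags, stream_id, payload, offset = parse_frame(buf, offset)
        if ftype != SETTINGS_TYPE:
            continue
        if stream_id != 0:
            findings.append("PROTOCOL_ERROR: SETTINGS frame on a non-zero stream")
            continue
        if flags & SETTINGS_ACK:
            if payload:
                findings.append("FRAME_SIZE_ERROR: SETTINGS ACK carries a payload")
            continue
        parse_settings_payload(payload)            # raises on malformed frames
        count += 1
        volume += len(payload)
        if len(payload) > MAX_SETTINGS_PAYLOAD:
            findings.append(f"oversized SETTINGS frame: {len(payload)} bytes")
        if count > MAX_SETTINGS_FRAMES:
            findings.append(f"SETTINGS flood: {count} frames, {volume} payload bytes; close connection")
            break
    return {"settings_frames": count, "settings_bytes": volume, "findings": findings}


# Constructed sample traffic (not captured from a real server).
BENIGN_CONNECTION = (
    build_settings_frame([(0x3, 100), (0x4, 65535)])   # MAX_CONCURRENT_STREAMS, INITIAL_WINDOW_SIZE
    + build_settings_frame([], ack=True)
)
# Twenty frames, each 1000 repeated INITIAL_WINDOW_SIZE entries (6000 bytes, within the default
# 16384-byte SETTINGS_MAX_FRAME_SIZE), modelling the "continuous, large SETTINGS frames" pattern.
FLOOD_CONNECTION = b"".join(build_settings_frame([(0x4, 65535)] * 1000) for _ in range(20))

if __name__ == "__main__":
    print(audit_connection(BENIGN_CONNECTION))
    print(audit_connection(FLOOD_CONNECTION))
```

Running the block prints a clean verdict for the benign connection and a flood finding after the eleventh 6000-byte frame. The point of the budget is that it is enforced per connection before any per-frame work, so the cost to the server of an abusive peer is bounded by the budget rather than by the peer's patience.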
EPSS: 0.510 (98.8th percentile)
Affected products
- Apache Software Foundation Http Server — versions 2.4.17 to 2.4.34
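Two facts on this page decide whether a given host is exposed: the version must fall in 2.4.17 to 2.4.34 inclusive, and HTTP/2 must actually be offered, since only h2 connections are affected. The following added example (written for this page, not tooling from Apache or any listed repository) turns those two facts into a triage function over a Server header and an httpd configuration text. The sample header and configuration fragments are constructed inputs.

```python
import re

# Affected range from the advisory (inclusive).
AFFECTED_MIN = (2, 4, 17)
AFFECTED_MAX = (2, 4, 34)

_SERVER_RE = re.compile(r"\bApache/(\d+)\.(\d+)\.(\d+)")


def parse_apache_version(server_header):
    """Extract (major, minor, patch) from a Server header such as 'Apache/2.4.29 (Ubuntu)'.

    Returns None when the version is not disclosed (ServerTokens Prod gives a bare 'Apache').
    """
    m = _SERVER_RE.search(server_header or "")
    return tuple(int(x) for x in m.groups()) if m else None


def version_in_affected_range(version):
    return AFFECTED_MIN <= tuple(version) <= AFFECTED_MAX


def h2_enabled(httpd_conf):
    """True if an active Protocols directive offers h2 or h2c anywhere in the config text.

    Only whole-line '#' comments are honoured, matching httpd's own syntax. Serving h2 also
    requires mod_http2 to be loaded; this check is deliberately conservative and treats any
    enabled Protocols entry as exposure.
    """
    for raw in httpd_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0].lower() == "protocols" and any(p.lower() in ("h2", "h2c") for p in parts[1:]):
            return True
    return False


def triage(server_header, httpd_conf):
    """Combine the two facts the advisory gives: version range and HTTP/2-only exposure."""
    version = parse_apache_version(server_header)
    if version is None:
        return "unknown: version not disclosed; check 'httpd -v' on the host"
    if not version_in_affected_range(version):
        return "not affected: version outside 2.4.17-2.4.34"
    if not h2_enabled(httpd_conf):
        return "not reachable: version in range but h2/h2c not offered"
    return "potentially affected: in range and h2 offered; confirm the distro patch level"


# Constructed inputs (not from a real host).
SAMPLE_CONF_H2 = """
ServerName www.example.test
LoadModule http2_module modules/mod_http2.so
Protocols h2 http/1.1
"""
SAMPLE_CONF_NO_H2 = """
ServerName www.example.test
# Protocols h2 http/1.1
Protocols http/1.1
"""

if __name__ == "__main__":
    for header, conf in [("Apache/2.4.29 (Ubuntu)", SAMPLE_CONF_H2),
                         ("Apache/2.4.29 (Ubuntu)", SAMPLE_CONF_NO_H2),
                         ("Apache/2.4.35 (Unix)", SAMPLE_CONF_H2),
                         ("Apache", SAMPLE_CONF_H2)]:
        print(f"{header:28} -> {triage(header, conf)}")
```

The last verdict is deliberately "potentially affected" rather than "vulnerable": distribution builds patched through the Red Hat and Ubuntu advisories referenced below keep their upstream version string, so a header reading Apache/2.4.29 is evidence of exposure, not proof of it, and the installed package version is the final word.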
Public proof-of-concept exploits
- NeoOniX/5ATTACK
- PawanKumarPandit/Shodan-nrich
- RoseSecurity-Research/Red-Teaming-TTPs
- RoseSecurity/Red-Teaming-TTPs
- Xorlent/Red-Teaming-TTPs
- austin-lai/External-Penetration-Testing-Holo-Corporate-Network-TryHackMe-Holo-Network
- bartholomex-x/nrich
- bioly230/THM_
- retr0-13/nrich
- vshaliii/Basic-Pentesting-2-Vulnhub-Walkthrough
References
- Oracle Critical Patch Update Advisory, January 2019 (vendor confirmation): www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
- RHSA-2018:3558 (Red Hat vendor advisory)
- BID 105414 (SecurityFocus vulnerability database entry)
- HPE (vendor confirmation): support.hpe.com/hpsc/doc/public/display
- NetApp advisory NTAP-20190204-0004 (vendor confirmation): security.netapp.com/advisory/ntap-20190204-0004/
- RHSA-2019:0367 (Red Hat vendor advisory)
- USN-3783-1 (Ubuntu vendor advisory)
- Apache HTTP Server 2.4 vulnerabilities page (vendor confirmation): httpd.apache.org/security/vulnerabilities_24.html
- SecurityTracker ID 1041713 (vulnerability database entry)
- RHSA-2019:0366 (Red Hat vendor advisory)
Frequently asked questions
- What is CVE-2018-11763?
- CVE-2018-11763 is a denial-of-service vulnerability in Apache Software Foundation Http Server versions 2.4.17 to 2.4.34, reachable only over HTTP/2 connections. Published 2018-09-25.
- Is CVE-2018-11763 known to be exploited?
- 13 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.