Early Access — Mondoo Vulnerability Intelligence is currently in preview.

UBUNTU-CVE-2019-9513

HIGH7.5

Published Aug 13, 2019

Modified 7 months ago

Fix available

Details

Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.

Affected Packages

Ubuntu:Pro:16.04:LTSnghttp2

Affected versions:

0.6.7-11.3.4-21.4.0-11.4.0-21.5.0-21.6.0-11.7.0-11.7.1-11.7.1-1ubuntu0.1~esm1

Fixed in:

1.7.1-1ubuntu0.1~esm2

Ubuntu:Pro:18.04:LTSnghttp2

Affected versions:

1.25.0-11.27.0-11.28.0-11.29.0-11.29.0-1build11.30.0-11.30.0-1ubuntu11.30.0-1ubuntu1+esm1

Fixed in:

1.30.0-1ubuntu1+esm2

Ubuntu:20.04:LTSnghttp2

Fixed in:

1.39.2-1

Ubuntu:16.04:LTSnginx

Affected versions:

1.10.0-0ubuntu0.16.04.11.10.0-0ubuntu0.16.04.21.10.0-0ubuntu0.16.04.31.10.0-0ubuntu0.16.04.41.10.3-0ubuntu0.16.04.11.10.3-0ubuntu0.16.04.21.10.3-0ubuntu0.16.04.31.9.10-0ubuntu11.9.10-1ubuntu11.9.11-0ubuntu1+10 more

Fixed in:

1.10.3-0ubuntu0.16.04.4

Ubuntu:18.04:LTSnginx

Affected versions:

1.12.1-0ubuntu21.13.10-1ubuntu11.13.12-0ubuntu11.13.6-2ubuntu11.13.6-2ubuntu21.14.0-0ubuntu11.14.0-0ubuntu1.11.14.0-0ubuntu1.21.14.0-0ubuntu1.3

Fixed in:

1.14.0-0ubuntu1.4

Ubuntu:Pro:14.04:LTSnodejs

Affected versions:

0.10.15~dfsg1-40.10.21~dfsg1-10.10.22~dfsg1-20.10.23~dfsg1-10.10.23~dfsg1-20.10.23~dfsg1-30.10.24~dfsg1-10.10.25~dfsg2-20.10.25~dfsg2-2ubuntu10.10.25~dfsg2-2ubuntu1.2+2 more

Ubuntu:Pro:16.04:LTSnodejs

Affected versions:

0.10.25~dfsg2-2ubuntu14.2.2~dfsg-14.2.3~dfsg-14.2.4~dfsg-1ubuntu14.2.4~dfsg-24.2.6~dfsg-1ubuntu14.2.6~dfsg-1ubuntu44.2.6~dfsg-1ubuntu4.14.2.6~dfsg-1ubuntu4.24.2.6~dfsg-1ubuntu4.2+esm1+2 more

Ubuntu:Pro:18.04:LTSnodejs

Affected versions:

6.11.4~dfsg-1ubuntu16.11.4~dfsg-1ubuntu26.12.0~dfsg-1ubuntu16.12.0~dfsg-2ubuntu16.12.0~dfsg-2ubuntu28.10.0~dfsg-28.10.0~dfsg-2ubuntu0.28.10.0~dfsg-2ubuntu0.38.10.0~dfsg-2ubuntu0.48.10.0~dfsg-2ubuntu0.4+esm1+5 more

Ubuntu:20.04:LTSnodejs

Affected versions:

10.15.2~dfsg-2ubuntu110.17.0~dfsg-2ubuntu410.17.0~dfsg-2ubuntu6

Fixed in:

10.19.0~dfsg-3ubuntu1

Ubuntu:22.04:LTSnodejs

Affected versions:

12.22.5~dfsg-5ubuntu112.22.7~dfsg-2ubuntu112.22.7~dfsg-2ubuntu312.22.9~dfsg-1ubuntu2

Fixed in:

12.22.9~dfsg-1ubuntu3

Ubuntu:24.04:LTSnodejs

Fixed in:

18.13.0+dfsg1-1ubuntu2

Ubuntu:14.04:LTSnodejs

Affected versions:

0.10.15~dfsg1-40.10.21~dfsg1-10.10.22~dfsg1-20.10.23~dfsg1-10.10.23~dfsg1-20.10.23~dfsg1-30.10.24~dfsg1-10.10.25~dfsg2-20.10.25~dfsg2-2ubuntu10.10.25~dfsg2-2ubuntu1.2+2 more

References

REPORThttps://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md REPORThttps://github.com/nodejs/node/pull/29133 REPORThttps://github.com/nodejs/node/pull/29148 REPORThttps://github.com/nodejs/node/pull/29152 REPORThttps://ubuntu.com/security/CVE-2019-9513 REPORThttps://ubuntu.com/security/notices/USN-4099-1 REPORThttps://ubuntu.com/security/notices/USN-6754-1 REPORThttps://www.cve.org/CVERecord?id=CVE-2019-9513

CVSS Analysis

CVSS v3.0

7.5

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

UnchangedS:U

Impact

Confidentiality

NoneC:N

Integrity

NoneI:N

Availability

HighA:H

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2019-9513 USN-4099-1 USN-6754-1

Ecosystems

Ubuntu Pro 16.04 LTS Ubuntu Pro 18.04 LTS Ubuntu 20.04 LTS Ubuntu 16.04 LTS Ubuntu 18.04 LTS Ubuntu Pro 14.04 LTS Ubuntu 22.04 LTS Ubuntu 24.04 LTS Ubuntu 14.04 LTS

Timeline

PublishedAug 13, 2019

ModifiedJun 2, 2025

UBUNTU-CVE-2019-9513 | Mondoo Vulnerability Intelligence

UBUNTU-CVE-2019-9513

Details

Affected Packages

References

CVSS Analysis

Related

Ecosystems

Timeline