---

CVE-2019-9516 - log back

CVE-2019-9516 created at 25 Sep 2019 19:31:40
Severity	+ Medium
Remote	+ Remote
Type	+ Denial of service
Description	+ An issue has been found in several HTTP/2 implementations, where the attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory, potentially leading to a denial of service.
References	+ https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md + https://github.com/nginx/nginx/commit/6dfbc8b1c2116f362bb871efebbf9df576738e89
Notes