CVE-2024-31309 — HIGH (7.5)

Q: How severe is CVE-2024-31309?

CVE-2024-31309 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2024-31309?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Traffic Server, Debian Debian Linux, Fedoraproject Fedora.

Vulnerability Description

HTTP/2 CONTINUATION DoS attack can cause Apache Traffic Server to consume more resources on the server. Version from 8.0.0 through 8.1.9, from 9.0.0 through 9.2.3 are affected. Users can set a new setting (proxy.config.http2.max_continuation_frames_per_minute) to limit the number of CONTINUATION frames per minute. ATS does have a fixed amount of memory a request can use and ATS adheres to these limits in previous releases. Users are recommended to upgrade to versions 8.1.10 or 9.2.4 which fixes the issue.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Apache	Traffic Server	>= 8.0.0, < 8.1.10
Debian	Debian Linux	10.0
Fedoraproject	Fedora	38

Related Weaknesses (CWE)

CWE-20

References

http://www.openwall.com/lists/oss-security/2024/04/03/16Mailing List
http://www.openwall.com/lists/oss-security/2024/04/10/7Mailing List
https://lists.apache.org/thread/f9qh3g3jvy153wh82pz4onrfj1wh13kcMailing ListVendor Advisory
https://lists.debian.org/debian-lts-announce/2024/04/msg00021.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]Third Party Advisory
http://www.openwall.com/lists/oss-security/2024/04/03/16Mailing List
http://www.openwall.com/lists/oss-security/2024/04/10/7Mailing List
https://lists.apache.org/thread/f9qh3g3jvy153wh82pz4onrfj1wh13kcMailing ListVendor Advisory
https://lists.debian.org/debian-lts-announce/2024/04/msg00021.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]Third Party Advisory
https://www.kb.cert.org/vuls/id/421644

FAQ

What is CVE-2024-31309?

CVE-2024-31309 is a vulnerability with a CVSS score of 7.5 (HIGH). HTTP/2 CONTINUATION DoS attack can cause Apache Traffic Server to consume more resources on the server. Version from 8.0.0 through 8.1.9, from 9.0.0 through 9.2.3 are affected. Users can set a new s...

How severe is CVE-2024-31309?

CVE-2024-31309 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-31309?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Traffic Server, Debian Debian Linux, Fedoraproject Fedora.