Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS0zMmd2LTZjZjMtd2Ntcc0ymQ

HTTP/2 DoS Attacks: Ping, Reset, and Settings Floods

Impact

Twisted web servers that utilize the optional HTTP/2 support suffer from the following flow-control related vulnerabilities:

Ping flood: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512
Reset flood: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514
Settings flood: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9515

A Twisted web server supports HTTP/2 requests if you've installed the http2 optional dependency set.

Workarounds

There are no workarounds.

References

https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md

For more information

If you have any questions or comments about this advisory:

• Open an issue in Twisted's Trac

Permalink: https://github.com/advisories/GHSA-32gv-6cf3-wcmq
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zMmd2LTZjZjMtd2Ntcc0ymQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 2 years ago
Updated: 8 months ago

Identifiers: GHSA-32gv-6cf3-wcmq
References:

• https://github.com/twisted/twisted/security/advisories/GHSA-32gv-6cf3-wcmq
• https://github.com/twisted/twisted/commit/a40ab1ce5210f231abe7a448a54d7e88e48f2d5d
• https://github.com/advisories/GHSA-32gv-6cf3-wcmq

Repository: https://github.com/twisted/twisted
Blast Radius: 0.0

Affected Packages