7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-9514

GHSA ID

GHSA-39qc-96h7-956f

EPSS Score

0.9151%

CWE

CWE-400

Published

5/24/2022

Updated

5/20/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-9514

CVE-2019-9514: golang.org/x/net/http vulnerable to a reset flood

Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. Servers that accept direct connections from untrusted clients could be remotely made to allocate an unlimited amount of memory, until the program crashes. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.

Specific Go Packages Affected

golang.org/x/net/http2

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-9514

GHSA ID

GHSA-39qc-96h7-956f

EPSS Score

0.9151%

CWE

CWE-400

Published

5/24/2022

Updated

5/20/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
golang.org/x/net	go	< 0.0.0-20190813141303-74dc4d7220e7	0.0.0-20190813141303-74dc4d7220e7

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis is based on the provided commit and the description of the vulnerability. The functions identified are directly related to the handling of HTTP/2 connections and streams, and the patch modifies these functions to limit the number of control frames in the send queue.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Som* *TTP/* impl*m*nt*tions *r* vuln*r**l* to * r*s*t *loo*, pot*nti*lly l***in* to * **ni*l o* s*rvi**. S*rv*rs t**t ****pt *ir**t *onn**tions *rom untrust** *li*nts *oul* ** r*mot*ly m*** to *llo**t* *n unlimit** *mount o* m*mory, until t** pro*r*m

Reasoning

T** *n*lysis is **s** on t** provi*** *ommit *n* t** **s*ription o* t** vuln*r**ility. T** *un*tions i**nti*i** *r* *ir**tly r*l*t** to t** **n*lin* o* *TTP/* *onn**tions *n* str**ms, *n* t** p*t** mo*i*i*s t**s* *un*tions to limit t** num**r o* *ont

7.5

Basic Information

Concerned about an active attack path?

CVE-2019-9514: golang.org/x/net/http vulnerable to a reset flood

Specific Go Packages Affected

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI