logo

Database

Asymmetric denial of service In twisted

Description

HTTP/2 DoS Attacks: Ping, Reset, and Settings Floods

Impact

Twisted web servers that utilize the optional HTTP/2 support suffer from the following flow-control related vulnerabilities:

Ping flood: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512 Reset flood: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514 Settings flood: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9515

A Twisted web server supports HTTP/2 requests if you've installed the http2 optional dependency set.

Workarounds

There are no workarounds.

References

https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md

For more information

If you have any questions or comments about this advisory:

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. GHSA-32gv-6cf3-wcmq2. GCVE-GHSA-32gv-6cf3-wcmq

References

1. https://github.com/twisted/twisted/security/advisories/GHSA-32gv-6cf3-wcmq2. https://github.com/twisted/twisted/commit/a40ab1ce5210f231abe7a448a54d7e88e48f2d5d

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.