Severity: moderate
Affected versions: - Apache HTTP Server 2.4.17 through 2.4.58 Description: HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion. Credit: Bartek Nowotarski (https://nowotarski.info/) (finder) References: https://httpd.apache.org/ https://www.cve.org/CVERecord?id=CVE-2024-27316 Timeline: 2024-02-22: Reported to security team --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org