Vulnerability details: VCID-qvee-un4j-aaae
Vulnerability ID VCID-qvee-un4j-aaae
Aliases CVE-2016-8740
Summary The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when the Protocols configuration includes h2 or h2c, does not restrict request-header length, which allows remote attackers to cause a denial of service (memory consumption) via crafted CONTINUATION frames in an HTTP/2 request.
Status Published
Exploitability 2.0
Weighted Severity 8.0
Risk 10.0
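The mechanism in the summary, as an added Python example (not code from this page, from VulnerableCode or from the httpd project): a minimal HTTP/2 frame builder and a header-block reassembler run in two modes, the unbounded accumulation the summary describes and a variant that enforces a cumulative per-stream size limit, which is the class of bound the fix referenced on this page applies through the server's request-header limits. The 16 KiB limit, the 1024-byte chunk size and every function name are assumptions chosen for illustration; the payloads are opaque bytes standing in for an HPACK header block and no HPACK decoding is attempted.

```python
import struct

# Frame types and flags from RFC 7540; only the three needed here are defined.
HEADERS = 0x1
CONTINUATION = 0x9
END_HEADERS = 0x4

# Illustrative per-stream bound on the accumulated header block (an assumption;
# a real server derives its bound from its request-header limit directives).
MAX_HEADER_BLOCK = 16 * 1024


def frame(ftype, flags, stream_id, payload):
    """Serialize one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id, payload."""
    if len(payload) >= (1 << 24):
        raise ValueError("payload exceeds the 24-bit frame length field")
    header = struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
    return header + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload


def build_header_frames(stream_id, header_block, chunk=1024, end_headers=True):
    """Constructed client input: one HEADERS frame, then CONTINUATION frames carrying
    the rest of the block. With end_headers=False the block is never closed, which is
    what keeps an unpatched server buffering."""
    pieces = [header_block[i:i + chunk] for i in range(0, len(header_block), chunk)] or [b""]
    out = []
    for i, piece in enumerate(pieces):
        ftype = HEADERS if i == 0 else CONTINUATION
        last = i == len(pieces) - 1
        flags = END_HEADERS if (last and end_headers) else 0
        out.append(frame(ftype, flags, stream_id, piece))
    return b"".join(out)


def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for back-to-back frames in data."""
    off = 0
    while off < len(data):
        if off + 9 > len(data):
            raise ValueError("truncated frame header")
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        yield ftype, flags, stream_id, payload
        off += 9 + length


def assemble_header_block(data, limit=None):
    """Reassemble one stream's header block across HEADERS and CONTINUATION frames.

    limit=None reproduces the unpatched behaviour: every fragment is appended and kept
    until END_HEADERS arrives, however much that is. With a limit, the stream is
    rejected before a fragment that would push the total past the limit is stored.
    Returns ("ok", block), ("rejected", attempted_size) or ("incomplete", buffered_size).
    """
    buf = bytearray()
    open_stream = None
    for ftype, flags, stream_id, payload in parse_frames(data):
        if ftype == HEADERS:
            if open_stream is not None:
                raise ValueError("HEADERS while a header block is still open")
            open_stream = stream_id
        elif ftype == CONTINUATION:
            if open_stream is None or stream_id != open_stream:
                raise ValueError("CONTINUATION without a matching open HEADERS")
        else:
            raise ValueError("unexpected frame type 0x%x inside a header block" % ftype)
        if limit is not None and len(buf) + len(payload) > limit:
            return "rejected", len(buf) + len(payload)
        buf += payload
        if flags & END_HEADERS:
            return "ok", bytes(buf)
    # No END_HEADERS ever arrived: an unpatched server is left holding all of it.
    return "incomplete", len(buf)


if __name__ == "__main__":
    # Constructed flood: a 1 MiB block sent as 1024 frames that never close the block.
    flood = build_header_frames(1, b"\x00" * (1 << 20), end_headers=False)
    print(assemble_header_block(flood))                    # ('incomplete', 1048576)
    print(assemble_header_block(flood, MAX_HEADER_BLOCK))  # ('rejected', 17408)
```

The bounded mode rejects as soon as the running total would exceed the limit, so the memory held per stream never exceeds the limit plus one frame; the unbounded mode holds everything received until the peer chooses to send END_HEADERS, which is the condition the summary's "memory consumption" refers to.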
Affected and Fixed Packages
Weaknesses (3)
System Score Found at
rhas Important https://access.redhat.com/errata/RHSA-2017:1413
rhas Important https://access.redhat.com/errata/RHSA-2017:1414
rhas Important https://access.redhat.com/errata/RHSA-2017:1415
cvssv3 5.9 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-8740.json
epss 0.03742 https://api.first.org/data/v1/epss?cve=CVE-2016-8740
epss 0.04673 https://api.first.org/data/v1/epss?cve=CVE-2016-8740
epss 0.14746 https://api.first.org/data/v1/epss?cve=CVE-2016-8740
epss 0.53449 https://api.first.org/data/v1/epss?cve=CVE-2016-8740
epss 0.66741 https://api.first.org/data/v1/epss?cve=CVE-2016-8740
epss 0.71553 https://api.first.org/data/v1/epss?cve=CVE-2016-8740
rhbs low https://bugzilla.redhat.com/show_bug.cgi?id=1401528
cvssv2 4.3 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
apache_httpd low https://httpd.apache.org/security/json/CVE-2016-8740.json
cvssv2 5.0 https://nvd.nist.gov/vuln/detail/CVE-2016-8740
cvssv3 7.5 https://nvd.nist.gov/vuln/detail/CVE-2016-8740
Reference id Reference type URL
http://packetstormsecurity.com/files/140023/Apache-HTTPD-Web-Server-2.4.23-Memory-Exhaustion.html
http://rhn.redhat.com/errata/RHSA-2017-1415.html
https://access.redhat.com/errata/RHSA-2017:1161
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-8740.json
https://api.first.org/data/v1/epss?cve=CVE-2016-8740
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8740
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/apache/httpd/commit/29c63b786ae028d82405421585e91283c8fa0da3
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03725en_us
https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r04e89e873d54116a0635ef2f7061c15acc5ed27ef7500997beb65d6f@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E
https://security.gentoo.org/glsa/201701-36
https://security.netapp.com/advisory/ntap-20180423-0001/
https://support.apple.com/HT208221
https://www.exploit-db.com/exploits/40909/
https://www.tenable.com/security/tns-2017-04
http://www.securityfocus.com/bid/94650
http://www.securitytracker.com/id/1037388
1401528 https://bugzilla.redhat.com/show_bug.cgi?id=1401528
847124 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=847124
cpe:2.3:a:apache:http_server:2.4.17:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:http_server:2.4.17:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.18:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:http_server:2.4.18:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.19:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:http_server:2.4.19:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.20:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:http_server:2.4.20:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.21:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:http_server:2.4.21:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.22:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:http_server:2.4.22:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.23:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:http_server:2.4.23:*:*:*:*:*:*:*
CVE-2016-8740 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/linux/dos/40909.py
CVE-2016-8740 https://httpd.apache.org/security/json/CVE-2016-8740.json
CVE-2016-8740 https://nvd.nist.gov/vuln/detail/CVE-2016-8740
RHSA-2017:1413 https://access.redhat.com/errata/RHSA-2017:1413
RHSA-2017:1414 https://access.redhat.com/errata/RHSA-2017:1414
RHSA-2017:1415 https://access.redhat.com/errata/RHSA-2017:1415
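The two conditions the summary and the CPE list put on exposure (an httpd version from 2.4.17 through 2.4.23, and a Protocols directive that includes h2 or h2c) turned into a screening check, as an added Python example that is not from this page, from VulnerableCode or from the httpd project. Everything it parses is constructed for illustration: the `httpd -v` output, the httpd.conf excerpt and the function names are assumptions. It scans every Protocols directive in the text, server-wide or inside a VirtualHost, because h2 can be enabled in either place.

```python
import re

# Affected range from the advisory: 2.4.17 through 2.4.23 inclusive.
AFFECTED_MIN = (2, 4, 17)
AFFECTED_MAX = (2, 4, 23)
H2_TOKENS = {"h2", "h2c"}


def parse_httpd_version(text):
    """Extract (major, minor, patch) from `httpd -v` output or a Server response header.
    Returns None when no Apache/x.y.z token is present (e.g. ServerTokens Prod)."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None


def version_in_affected_range(version):
    return version is not None and AFFECTED_MIN <= version <= AFFECTED_MAX


def enabled_protocols(config_text):
    """Collect every token of every Protocols directive, server-wide or inside a
    <VirtualHost>. httpd directive names are case-insensitive and a '#' at the start
    of a line begins a comment, so both are handled that way here."""
    found = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"protocols\s+(.+)$", line, re.IGNORECASE)
        if m:
            found.update(tok.lower() for tok in m.group(1).split())
    return found


def assess(version_text, config_text):
    """Combine the version and configuration conditions into one verdict string."""
    version = parse_httpd_version(version_text)
    if version is None:
        return "version_unknown"
    if not version_in_affected_range(version):
        return "version_outside_affected_range"
    if not (enabled_protocols(config_text) & H2_TOKENS):
        return "affected_version_but_h2_not_enabled"
    return "exposed"


if __name__ == "__main__":
    # Constructed inputs; not taken from any real host.
    VERSION_OUTPUT = "Server version: Apache/2.4.23 (Unix)\nServer built:   Jul  5 2016 00:00:00"
    CONFIG = """
    # constructed httpd.conf excerpt
    LoadModule http2_module modules/mod_http2.so
    Protocols http/1.1
    <VirtualHost *:443>
        Protocols h2 http/1.1
    </VirtualHost>
    """
    print(assess(VERSION_OUTPUT, CONFIG))                     # exposed
    print(assess(VERSION_OUTPUT, "Protocols http/1.1\n"))     # affected_version_but_h2_not_enabled
    print(assess("Server: Apache/2.4.25 (Debian)", CONFIG))   # version_outside_affected_range
```

Treat the version test as a screen rather than a verdict: distribution builds such as the Red Hat errata listed above ship the fix under a backported package without changing the upstream version string, and a `ServerTokens Prod` header hides the version entirely, which is why an unparseable version is reported separately rather than as "not affected".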
Data source Exploit-DB
Date added Dec. 12, 2016
Description Apache 2.4.23 mod_http2 - Denial of Service
Ransomware campaign use Unknown
Source publication date Dec. 12, 2016
Exploit type dos
Platform linux
Source update date Dec. 14, 2016
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-8740.json
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high
Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Exploitability (E): not defined; Access Vector (AV): network; Access Complexity (AC): medium; Authentication (Au): none; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): partial
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2016-8740
Exploitability (E): not defined; Access Vector (AV): network; Access Complexity (AC): low; Authentication (Au): none; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): partial
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2016-8740
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high
The NVD and Red Hat CVSS v3 vectors differ only in Attack Complexity (low versus high), which accounts for the gap between the NVD base score of 7.5 and Red Hat's 5.9; the impact components are identical, an availability-only denial of service.
Exploit Prediction Scoring System (EPSS)
Percentile 0.92036
EPSS Score 0.03742
Published At Nov. 1, 2024, midnight
Date Actor Action Source VulnerableCode Version
There are no relevant records.