CVE-2019-10081
apache2 - security update
Severity: 7.5 HIGH (CVSS 3.1), EPSS 36.1%
Description
HTTP/2 (2.4.20 through 2.4.39) very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data supplied by the client.
How to fix CVE-2019-10081
To remediate CVE-2019-10081, upgrade the affected package to a fixed version below.
- Upgrade to 2.4.41-r0 or later
- Upgrade to 2.4.41-1 or later
- Upgrade to 2.4.25-3+deb9u8 or later
Is CVE-2019-10081 being exploited?
Moderate — EPSS is 36.1%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (3)
- from 0, < 2.4.41-r0
- from 0, < 2.4.41-1
- from 0, < 2.4.25-3+deb9u8
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |