Apache HTTP Server h2 Connection Shutdown Read-After Free Vulnerability

By GIXnews

A vulnerability in the mod_http2 module of the Apache HTTP Server could allow an unauthenticated, remote attacker to access sensitive information on a targeted system.

The vulnerability exists because the affected software does not properly handle HTTP/2 sessions. The affected software could allow memory to be read after being freed during h2 connection shutdown. A successful exploit could allow the attacker to access sensitive memory information, which could be used to conduct further attacks.

Apache has confirmed the vulnerability and released software updates.

Security Impact Rating: Medium

CVE: CVE-2019-10082

Source: Cisco Multivendor Vulnerability Alerts