Vulnerability Details : CVE-2016-8740
The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when the Protocols configuration includes h2 or h2c, does not restrict request-header length, which allows remote attackers to cause a denial of service (memory consumption) via crafted CONTINUATION frames in an HTTP/2 request.
Vulnerability category: Input validationDenial of service
Threat overview for CVE-2016-8740
Top countries where our scanners detected CVE-2016-8740
Top open port discovered on systems with this issue
80
IPs affected by CVE-2016-8740 472,019
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2016-8740!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2016-8740
Probability of exploitation activity in the next 30 days: 2.68%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 89 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2016-8740
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
10.0
|
2.9
|
NIST |
|
7.5
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2016-8740
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: nvd@nist.gov (Primary)
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-8740
-
https://security.netapp.com/advisory/ntap-20180423-0001/
December 2016 Apache HTTP Server Vulnerabilities in Multiple NetApp Products | NetApp Product Security
-
https://access.redhat.com/errata/RHSA-2017:1414
RHSA-2017:1414 - Security Advisory - Red Hat Customer Portal
-
https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3Ccvs.httpd.apache.org%3E
Pony Mail!
-
https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3Ccvs.httpd.apache.org%3E
Pony Mail!
-
https://www.exploit-db.com/exploits/40909/
Apache 2.4.23 mod_http2 - Denial of ServiceExploit;Third Party Advisory;VDB Entry
-
https://www.tenable.com/security/tns-2017-04
[R5] SecurityCenter 5.4.3 Fixes Multiple Vulnerabilities - Security Advisory | Tenable®
-
https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3Ccvs.httpd.apache.org%3E
svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html s
-
https://security.gentoo.org/glsa/201701-36
Apache: Multiple vulnerabilities (GLSA 201701-36) — Gentoo security
-
http://rhn.redhat.com/errata/RHSA-2017-1415.html
RHSA-2017:1415 - Security Advisory - Red Hat Customer Portal
-
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E
svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/ - Pony Mail
-
https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a@%3Ccvs.httpd.apache.org%3E
svn commit: r1075467 [2/2] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_2
-
https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9@%3Ccvs.httpd.apache.org%3E
svn commit: r1075360 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_2
-
https://access.redhat.com/errata/RHSA-2017:1161
RHSA-2017:1161 - Security Advisory - Red Hat Customer Portal
-
https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@%3Ccvs.httpd.apache.org%3E
Pony Mail!
-
https://support.apple.com/HT208221
About the security content of macOS High Sierra 10.13.1, Security Update 2017-001 Sierra, and Security Update 2017-004 El Capitan - Apple Support
-
https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3Ccvs.httpd.apache.org%3E
svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_
-
https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467@%3Ccvs.httpd.apache.org%3E
Pony Mail!
-
http://packetstormsecurity.com/files/140023/Apache-HTTPD-Web-Server-2.4.23-Memory-Exhaustion.html
Apache HTTPD Web Server 2.4.23 Memory Exhaustion ≈ Packet StormExploit;Third Party Advisory;VDB Entry
-
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E
Pony Mail!
-
http://www.securitytracker.com/id/1037388
Apache HTTPD HTTP/2 Header Processing Lets Remote Users Consume Excessive Memory Resources - SecurityTrackerThird Party Advisory;VDB Entry
-
https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e@%3Ccvs.httpd.apache.org%3E
svn commit: r1073146 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities-httpd.xml security/vulnerabilities_22.html security/vulnerabilities_24.html
-
https://github.com/apache/httpd/commit/29c63b786ae028d82405421585e91283c8fa0da3
SECURITY: CVE-2016-8740 · apache/httpd@29c63b7 · GitHubIssue Tracking;Patch;Third Party Advisory
-
https://lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b@%3Ccvs.httpd.apache.org%3E
svn commit: r1073149 [10/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/ - Pony Mail
-
https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d@%3Ccvs.httpd.apache.org%3E
svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_2
-
https://access.redhat.com/errata/RHSA-2017:1413
RHSA-2017:1413 - Security Advisory - Red Hat Customer Portal
-
http://www.securityfocus.com/bid/94650
Apache HTTP Server CVE-2016-8740 Denial of Service VulnerabilityThird Party Advisory;VDB Entry
-
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03725en_us
HPESBUX03725 rev.1 - HPE HP-UX Web Server Suite running Apache, Multiple Vulnerabilities
-
https://lists.apache.org/thread.html/r04e89e873d54116a0635ef2f7061c15acc5ed27ef7500997beb65d6f@%3Ccvs.httpd.apache.org%3E
svn commit: r1073139 [10/13] - in /websites/staging/httpd/trunk/content: ./ security/json/ - Pony Mail
Products affected by CVE-2016-8740
- cpe:2.3:a:apache:http_server:2.4.17:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.4.18:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.4.20:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.4.21:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.4.22:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.4.23:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.4.19:*:*:*:*:*:*:*