{"id":"CVE-2019-10079","details":"Apache Traffic Server is vulnerable to HTTP/2 setting flood attacks. Earlier versions of Apache Traffic Server didn't limit the number of setting frames sent from the client using the HTTP/2 protocol. Users should upgrade to Apache Traffic Server 7.1.7, 8.0.4, or later versions.","modified":"2026-04-10T04:13:39.131951Z","published":"2019-10-22T16:15:10.610Z","references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/trafficserver","events":[{"introduced":"0"},{"fixed":"16fa86a509c3aeb9744816b1ff2ffb711bd3a2ff"},{"introduced":"b310e3566f58dd04ec2b15b111ec86ea70e20019"},{"fixed":"5dd376fd385f4e2483e70537fe49309f24d35902"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"7.1.7"},{"introduced":"8.0.0"},{"fixed":"8.0.4"}]}}],"versions":["3.1.2","3.3.0","3.3.1","7.1.0","7.1.0-rc0","7.1.0-rc1","7.1.1","7.1.1-rc0","7.1.1-rc1","7.1.2","7.1.2-rc0","7.1.2-rc1","7.1.2-rc2","7.1.2-rc3","7.1.2-rc4","7.1.3","7.1.3-rc0","7.1.4","7.1.4-rc0","7.1.4-rc1","7.1.5","7.1.5-rc0","7.1.5-rc1","7.1.6","7.1.6-rc0","7.1.6-rc1","7.1.7-rc0","8.0.0","8.0.0-rc4","8.0.1","8.0.1-rc0","8.0.2","8.0.2-rc0","8.0.3","8.0.3-rc0","8.0.4-rc0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-10079.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}