漏洞标题
N/A
漏洞描述信息
在Python优先级库版本1.2.0之前任何版本的HTTP/2实现可能会被恶意 peer 攻击,因为恶意 peer 会给每个可能的HTTP/2流ID分配优先级信息。优先级树会继续为每个流分配无限的内存,因此会消耗极高的CPU资源来维护这个树。尝试实际使用这样的树也会导致极高的CPU使用来维护树。
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
漏洞类别
N/A
漏洞标题
N/A
漏洞描述信息
A HTTP/2 implementation built using any version of the Python priority library prior to version 1.2.0 could be targeted by a malicious peer by having that peer assign priority information for every possible HTTP/2 stream ID. The priority tree would happily continue to store the priority information for each stream, and would therefore allocate unbounded amounts of memory. Attempting to actually use a tree like this would also cause extremely high CPU usage to maintain the tree.
CVSS信息
N/A
漏洞类别
N/A
漏洞标题
Python priority library 安全漏洞
漏洞描述信息
Python priority library是一个使用Python编写的HTTP/2逻辑优先级的实现。 Python priority library 1.2.0之前的版本中的HTTP/2实现过程中存在安全漏洞。攻击者可利用该漏洞造成拒绝服务。
CVSS信息
N/A
漏洞类别
资源管理错误