The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 23.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6754-1 advisory.

    It was discovered that nghttp2 incorrectly handled the HTTP/2 implementation. A remote attacker could     possibly use this issue to cause nghttp2 to consume resources, leading to a denial of service. This issue     only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-9511, CVE-2019-9513)

    It was discovered that nghttp2 incorrectly handled request cancellation. A remote attacker could possibly     use this issue to cause nghttp2 to consume resources, leading to a denial of service. This issue only     affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2023-44487)

    It was discovered that nghttp2 could be made to process an unlimited number of HTTP/2 CONTINUATION frames.
    A remote attacker could possibly use this issue to cause nghttp2 to consume resources, leading to a denial     of service. (CVE-2024-28182)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 23.10 : nghttp2 vulnerabilities (USN-6754-1)

critical Nessus Plugin ID 193905

Version 1.3

Version 1.2

Version 1.1

Version 1.0

Version 1.3 Sep 18, 2024, 8:52 AM CVSS metrics ("Cvssv4 threat vector" set to "CVSS:4.0/E:A") Plugin Feed: 202409180852
Version 1.2 Aug 28, 2024, 7:43 PM CVSS metrics ("Cvssv4 score" set to 9.3) CVSS metrics ("Cvssv4 vector" set to "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N") Detection (updated detection logic) Plugin metadata Plugin Feed: 202408281943
Version 1.1 Apr 26, 2024, 10:39 PM CEA reference Plugin Feed: 202404262239
Version 1.0 Apr 26, 2024, 5:14 AM New Plugin Feed: 202404260514