Description: ATS is vulnerable to an HTTP/2 CONTINUATION frame flooding attack

CVE: CVE-2024-31309 - HTTP/2 CONTINUATION frames can be utilized for a DoS attack

Reported By: Bartek Nowotarski (CVE-2024-31309)

Vendor: The Apache Software Foundation

Version Affected:
  ATS 8.0.0 to 8.1.9
  ATS 9.0.0 to 9.2.3

Mitigation:
  8.x users should upgrade to 8.1.10 or later versions
  9.x users should upgrade to 9.2.4 or later versions

Users can set a new setting (proxy.config.http2.max_continuation_frames_per_minute) to limit the number of CONTINUATION frames per minute. ATS does have a fixed amount of memory a request can use, and previous releases adhere to those limits as well.

CVE: https://www.cve.org/CVERecord?id=CVE-2024-31309

-Bryan
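To make the mitigation concrete, the following is an added illustration (not code from the advisory or from Apache Traffic Server) of what a per-connection CONTINUATION rate limit does: it parses HTTP/2 frame headers (RFC 7540 section 4.1), counts CONTINUATION frames (type 0x9) in a sliding 60-second window, and signals that the connection should be closed once the count exceeds the configured maximum. The class name `ContinuationLimiter`, the `scan_connection` helper, the fixed inter-arrival time, and the sample frame sequence are all constructed for this example; how ATS itself enforces `proxy.config.http2.max_continuation_frames_per_minute` internally is not described on this page.

```python
import time
from collections import deque

# HTTP/2 frame constants (RFC 7540 sections 4.1, 6.2, 6.10)
FRAME_HEADER_LEN = 9
TYPE_HEADERS = 0x1
TYPE_CONTINUATION = 0x9
FLAG_END_HEADERS = 0x4


def parse_frame_header(buf: bytes, offset: int = 0):
    """Parse one 9-octet HTTP/2 frame header starting at `offset`.

    Returns (length, type, flags, stream_id), or None if fewer than 9 octets remain.
    """
    if len(buf) - offset < FRAME_HEADER_LEN:
        return None
    length = int.from_bytes(buf[offset:offset + 3], "big")
    ftype = buf[offset + 3]
    flags = buf[offset + 4]
    # The high bit of the stream identifier is reserved and must be ignored.
    stream_id = int.from_bytes(buf[offset + 5:offset + 9], "big") & 0x7FFFFFFF
    return length, ftype, flags, stream_id


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Serialise a frame header plus payload; used only to construct sample input."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


class ContinuationLimiter:
    """Per-connection sliding-window counter for CONTINUATION frames.

    Hypothetical model of the behaviour a per-minute CONTINUATION limit
    provides; this is not the ATS implementation.
    """

    def __init__(self, max_per_minute: int, window_seconds: float = 60.0):
        self.max_per_minute = max_per_minute
        self.window = window_seconds
        self._stamps = deque()  # timestamps of CONTINUATION frames still inside the window

    def observe(self, ftype: int, now: float) -> bool:
        """Record one frame; return True when the connection should be closed."""
        if ftype != TYPE_CONTINUATION:
            return False
        self._stamps.append(now)
        # Drop timestamps that have aged out of the window.
        while self._stamps and now - self._stamps[0] >= self.window:
            self._stamps.popleft()
        return len(self._stamps) > self.max_per_minute


def scan_connection(buf: bytes, limiter: ContinuationLimiter,
                    start_time: float = 0.0, frame_interval: float = 0.01) -> dict:
    """Walk a buffer of frames and report whether (and when) the limiter trips.

    `frame_interval` is a constructed inter-arrival time so the example runs
    offline without real timing; a real proxy would use a monotonic clock.
    """
    offset, frames, now = 0, 0, start_time
    while (hdr := parse_frame_header(buf, offset)) is not None:
        length, ftype, flags, stream_id = hdr
        if len(buf) - offset - FRAME_HEADER_LEN < length:
            break  # truncated trailing frame; stop scanning
        frames += 1
        if limiter.observe(ftype, now):
            return {"frames_seen": frames, "closed": True, "stream_id": stream_id}
        offset += FRAME_HEADER_LEN + length
        now += frame_interval
    return {"frames_seen": frames, "closed": False, "stream_id": None}


def sample_header_block(continuations: int) -> bytes:
    """Constructed input: one HEADERS frame with END_HEADERS unset, followed by
    `continuations` CONTINUATION frames on the same stream, each carrying a
    single HPACK indexed-header octet.
    """
    buf = build_frame(TYPE_HEADERS, 0, 1, b"\x82")  # static-table index 2 (:method GET)
    for _ in range(continuations):
        buf += build_frame(TYPE_CONTINUATION, 0, 1, b"\x84")  # static-table index 4 (:path /)
    return buf


if __name__ == "__main__":
    limiter = ContinuationLimiter(max_per_minute=5)
    print(scan_connection(sample_header_block(50), limiter))
```

The check is deliberately per connection rather than per stream: a header block may legitimately span several CONTINUATION frames, so the limit should be set well above what any real client needs while still cutting off a peer that never sends END_HEADERS.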