CVE-2017-5650: Improper Resource Shutdown or Release

April 17, 2017 (updated October 3, 2019)

The handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting for a WINDOW_UPDATE before allowing the application to write more data. These waiting streams each consumed a thread. A malicious client could therefore construct a series of HTTP/2 requests that would consume all available processing threads.

References

www.securityfocus.com/bid/97531
nvd.nist.gov/vuln/detail/CVE-2017-5650

Code Behaviors & Features

Detect and mitigate CVE-2017-5650 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →