| VuXML ID | Description |
|---|
| bf545001-b96d-42e4-9d2e-60fdee204a43 | h2o -- HTTP/2 Rapid Reset attack vulnerability
Kazuo Okuhu reports:
H2O is vulnerable to the HTTP/2 Rapid Reset attack.
An attacker might be able to consume more than adequate amount of
processing power of h2o and the backend servers by mounting the
attack.
Discovery 2023-10-10
Entry 2023-10-10
h2o
le 2.2.6
h2o-devel
< 2.3.0.d.20231010
CVE-2023-44487
https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf
|
| 4da51989-5a8b-4eb9-b442-46d94ec0802d | h2o -- Malformed HTTP/1.1 causes Out-of-Memory Denial of Service
Elijah Glover reports:
Malformed HTTP/1.1 requests can crash worker processes.
occasionally locking up child workers and causing denial of
service, and an outage dropping any open connections.
Discovery 2023-04-27
Entry 2023-04-30
h2o
le 2.2.6
h2o-devel
< 2.3.0.d.20230427
CVE-2023-30847
https://github.com/h2o/h2o/security/advisories/GHSA-p5hj-phwj-hrvx
|
| 1d3677a8-9143-42d8-84a3-0585644dff4b | h2o -- uninitialised memory access in HTTP3
Emil Lerner reports:
When receiving QUIC frames in certain order, HTTP/3 server-side
implementation of h2o can be misguided to treat uninitialized
memory as HTTP/3 frames that have been received. When h2o is
used as a reverse proxy, an attacker can abuse this vulnerability
to send internal state of h2o to backend servers controlled by
the attacker or third party. Also, if there is an HTTP endpoint
that reflects the traffic sent from the client, an attacker can
use that reflector to obtain internal state of h2o.
This internal state includes traffic of other connections in
unencrypted form and TLS session tickets.
This vulnerability exists in h2o server with HTTP/3
support, between commit 93af138 and d1f0f65. None of the
released versions of h2o are affected by this vulnerability.
Discovery 2021-01-31
Entry 2022-02-02
h2o-devel
< 2.3.0.d.20220131
CVE-2021-43848
https://github.com/h2o/h2o/security/advisories/GHSA-f9xw-j925-m4m4
|
| 72a5579e-c765-11e9-8052-0028f8d09152 | h2o -- multiple HTTP/2 vulnerabilities
Jonathon Loomey of Netflix reports:
HTTP/2 implementations do not robustly handle abnormal traffic and resource exhaustion
Recently, a series of DoS attack vulnerabilities have been reported on a broad range of HTTP/2 stacks. Among the vulnerabilities, H2O is exposed to the following:
- CVE-2019-9512 "Ping Flood": The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
- CVE-2019-9514 "Reset Flood": The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
- CVE-2019-9515 "Settings Flood": The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
Discovery 2019-08-13
Entry 2019-08-25
h2o-devel
< 2.3.0.b2
https://github.com/h2o/h2o/issues/2090
https://www.kb.cert.org/vuls/id/605641/
CVE-2019-9512
CVE-2019-9514
CVE-2019-9515
|