CVE-2023-30847

2023-04-2715:15:13

CWE-824

[email protected]

web.nvd.nist.gov

h2o

http server

cve-2023-30847

denial of service

information leak

security vulnerability

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

7.9 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

58.6%

JSON

H2O is an HTTP server. In versions 2.3.0-beta2 and prior, when the reverse proxy handler tries to processes a certain type of invalid HTTP request, it tries to build an upstream URL by reading from uninitialized pointer. This behavior can lead to crashes or leak of information to back end HTTP servers. Pull request number 3229 fixes the issue. The pull request has been merged to the master branch in commit f010336. Users should upgrade to commit f010336 or later.

Affected configurations

Vulners

NVD

Node

h2oh2oRange≤2.3.0-beta2

VendorProductVersionCPE
h2oh2o*cpe:2.3:a:h2o:h2o:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
h2o	h2o	*	cpe:2.3:a:h2o:h2o::::::::

CNA Affected

[
  {
    "vendor": "h2o",
    "product": "h2o",
    "versions": [
      {
        "version": "<= 2.3.0-beta2",
        "status": "affected"
      }
    ]
  }
]