1291 matches found

OSV · added 2024/02/26 4:27 p.m.

UBUNTU-CVE-2024-22201

Jetty is a Java-based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to st...

CVSS 7.5 · AI score 6.8 · EPSS 0.00559 · Exploits 0 · References 4
CNNVD · added 2024/02/26 12:00 a.m.

Suricata security breach

Suricata is a suite of network Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and network security monitoring engines developed by the Open Information Security Foundation (OISF) and its supporting vendors, which supports multi-threading, built-in IPv6, and the ability to load...

CVSS 5.3 · AI score 6.6 · EPSS 0.00101 · Exploits 0 · References 4
CNNVD · added 2024/02/26 12:00 a.m.

Eclipse Jetty Security Vulnerability

Eclipse Jetty is an open source, Java-based web server and Java Servlet container from the Eclipse Foundation. A security vulnerability exists in Eclipse Jetty versions prior to 9.4.54, prior to 10.0.20, prior to 11.0.20, and prior to 12.0.6, which stems from a timeout that causes a leak if TCP i...

CVSS 7.5 · AI score 8.8 · EPSS 0.00559 · Exploits 0 · References 12
OSV · added 2024/02/23 11:06 a.m.

OESA-2024-1170 nodejs security update

Node.js is an open-source, cross-platform JavaScript runtime environment; it executes JavaScript code outside of a browser. Security Fixes: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the...

CVSS 7.5 · AI score 8.2 · EPSS 0.9439 · Exploits 19 · References 2
OSV · added 2024/02/23 11:06 a.m.

OESA-2024-1172 nodejs security update

Node.js is an open-source, cross-platform JavaScript runtime environment; it executes JavaScript code outside of a browser. Security Fixes: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the...

CVSS 7.5 · AI score 8.2 · EPSS 0.9439 · Exploits 19 · References 2
Amazon · added 2024/02/19 12:00 a.m.

Important: amazon-ssm-agent

Issue Overview: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. (CVE-2023-39325) A malicious HTTP sender can use chunk extensions to cause a receiver...

CVSS 9.8 · AI score 8 · EPSS 0.04027 · Exploits 0
CNNVD · added 2024/02/14 12:00 a.m.

F5 BIG-IP Security Vulnerabilities

F5 BIG-IP is an application delivery platform from F5 (USA) that integrates network traffic management, application security management, and load balancing. A security vulnerability exists in F5 BIG-IP that stems from an undisclosed response that could cause the Traffic Management Microkernel (TMM) t...

CVSS 7.5 · AI score 6.7 · EPSS 0.00267 · Exploits 0 · References 3
OSV · added 2024/02/08 11:06 a.m.

OESA-2024-1139 containerd security update

containerd is an industry-standard container runtime with an emphasis on simplicity, robustness and portability. It is available as a daemon for Linux and Windows, which can manage the complete container lifecycle of its host system: image transfer and storage, container execution and supervision...

CVSS 7.5 · AI score 8.8 · EPSS 0.00264 · Exploits 0 · References 2
OSV · added 2024/01/26 11:06 a.m.

OESA-2024-1105 grafana security update

Grafana is an open source, feature-rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB. Security Fixes: Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map...

CVSS 7.5 · AI score 8.6 · EPSS 0.0015 · Exploits 1 · References 3
Microsoft CVE · added 2024/01/21 8:00 a.m.

An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.

...

CVSS 9.8 · AI score 8.7 · EPSS 0.00188 · Exploits 0
Amazon · added 2024/01/08 12:00 a.m.

Important: grpc

Issue Overview: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. (CVE-2023-44487) Affected Packages: grpc Issue Correction: Run dnf update grpc --releaseve...

CVSS 7.5 · AI score 8.7 · EPSS 0.9439 · Exploits 19
BDU FSTEC · added 2024/01/06 12:00 a.m.

The vulnerability of the HTTP2 protocol implementation (network/access/http2/hpacktable.cpp) in the cross-platform development framework for Qt software allows a perpetrator to cause service failures.

The vulnerability of the HTTP2 protocol implementation (network/access/http2/hpacktable.cpp) of the cross-platform development framework for Qt is related to a numerical overflow caused by changes to the typical expression order in conditional operators (“Yoda conditions”). Exploiting this...

CVSS 6.2 · AI score 7.5 · EPSS 0.00188 · Exploits 0 · References 9 · Affected Software 4
Positive Technologies · added 2024/01/05 12:00 a.m.

PT-2024-2652 · Envoy +1

Name of the Vulnerable Software and Affected Versions: Envoy versions 1.29.0 through 1.29.1 Description: The issue is related to the Envoy HTTP/2 protocol stack, which is vulnerable to a flood of CONTINUATION frames. This occurs because Envoy's HTTP/2 codec does not reset a request when header ma...

CVSS 7.8 · AI score 8.3 · EPSS 0.23884 · Exploits 1 · References 18
ATTACKERKB · added 2023/12/24 9:15 p.m.

CVE-2023-51714

An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check...

CVSS 9.8 · AI score 5.8 · EPSS 0.00188 · Exploits 0 · References 4
OSV · added 2023/12/24 9:15 p.m.

DEBIAN-CVE-2023-51714

An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check...

CVSS 9.8 · AI score 8.2 · EPSS 0.00188 · Exploits 0 · References 1
OSV · added 2023/12/24 9:15 p.m.

AZL-33517 CVE-2023-51714 affecting package qt5-qtbase for versions less than 5.12.11-10

An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check...

CVSS 9.8 · AI score 7.4 · EPSS 0.00188 · Exploits 0 · References 1
BDU FSTEC · added 2023/12/08 12:00 a.m.

The vulnerability of the HTTP/2 network protocol implementation in BIG-IP’s access control and remote authentication mechanisms allows an attacker to cause service interruptions.

The vulnerability of the HTTP/2 network protocol implementation for BIG-IP access control and remote authentication mechanisms is related to uncontrolled resource consumption during request processing. Exploiting this vulnerability could allow a malicious actor to cause service failures...

CVSS 7.8 · AI score 7.2 · EPSS 0.00891 · Exploits 0 · References 2 · Affected Software 13
RedHat Linux · added 2023/12/07 1:53 p.m.

mod_http2: reset requests exhaust memory (incomplete fix of CVE-2023-44487)

A flaw was found in mod_http2. When an HTTP/2 stream is reset (RST frame) by a client, there is a time window where the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connectio...

CVSS 7.5 · AI score 6.8 · EPSS 0.9439 · Exploits 20 · References 5
RedHat Linux · added 2023/11/24 4:56 p.m.

HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)

A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any...

CVSS 7.5 · AI score 6.7 · EPSS 0.9439 · Exploits 19 · References 10
RedHat Linux · added 2023/11/16 5:56 a.m.

golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)

A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any...

CVSS 7.5 · AI score 6.7 · EPSS 0.9439 · Exploits 19 · References 9