AlmaLinux (added 2025/09/02)

Moderate: mod_http2 security update

The mod_h2 Apache httpd module implements the HTTP/2 protocol (h2+h2c) on top of libnghttp2 for httpd 2.4 servers. Security Fixes: httpd: mod_proxy_http2: untrusted input from a client causes an assertion to fail in the Apache mod_proxy_http2 module (CVE-2025-49630). For more details about the security...

CVSS 7.5 | AI score 6.9 | EPSS 0.01149 | Exploits: 0 | References: 4
Tenable Nessus (added 2025/08/31)

RHEL 10 : mod_http2 (RHSA-2025:14625)

The remote Redhat Enterprise Linux 10 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2025:14625 advisory. The mod_h2 Apache httpd module implements the HTTP/2 protocol (h2+h2c) on top of libnghttp2 for httpd 2.4 servers. Security Fixes: httpd: mod_proxy_http2...

CVSS 7.5 | AI score 7.3 | EPSS 0.01149 | Exploits: 0 | References: 5
OSV (added 2025/08/20)

DEBIAN-CVE-2025-5115

In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that should not be sent in a particular stream state, therefore forcing the server to consume...

CVSS 7.5 | AI score 6.8 | EPSS 0.01567 | Exploits: 0 | References: 1
OSV (added 2025/07/10)

GHSA-4J3C-42XV-3F84 Apache Tomcat is vulnerable to resource exhaustion when using the APR/Native connector

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections. This issue affects Apache Tomcat: from 9.0.0.M1 throug...

CVSS 8.9 | AI score 7.1 | EPSS 0.01819 | Exploits: 0 | References: 6
OSV (added 2025/05/08)

GHSA-889J-63JV-QHR8 Eclipse Jetty HTTP/2 client can force the server to allocate a humongous byte buffer that may lead to OoM and subsequently the JVM to exit

Original Report: In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not perform validation on this setting, and tries to allocate a ByteBuffer of the specifi...

CVSS 7.5 | AI score 5.9 | EPSS 0.00625 | Exploits: 0 | References: 6
CNNVD (added 2025/05/08)

Eclipse Jetty Security Vulnerability

Eclipse Jetty is an open source, Java-based web server and Java Servlet container from the Eclipse Foundation. A security vulnerability exists in Eclipse Jetty versions 12.0.0 through 12.0.16, which originates from an HTTP/2 server that does not validate the SETTINGS_MAX_HEADER_LIST_SIZE setting, whi...

CVSS 7.5 | AI score 7.5 | EPSS 0.00625 | Exploits: 0 | References: 4
Tenable Nessus (added 2025/03/04)

Linux Distros Unpatched Vulnerability : CVE-2020-13943

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent...

CVSS 4.3 | AI score 6.7 | EPSS 0.57286 | Exploits: 0 | References: 2
SUSE Linux (added 2025/01/31)

Security update for ignition

This update for ignition fixes the following issues: CVE-2023-45288: Fixed unclosed connections when receiving too many headers in golang.org/x/net/http2 (bsc#1236518). Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper...

CVSS 6.9 | AI score 7.3 | EPSS 0.91969 | Exploits: 1 | References: 4
RedHat Linux (added 2024/12/19)

undertow: information leakage via HTTP/2 request header reuse

REJECTED CVE. A vulnerability has been identified in the Undertow package where the readHpackString method may incorrectly reuse an HTTP request header value from a previous stream for a new request on the same HTTP/2 connection due to improper handling of the stringBuilder field. While this...

AI score 5.7 | Exploits: 0 | References: 5
SUSE Linux (added 2024/11/09)

Security update for apache2

This update for apache2 fixes the following issues: CVE-2023-45802: HTTP/2 stream memory not reclaimed right away on RST (bsc#1216423). Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run th...

CVSS 7.5 | AI score 7.1 | EPSS 0.03024 | Exploits: 1 | References: 4
Amazon (added 2024/11/01)

Important: qt5-qtquickcontrols

Issue Overview: An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted signal has not ye...

CVSS 8.6 | AI score 7.3 | EPSS 0.00494 | Exploits: 0
CNNVD (added 2024/09/19)

Envoy Security Vulnerability

Envoy is an Enphase open source gateway program for connecting smart home devices. A security vulnerability exists in Envoy version 1.31, which stems from a flaw in the HTTP/2 codec around stream management that can cause Envoy to crash...

CVSS 7.5 | AI score 7.4 | EPSS 0.00495 | Exploits: 0 | References: 4
RedHat Linux (added 2024/07/23)

nghttp2: CONTINUATION frames DoS

A vulnerability was found in how nghttp2 implements the HTTP/2 protocol. There are insufficient limitations placed on the amount of CONTINUATION frames that can be sent within a single stream. This issue could allow an unauthenticated remote attacker to send packets to vulnerable servers, which...

CVSS 5.3 | AI score 6.8 | EPSS 0.8496 | Exploits: 1 | References: 7
CNNVD (added 2024/07/04)

Qt Security Vulnerabilities

Qt is a cross-platform C++ application development framework from the Norwegian company Qt. It is widely used to develop GUI programs, in which case it is also known as the widget toolkit. It can also be used to develop non-GUI programs, such as console tools and servers. A security vulnerability...

CVSS 8.6 | AI score 7.1 | EPSS 0.00494 | Exploits: 0 | References: 3
RedHat Linux (added 2024/07/02)

nghttp2: CONTINUATION frames DoS

A vulnerability was found in how nghttp2 implements the HTTP/2 protocol. There are insufficient limitations placed on the amount of CONTINUATION frames that can be sent within a single stream. This issue could allow an unauthenticated remote attacker to send packets to vulnerable servers, which...

CVSS 5.3 | AI score 6.8 | EPSS 0.8496 | Exploits: 1 | References: 7
RedHat Linux (added 2024/05/20)

golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS

A vulnerability was discovered with the implementation of the HTTP/2 protocol in the Go programming language. There were insufficient limitations on the amount of CONTINUATION frames sent within a single stream. An attacker could potentially exploit this to cause a Denial of Service (DoS) attack...

CVSS 7.5 | AI score 7.2 | EPSS 0.91969 | Exploits: 1 | References: 7
BDU FSTEC (added 2024/04/06)

A vulnerability in the Tempesta web application firewall, related to uncontrolled resource consumption, allows attackers to cause service interruptions.

The vulnerability in the Tempesta web application firewall's implementation of the HTTP/2 protocol is related to uncontrolled resource consumption due to incorrect determination of the end of headers during the processing of CONTINUATION frames. Exploiting this vulnerability...

CVSS 5.3 | AI score 7.8 | EPSS 0.7275 | Exploits: 0 | References: 3 | Affected software: 1
BDU FSTEC (added 2024/04/06)

A vulnerability in the nghttp2 library, related to uncontrolled resource consumption, allows attackers to cause service failures.

The vulnerability in the nghttp2 library's implementation of the HTTP/2 protocol is related to uncontrolled resource consumption due to incorrect determination of the end of headers during the processing of CONTINUATION frames. Exploiting this vulnerability could allow a remote...

CVSS 5.3 | AI score 7 | EPSS 0.8496 | Exploits: 1 | References: 11 | Affected software: 7
BDU FSTEC (added 2024/04/06)

A vulnerability in the net/http and net/http2 libraries of the Go programming language, related to uncontrolled resource consumption, allows attackers to cause service failures.

The vulnerability in the HTTP/2 protocol implementation of the net/http and net/http2 libraries of the Go programming language is related to uncontrolled resource consumption due to incorrect determination of the end of headers during the processing of CONTINUATION frames...

CVSS 5.3 | AI score 6.9 | EPSS 0.91969 | Exploits: 1 | References: 7 | Affected software: 3
OSV (added 2024/04/04)

AZL-39223 CVE-2023-45288 affecting package moby-containerd for versions less than 1.6.26-5

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no...

CVSS 7.5 | AI score 6.8 | EPSS 0.91969 | Exploits: 1 | References: 1