1327 matches found

RedHat Linux · added 2023/05/09 9:50 a.m.

golang: net/http: handle server errors after sending GOAWAY

A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown...

CVSS 7.5 · AI score 6.6 · EPSS 0.02513 · Exploits 0 · References 6
Positive Technologies · added 2023/04/25 12:00 a.m.

PT-2023-13792 · Laravel

Name of the Vulnerable Software and Affected Versions: Laravel versions 8.x through 9.x before 9.32.0.
Description: The authentication method was discovered to be vulnerable to user enumeration via timeless timing attacks with HTTP/2 multiplexing. This issue is caused by the early return inside th...

CVSS 5.3 · AI score 7.5 · EPSS 0.00881 · Exploits 1 · References 7
Positive Technologies · added 2023/04/18 12:00 a.m.

PT-2023-4872

Name of the Vulnerable Software and Affected Versions: gRPC, affected versions not specified.
Description: The issue is related to a base64 encoding error for -bin suffixed headers, which can cause a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. This can be exploited by...

CVSS 7.5 · AI score 7 · EPSS 0.99999 · Exploits 19 · References 38
OSV · added 2023/04/11 2:15 p.m.

AZL-34823 CVE-2023-26964 affecting package kata-containers for versions less than 3.2.0.azl0-2

An issue was discovered in hyper v0.13.7 (h2 0.2.4). Stream stacking occurs when the H2 component processes HTTP2 RST_STREAM frames. As a result, memory and CPU usage are high, which can lead to a Denial of Service (DoS)...

CVSS 7.5 · AI score 7.1 · EPSS 0.01111 · Exploits 1 · References 1
OSV · added 2023/04/11 2:15 p.m.

AZL-26291 CVE-2023-26964 affecting package rpm-ostree for versions less than 2022.1-7

An issue was discovered in hyper v0.13.7 (h2 0.2.4). Stream stacking occurs when the H2 component processes HTTP2 RST_STREAM frames. As a result, memory and CPU usage are high, which can lead to a Denial of Service (DoS)...

CVSS 7.5 · AI score 7.1 · EPSS 0.01111 · Exploits 1 · References 1
OSV · added 2023/04/11 2:15 p.m.

AZL-61174 CVE-2023-26964 affecting package rust for versions less than h2-0.3.26

An issue was discovered in hyper v0.13.7 (h2 0.2.4). Stream stacking occurs when the H2 component processes HTTP2 RST_STREAM frames. As a result, memory and CPU usage are high, which can lead to a Denial of Service (DoS)...

CVSS 7.5 · AI score 7.1 · EPSS 0.01111 · Exploits 1 · References 1
Positive Technologies · added 2023/04/11 12:00 a.m.

PT-2023-3149 · Hyper +2

Name of the Vulnerable Software and Affected Versions: hyper version 0.13.7, h2 version 0.2.4.
Description: An issue in the H2 component of hyper occurs when processing HTTP2 RST_STREAM frames, leading to stream stacking and high memory and CPU usage, which can result in a Denial of Service (DoS). Th...

CVSS 8.1 · AI score 9.6 · EPSS 0.1446 · Exploits 3 · References 42
Amazon · added 2023/03/22 12:00 a.m.

Important: golang

Issue Overview: A vulnerability was found in archive/zip of the Go standard library. Applications written in Go can panic or potentially exhaust system memory when parsing malformed ZIP files. (CVE-2021-33196)
A validation flaw was found in golang. When invoking functions from WASM modules built...

CVSS 9.8 · AI score 7.3 · EPSS 0.10299 · Exploits 8
Amazon · added 2023/03/21 12:00 a.m.

Important: aws-nitro-enclaves-cli

Issue Overview: Hyperium Hyper before 0.14.19 does not allow for customization of the max_header_list_size method in the H2 third-party software, allowing attackers to perform HTTP2 attacks. (CVE-2022-31394)
Affected Packages: aws-nitro-enclaves-cli
Note: This advisory is applicable to Amazon Linux 2 ...

CVSS 7.5 · AI score 7 · EPSS 0.01076 · Exploits 1
RedHat Linux · added 2023/03/09 1:46 p.m.

golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests

A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache...

CVSS 5.3 · AI score 6.6 · EPSS 0.05623 · Exploits 0 · References 9
OSV · added 2023/02/28 6:15 p.m.

AZL-26732 CVE-2022-41723 affecting package kubevirt for versions less than 0.59.0-15

A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests...

CVSS 7.5 · AI score 6.7 · EPSS 0.04561 · Exploits 0 · References 1
OSV · added 2023/02/28 6:15 p.m.

AZL-25939 CVE-2022-41723 affecting package skopeo for versions less than 1.12.0-3

A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests...

CVSS 7.5 · AI score 6.7 · EPSS 0.04561 · Exploits 0 · References 1
OSV · added 2023/02/28 6:15 p.m.

AZL-34908 CVE-2022-41723 affecting package kubevirt for versions less than 1.2.0-1

A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests...

CVSS 7.5 · AI score 6.7 · EPSS 0.04561 · Exploits 0 · References 1
OSV · added 2023/02/28 6:15 p.m.

AZL-37377 CVE-2022-41723 affecting package golang for versions less than 1.21.6-1

A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests...

CVSS 7.5 · AI score 6.7 · EPSS 0.04561 · Exploits 0 · References 1
OSV · added 2023/02/23 8:15 p.m.

UBUNTU-CVE-2022-4492

The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step; at least it should be performed by default in https and in http/2. I would add it to any TLS client protocol...

CVSS 7.5 · AI score 7.1 · EPSS 0.00596 · Exploits 0 · References 4
OSV · added 2023/02/21 2:15 p.m.

DEBIAN-CVE-2022-31394

Hyperium Hyper before 0.14.19 does not allow for customization of the max_header_list_size method in the H2 third-party software, allowing attackers to perform HTTP2 attacks...

CVSS 7.5 · AI score 7.3 · EPSS 0.01076 · Exploits 1 · References 1
Snyk · added 2023/02/16 10:31 p.m.

Allocation of Resources Without Limits or Throttling

Overview: std/net/http is a Go standard library package. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling. Go Vulnerability Report: A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder,...

CVSS 8.7 · AI score 7.9 · EPSS 0.04561 · Exploits 0 · References 3
SUSE CVE · added 2023/02/16 3:03 a.m.

SUSE CVE-2022-41723

A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests...

CVSS 7.5 · AI score 6.7 · EPSS 0.04561 · Exploits 0 · References 33
SUSE CVE · added 2023/02/15 5:30 a.m.

SUSE CVE-2014-1582

The Public Key Pinning (PKP) implementation in Mozilla Firefox before 33.0 does not properly consider the connection-coalescing behavior of SPDY and HTTP/2 in the case of a shared IP address, which allows man-in-the-middle attackers to bypass an intended pinning configuration and spoof a web site b...

CVSS 4.3 · AI score 8.5 · EPSS 0.01195 · Exploits 0 · References 4
SUSE CVE · added 2023/02/15 5:22 a.m.

SUSE CVE-2015-0799

The HTTP Alternative Services feature in Mozilla Firefox before 37.0.1 allows man-in-the-middle attackers to bypass an intended X.509 certificate-verification step for an SSL server by specifying that server in the uri-host field of an Alt-Svc HTTP/2 response header...

CVSS 4.3 · AI score 8.7 · EPSS 0.01174 · Exploits 0 · References 6