1444 matches found
CVE-2023-39325
CVE-2023-39325 describes a DoS in HTTP/2 handling where a malicious client rapidly creates and resets requests, potentially exhausting server resources. The fix tightens per-connection concurrency handling: servers bound the number of executing handler goroutines to the stream-concurrency limit (...
CVE-2023-39325
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a ne...
HTTP/2 rapid reset can cause excessive work in net/http
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a ne...
GO-2023-2102 HTTP/2 rapid reset can cause excessive work in net/http
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a ne...
CVE-2023-36478
A flaw was found in Jetty http2-hpack and http3-qpack. If header values exceed the size limit and Huffman is true, the multiplication in MetaDataBuilder.checkSize will overflow, and the length will become negative, causing a large buffer allocation on the server, leading to a Denial of Service Do...
com.ericsson.research.trap.transports:wshttp-server-netty (=1.4.2), com.github.kristofa:brave-grpc (>=3.6.0 <=3.7.0) +95 more potentially affected by CVE-2023-44487 via io.netty:netty-codec-http2 (>=4.1.0.Beta4 <=4.1.0.Final)
io.netty:netty-codec-http2 MAVEN version =4.1.0.Beta4, =3.6.0, =0.0.0, =0.0.0, =0.0.0, =0.0.0, =0.0.1, =0.2.0, =1.0.0, =1.0.0, =1.3.0, =1.9.1 and more Source cves: CVE-2023-44487 Source advisory: OSV:GHSA-XPW8-RCWV-8F8P...
io.netty:netty-codec-http2 vulnerable to HTTP/2 Rapid Reset Attack
A client might overload the server by issuing frequent RST frames. This can cause a massive amount of load on the remote system and so cause a DDOS attack. Impact: This is a DDOS attack; any http2 server is affected, so you should update as soon as possible. Patches: This is patched in version...
com.atlan:package-toolkit-testing (>=5.3.1 <=6.1.2), com.buschmais.jqassistant.cli:jqassistant-commandline-neo4jv5 (>=2.6.0 <=2.8.0) +826 more potentially affected by CVE-2023-44487 via org.eclipse.jetty.http2:jetty-http2-common (>=12.0.0 <=12.0.19)
org.eclipse.jetty.http2:jetty-http2-common MAVEN version =12.0.0, =5.3.1, =2.6.0, =0.217, =0.217, =0.217, =0.217, =0.217, =0.217, =0.217, =0.217, =0.217, =0.217, =0.217, =0.217, =0.217, =0.223 and more Source cves: CVE-2023-44487 Source advisory: OSV:GHSA-QPPJ-FM5R-HXR3...
HTTP/2 Stream Cancellation Attack
HTTP/2 Rapid reset attack: The HTTP/2 protocol allows clients to indicate to the server that a previous stream should be canceled by sending a RST_STREAM frame. The protocol does not require the client and server to coordinate the cancellation in any way, the client may do it unilaterally. The clie...
Denial of Service (DoS)
Overview: apple/swift-nio-http2 is HTTP/2 support for SwiftNIO. Affected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request...
AZL-35297 CVE-2023-44487 affecting package telegraf for versions less than 1.27.3-3
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023...
AZL-34771 CVE-2023-44487 affecting package grpc for versions less than 1.42.0-7
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023...
AZL-31323 CVE-2023-44487 affecting package libcontainers-common for versions less than 20210626-2
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023...
AZL-31343 CVE-2023-44487 affecting package rook for versions less than 1.6.2-14
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023...
HTTP/2 Stream Cancellation Attack
HTTP/2 Rapid reset attack: The HTTP/2 protocol allows clients to indicate to the server that a previous stream should be canceled by sending a RST_STREAM frame. The protocol does not require the client and server to coordinate the cancellation in any way, the client may do it unilaterally. The clie...
PT-2023-6302 · Unknown +10 · Go Http2 Package +10
Name of the Vulnerable Software and Affected Versions: Go http2 package (affected versions not specified). Description: A malicious HTTP/2 client can cause excessive server resource consumption by rapidly creating requests and immediately resetting them. This allows the attacker to create a new...
Electrolink FM/DAB/TV Transmitter Pre-Auth MPFS Image Remote Code Execution Vulnerability
Electrolink FM/DAB/TV Transmitter allows access to an unprotected endpoint that allows an MPFS File System binary image upload without authentication. The MPFS2 file system module provides a light-weight read-only file system that can be stored in external EEPROM, external serial Flash, or intern...
Safari browser loading Web page failure when accessing HTTP2 LB Virtual Server
If ADM Web Insight Client Side Management (CSM) is enabled, only the Safari browser is unable to open Web pages via an HTTP2-enabled LB Virtual Server. If ADM Web Insight Client Side Management (CSM) is disabled, the issue does not occur. While other browsers (i.e. Firefox, Chrome) work fine regardless of the...
SUSE SLED15 / SLES15 / openSUSE 15 Security Update : sccache (SUSE-SU-2023:3526-1)
The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 / openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:3526-1 advisory. - An issue was discovered in the tokio crate before 1.8.4, and 1.9.x through 1.13.x before 1.13....
Important: amazon-ecr-credential-helper
Issue Overview: http2/hpack: avoid quadratic complexity in hpack decoding (CVE-2022-41723). Affected Packages: amazon-ecr-credential-helper. Note: This advisory is applicable to Amazon Linux 2 - Nitro-enclaves Extra. Visit this page to learn more about Amazon Linux 2 (AL2) Extras and this FAQ section f...