180 matches found
HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)
A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RSTSTREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any...
golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)
A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RSTSTREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any...
AZL-39637 CVE-2023-39325 affecting package kata-containers-cc for versions less than 3.2.0.azl4-1
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a ne...
AZL-43741 CVE-2023-39325 affecting package nmi 1.8.17-6
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a ne...
AZL-35096 CVE-2023-39325 affecting package packer for versions less than 1.9.5-1
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a ne...
Allocation of Resources Without Limits or Throttling
Overview std/net/http is a Go standard library package std/net/http Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling. Go Vulnerability Report: A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause...
AZL-31314 CVE-2023-44487 affecting package kata-containers for versions less than 3.1.0-8
The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023...
AZL-44124 CVE-2023-44487 affecting package podman for versions less than 5.6.1-2
The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023...
AZL-31332 CVE-2023-44487 affecting package nghttp2 for versions less than 1.57.0-1
The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023...
AZL-33343 CVE-2023-44487 affecting package helm for versions less than 3.14.0-1
The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023...
AZL-35117 CVE-2023-44487 affecting package prometheus-adapter for versions less than 0.10.0-2
The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023...
AZL-31346 CVE-2023-44487 affecting package sriov-network-device-plugin for versions less than 3.5.1-2
The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023...
gRPC 安全漏洞
gRPC is a modern, open source, high-performance Remote Procedure Call RPC framework from gRPC Open Source. A security vulnerability exists in gRPC that stems from the fact that when the gRPC HTTP2 stack throws a header size exceeded error, it skips parsing the rest of the HPACK frame. This causes...
golang: net/http: handle server errors after sending GOAWAY
A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown...
golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests
A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache...
AZL-25350 CVE-2022-41723 affecting package golang for versions less than 1.19.6-1
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests...
SUSE CVE-2019-0199
The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servle...
SUSE CVE-2020-9494
Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.10, and 8.0.0 to 8.0.7 is vulnerable to certain types of HTTP/2 HEADERS frames that can cause the server to allocate a large amount of memory and spin the thread...
SUSE CVE-2020-11653
An issue was discovered in Varnish Cache before 6.0.6 LTS, 6.1.x and 6.2.x before 6.2.3, and 6.3.x before 6.3.2. It occurs when communication with a TLS termination proxy uses PROXY version 2. There can be an assertion failure and daemon restart, which causes a performance loss...
SUSE CVE-2021-33193
A crafted method sent through HTTP/2 will bypass validation and be forwarded by modproxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48...