
The Hacker News
added 2024/04/04 11:15 a.m. | 108 views

New HTTP/2 Vulnerability Exposes Web Servers to DoS Attacks

New research has found that the CONTINUATION frame in the HTTP/2 protocol can be exploited to conduct denial-of-service (DoS) attacks. The technique has been codenamed HTTP/2 CONTINUATION Flood by security researcher Bartek Nowotarski, who reported the issue to the CERT Coordination Center (CERT/CC) ...

CVSS 8.2 | AI score 6.6 | EPSS 0.94615
Exploits: 5
CNNVD
added 2024/04/04 12:00 a.m. | 7 views

Envoy Security Vulnerability

Envoy is an open source distributed proxy server. A security vulnerability exists in Envoy versions 1.29.0 and 1.29.1, which stems from the Envoy HTTP/2 stack being prone to running out of memory due to a flood of CONTINUATION frames...

CVSS 7.5 | AI score 7.9 | EPSS 0.86746
Exploits: 1 | References: 3
CNNVD
added 2024/04/04 12:00 a.m. | 7 views

Google Go Security Vulnerability

Google Go is a statically and strongly typed, compiled, concurrent, garbage-collected programming language from Google. A security vulnerability exists in Google Go. An attacker exploits the vulnerability to cause an HTTP/2 endpoint to read an arbitrary amount of header data by sending an...

CVSS 7.5 | AI score 7.3 | EPSS 0.91969
Exploits: 1 | References: 11
CNNVD
added 2024/04/04 12:00 a.m. | 5 views

Nghttp2 Security Vulnerability

Nghttp2 is a C library implementing HTTP/2, maintained by the Nghttp2 community. A security vulnerability exists in Nghttp2 versions prior to 1.61.0: the library reads an unlimited number of HTTP/2 CONTINUATION frames, which may result in excessive CPU utilization...

CVSS 5.3 | AI score 7.1 | EPSS 0.8496
Exploits: 1 | References: 13
FreeBSD
added 2024/04/04 12:00 a.m. | 27 views

forgejo -- HTTP/2 CONTINUATION flood in net/http

[email protected] reports: An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's heade...

CVSS 7.5 | AI score 6.9 | EPSS 0.91969
Exploits: 1 | References: 1
Snyk
added 2024/04/03 9:12 p.m. | 3 views

Allocation of Resources Without Limits or Throttling

Overview: std/net/http is a Go standard library package. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling. Go Vulnerability Report: An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an...

CVSS 8.7 | AI score 6.7 | EPSS 0.91969
Exploits: 1 | References: 3
OSV
added 2024/04/03 9:12 p.m. | 106 views

GO-2024-2687 HTTP/2 CONTINUATION flood in net/http

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no...

CVSS 7.5 | AI score 8.1 | EPSS 0.91969
Exploits: 1 | References: 3
OSV
added 2024/04/03 6:49 p.m. | 8 views

GHSA-W8GF-G2VQ-J2F4 amphp/http-client Denial of Service via HTTP/2 CONTINUATION Frames

Early versions of amphp/http-client with HTTP/2 support (v4.0.0-rc10 to 4.0.0) will collect HTTP/2 CONTINUATION frames in an unbounded buffer and will not check the header size limit until it has received the END_HEADERS flag, resulting in an OOM crash. Later versions of amphp/http-client (v4.1.0-rc1...

CVSS 8.2 | AI score 7.3
Exploits: 0 | References: 3
Github Security Blog
added 2024/04/03 6:49 p.m. | 15 views

amphp/http-client Denial of Service via HTTP/2 CONTINUATION Frames

Early versions of amphp/http-client with HTTP/2 support (v4.0.0-rc10 to 4.0.0) will collect HTTP/2 CONTINUATION frames in an unbounded buffer and will not check the header size limit until it has received the END_HEADERS flag, resulting in an OOM crash. Later versions of amphp/http-client (v4.1.0-rc1...

AI score 7.3
Exploits: 0 | References: 3 | Affected software: 1
OSV
added 2024/04/03 6:15 p.m. | 2 views

CVE-2024-2653

amphp/http will collect CONTINUATION frames in an unbounded buffer and will not check a limit until it has received the END_HEADERS flag, resulting in an OOM crash...

CVSS 8.2 | AI score 6 | EPSS 0.83244
Exploits: 1 | References: 4
NVD
added 2024/04/03 6:15 p.m. | 19 views

CVE-2024-2758

Tempesta FW rate limits are not enabled by default. They are either set too large to capture empty CONTINUATION frames attacks or too small to handle normal HTTP requests appropriately...

CVSS 6.3 | AI score 6.5 | EPSS 0.7275
Exploits: 0 | References: 3
OSV
added 2024/04/03 6:15 p.m. | 7 views

CVE-2024-2758

Tempesta FW rate limits are not enabled by default. They are either set too large to capture empty CONTINUATION frames attacks or too small to handle normal HTTP requests appropriately...

CVSS 6.3 | AI score 5.8 | EPSS 0.7275
Exploits: 0 | References: 3
OSV
added 2024/04/03 6:06 p.m. | 26 views

GHSA-QJFW-CVJF-F4FM AMPHP Denial of Service via HTTP/2 CONTINUATION Frames

amphp/http will collect HTTP/2 CONTINUATION frames in an unbounded buffer and will not check the header size limit until it has received the END_HEADERS flag, resulting in an OOM crash. amphp/http-client and amphp/http-server are indirectly affected if they're used with an unpatched version of...

CVSS 8.2 | AI score 7.8 | EPSS 0.83244
Exploits: 1 | References: 10
Github Security Blog
added 2024/04/03 6:06 p.m. | 35 views

AMPHP Denial of Service via HTTP/2 CONTINUATION Frames

amphp/http will collect HTTP/2 CONTINUATION frames in an unbounded buffer and will not check the header size limit until it has received the END_HEADERS flag, resulting in an OOM crash. amphp/http-client and amphp/http-server are indirectly affected if they're used with an unpatched version of...

CVSS 8.2 | AI score 7 | EPSS 0.83244
Exploits: 1 | References: 10 | Affected software: 2
CVE
added 2024/04/03 5:18 p.m. | 113 views

CVE-2024-2653

CVE-2024-2653 affects the AMPHP HTTP stack: amphp/http will accumulate HTTP/2 CONTINUATION frames in an unbounded buffer and only enforces a limit when END_HEADERS is seen, causing an out-of-memory crash. The issue also indirectly impacts amphp/http-client and amphp/http-server if used with an un...

CVSS 8.2 | AI score 7.8 | EPSS 0.83244
Exploits: 1 | References: 4
Vulnrichment
added 2024/04/03 5:17 p.m. | 12 views

CVE-2024-2758

Tempesta FW rate limits are not enabled by default. They are either set too large to capture empty CONTINUATION frames attacks or too small to handle normal HTTP requests appropriately...

AI score 6.9 | EPSS 0.7275
Exploits: 0 | References: 3
CVE
added 2024/04/03 5:17 p.m. | 105 views

CVE-2024-2758

CVE-2024-2758 concerns Tempesta FW. The vulnerability stems from how HTTP/2 CONTINUATION frames are handled when rate limits are not enabled by default, enabling potential denial-of-service via excessive CONTINUATION traffic (OOM/CPU exhaustion depending on implementation). The initial descriptio...

CVSS 6.3 | AI score 6.5 | EPSS 0.7275
Exploits: 0 | References: 3
OSV
added 2024/04/03 12:00 p.m. | 124 views

RUSTSEC-2024-0332 Degradation of service in h2 servers with CONTINUATION Flood

An attacker can send a flood of CONTINUATION frames, causing h2 to process them indefinitely. This results in an increase in CPU usage. Tokio task budget helps prevent this from a complete denial-of-service, as the server can still respond to legitimate requests, albeit with increased latency. Mo...

AI score 7
Exploits: 0 | References: 3
RustSec
added 2024/04/03 12:00 p.m. | 6 views

Degradation of service in h2 servers with CONTINUATION Flood

An attacker can send a flood of CONTINUATION frames, causing h2 to process them indefinitely. This results in an increase in CPU usage. Tokio task budget helps prevent this from a complete denial-of-service, as the server can still respond to legitimate requests, albeit with increased latency. Mo...

AI score 7
Exploits: 0 | Affected software: 1
CNNVD
added 2024/04/03 12:00 a.m. | 6 views

Apache Traffic Server Input Validation Error Vulnerability

Apache Traffic Server (ATS) is a scalable HTTP proxy and caching server from the Apache Software Foundation (United States). Apache Traffic Server suffers from an input validation error vulnerability that stems from CONTINUATION frame flooding in the HTTP/2 stack, which can be exploited by an attacke...

CVSS 7.5 | AI score 6.7 | EPSS 0.94615
Exploits: 1 | References: 9