1391 matches found

Tenable Nessus
added 2023/10/14 12:0 a.m.

FreeBSD : traefik -- Resource exhaustion by malicious HTTP/2 client (7a1b2624-6a89-11ee-af06-5404a68ad561)

The version of FreeBSD installed on the remote host is prior to the tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 7a1b2624-6a89-11ee-af06-5404a68ad561 advisory. - A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cau...

CVSS 7.5 | AI score 7.3 | EPSS 0.94395
Exploits 19 | References 4
Veracode
added 2023/10/13 9:18 a.m.

Denial Of Service (DoS)

Golang.org/x/net is vulnerable to Denial of Service (DoS). This vulnerability exists due to a flaw which allows a user to send a request and quickly cancel it. The http2.Server.MaxConcurrentStreams setting limits the number of allowed in-flight requests, but does not handle the situation of resetting the...

CVSS 7.5 | AI score 6.6 | EPSS 0.0015
Exploits 0 | References 47 | Affected Software 2
OSV
added 2023/10/11 10:15 p.m.

AZL-34996 CVE-2023-39325 affecting package moby-containerd-cc for versions less than 1.7.1-5

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a ne...

CVSS 7.5 | AI score 6.6 | EPSS 0.0015
Exploits 0 | References 1
OSV
added 2023/10/11 10:15 p.m.

AZL-34622 CVE-2023-39325 affecting package containerized-data-importer for versions less than 1.57.0-8

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a ne...

CVSS 7.5 | AI score 6.6 | EPSS 0.0015
Exploits 0 | References 1
OSV
added 2023/10/11 10:15 p.m.

AZL-35302 CVE-2023-39325 affecting package telegraf for versions less than 1.27.3-3

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a ne...

CVSS 7.5 | AI score 6.6 | EPSS 0.0015
Exploits 0 | References 1
OSV
added 2023/10/11 10:15 p.m.

AZL-50339 CVE-2023-39325 affecting package prometheus for versions less than 2.37.9-2

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a ne...

CVSS 7.5 | AI score 6.6 | EPSS 0.0015
Exploits 0 | References 1
OSV
added 2023/10/11 10:15 p.m.

AZL-35121 CVE-2023-39325 affecting package prometheus-adapter for versions less than 0.12.0-1

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a ne...

CVSS 7.5 | AI score 6.6 | EPSS 0.0015
Exploits 0 | References 1
OSV
added 2023/10/11 10:15 p.m.

CVE-2023-39325

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a ne...

CVSS 7.5 | AI score 6.9
Exploits 0 | References 43
Debian CVE
added 2023/10/11 9:15 p.m.

CVE-2023-39325

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a ne...

CVSS 7.5 | AI score 6.6 | EPSS 0.0015
Exploits 0
CVE
added 2023/10/11 9:15 p.m.

CVE-2023-39325

CVE-2023-39325 describes a DoS in HTTP/2 handling where a malicious client rapidly creates and resets requests, potentially exhausting server resources. The fix tightens per-connection concurrency handling: servers bound the number of executing handler goroutines to the stream-concurrency limit (...

CVSS 7.5 | AI score 7.3 | EPSS 0.0015
Exploits 0 | References 43 | Affected Software 2
Github Security Blog
added 2023/10/11 8:35 p.m.

HTTP/2 rapid reset can cause excessive work in net/http

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a ne...

CVSS 7.5 | AI score 7.7 | EPSS 0.0015
Exploits 0 | References 46 | Affected Software 1
OSV
added 2023/10/11 4:49 p.m.

GO-2023-2102 HTTP/2 rapid reset can cause excessive work in net/http

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a ne...

CVSS 7.5 | AI score 7.7 | EPSS 0.94395
Exploits 19 | References 4
RedhatCVE
added 2023/10/11 10:42 a.m.

CVE-2023-36478

A flaw was found in Jetty http2-hpack and http3-qpack. If header values exceed the size limit and Huffman is true, MetaDataBuilder.checkSize allows the multiplication to overflow, and the length will become negative, causing a large buffer allocation on the server, leading to a Denial of Service (DoS)...

CVSS 7.5 | AI score 7.3 | EPSS 0.01866
Exploits 1 | References 8
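The Red Hat entry above describes an integer-overflow bypass of a size check: when Huffman coding is in use, the declared header length is scaled by an expansion factor in 32-bit arithmetic, the product wraps negative, and the "too large" comparison passes, after which the decoder allocates a buffer sized by the original declared length. The Go program below is an added example written for this page, not Jetty's code; it models the described check with a vulnerable and a hardened version side by side. The 4/3 expansion factor, the function names, the 8192-byte budget and the sample lengths are assumptions chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrHeaderTooLarge is returned when a header value would exceed the budget.
var ErrHeaderTooLarge = errors.New("hpack: header value too large")

// huffmanAdjustWrapping scales a declared length by an assumed 4/3 worst-case
// Huffman expansion factor using 32-bit arithmetic. Go's int32 multiplication
// wraps silently, so a large declared length comes out negative: this is the
// flaw the advisory describes, not Jetty's actual code.
func huffmanAdjustWrapping(length int32) int32 {
	return (length * 4) / 3
}

// VulnerableCheckSize models the described bug. The limit check is performed on
// the (possibly wrapped) adjusted length, so a negative value always passes, and
// the caller then allocates according to the declared length. It returns the
// number of bytes the caller would allocate, or an error if the check rejects.
func VulnerableCheckSize(current, declared, maxSize int32, huffman bool) (int32, error) {
	length := declared
	if huffman {
		length = huffmanAdjustWrapping(length)
	}
	if current+length > maxSize {
		return 0, ErrHeaderTooLarge
	}
	return declared, nil // allocation proceeds using the declared length
}

// HardenedCheckSize rejects out-of-range inputs before doing any arithmetic and
// performs the expansion in 64-bit, so neither step can wrap.
func HardenedCheckSize(current, declared, maxSize int32, huffman bool) (int32, error) {
	if declared < 0 || current < 0 || maxSize < 0 || declared > maxSize-current {
		return 0, ErrHeaderTooLarge
	}
	adjusted := int64(declared)
	if huffman {
		adjusted = (adjusted * 4) / 3
	}
	if int64(current)+adjusted > int64(maxSize) {
		return 0, ErrHeaderTooLarge
	}
	return declared, nil
}

func main() {
	const maxSize = 8192
	// Constructed inputs: a legitimate 100-byte value, and a hostile declared
	// length chosen so that length*4 wraps to a negative int32.
	for _, declared := range []int32{100, 0x60000000} {
		v, verr := VulnerableCheckSize(0, declared, maxSize, true)
		h, herr := HardenedCheckSize(0, declared, maxSize, true)
		fmt.Printf("declared=%d vulnerable=(%d, %v) hardened=(%d, %v)\n",
			declared, v, verr, h, herr)
	}
}
```

With the hostile length, the vulnerable check reports that roughly 1.6 GB may be allocated while the hardened check rejects the value before any arithmetic runs; the general rule is to bound untrusted lengths against the budget first and only then apply scaling, in a wider type.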
vulnersOsv
added 2023/10/10 10:22 p.m.

com.ericsson.research.trap.transports:wshttp-server-netty (=1.4.2), com.github.kristofa:brave-grpc (>=3.6.0 <=3.7.0) +95 more potentially affected by CVE-2023-44487 via io.netty:netty-codec-http2 (>=4.1.0.Beta4 <=4.1.0.Final)

io.netty:netty-codec-http2 (Maven), versions =4.1.0.Beta4, =3.6.0, =0.0.0, =0.0.0, =0.0.0, =0.0.0, =0.0.1, =0.2.0, =1.0.0, =1.0.0, =1.3.0, =1.9.1 and more. Source CVEs: CVE-2023-44487. Source advisory: OSV:GHSA-XPW8-RCWV-8F8P...

CVSS 7.5 | AI score 7.1 | EPSS 0.94395
Exploits 19
Github Security Blog
added 2023/10/10 10:22 p.m.

io.netty:netty-codec-http2 vulnerable to HTTP/2 Rapid Reset Attack

A client might overload the server by issuing frequent RST frames. This can cause a massive amount of load on the remote system and so cause a DDoS attack. Impact: This is a DDoS attack; any HTTP/2 server is affected, so you should update as soon as possible. Patches: This is patched in version...

CVSS 7.5 | AI score 6.8 | EPSS 0.94395
Exploits 19 | References 6 | Affected Software 1
vulnersOsv
added 2023/10/10 9:28 p.m.

com.atlan:package-toolkit-testing (>=5.3.1 <=6.1.2), com.buschmais.jqassistant.cli:jqassistant-commandline-neo4jv5 (>=2.6.0 <=2.8.0) +826 more potentially affected by CVE-2023-44487 via org.eclipse.jetty.http2:jetty-http2-common (>=12.0.0 <=12.0.19)

org.eclipse.jetty.http2:jetty-http2-common (Maven), versions =12.0.0, =5.3.1, =2.6.0, =0.217, =0.217, =0.217, =0.217, =0.217, =0.217, =0.217, =0.217, =0.217, =0.217, =0.217, =0.217, =0.217, =0.223 and more. Source CVEs: CVE-2023-44487. Source advisory: OSV:GHSA-QPPJ-FM5R-HXR3...

CVSS 7.5 | AI score 7.1 | EPSS 0.94395
Exploits 19
Github Security Blog
added 2023/10/10 9:28 p.m.

HTTP/2 Stream Cancellation Attack

HTTP/2 Rapid Reset attack. The HTTP/2 protocol allows clients to indicate to the server that a previous stream should be canceled by sending a RST_STREAM frame. The protocol does not require the client and server to coordinate the cancellation in any way; the client may do it unilaterally. The clie...

CVSS 7.5 | AI score 7.2 | EPSS 0.94395
Exploits 19 | References 190 | Affected Software 12
Snyk
added 2023/10/10 2:47 p.m.

Denial of Service (DoS)

Overview: apple/swift-nio-http2 provides HTTP/2 support for SwiftNIO. Affected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service, including via DDoS, by rapidly resetting many streams through request...

CVSS 8.7 | AI score 7.2 | EPSS 0.94395
Exploits 19 | References 4
OSV
added 2023/10/10 2:15 p.m.

AZL-31323 CVE-2023-44487 affecting package libcontainers-common for versions less than 20210626-2

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023...

CVSS 7.5 | AI score 6.7 | EPSS 0.94395
Exploits 19 | References 1
OSV
added 2023/10/10 2:15 p.m.

AZL-31343 CVE-2023-44487 affecting package rook for versions less than 1.6.2-14

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023...

CVSS 7.5 | AI score 7 | EPSS 0.94395
Exploits 19 | References 1
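The rapid reset entries above describe the mechanism in prose: SETTINGS_MAX_CONCURRENT_STREAMS caps the number of open streams, but a client that sends HEADERS and RST_STREAM back to back frees its slot before the cap is ever reached, so the server dispatches a handler per request with no effective bound. The Go program below is an added example written for this page, not code from any of the projects listed; it replays a constructed trace of open-and-cancel frames against a small model of one server connection's accounting and shows (a) that the stream cap alone never triggers for such a client while the server still starts every handler, and (b) the effect of a per-connection RST_STREAM budget, the kind of mitigation several servers shipped in response. The frame types, the Conn accounting, the MaxResets knob and the trace are all assumptions of this example; the Go net/http fix summarized in the CVE entry (bounding executing handler goroutines to the stream limit) is a different mitigation and is not modeled here.

```go
package main

import "fmt"

// FrameKind enumerates the abstract events in the constructed trace. These are
// not HTTP/2 wire frames, only the two events that matter for the accounting.
type FrameKind int

const (
	Headers   FrameKind = iota // client opens a stream carrying a request
	RstStream                  // client unilaterally cancels the stream
)

// Frame is one event in the trace.
type Frame struct {
	Kind     FrameKind
	StreamID uint32
}

// Conn models the server-side accounting of one HTTP/2 connection (assumed model).
type Conn struct {
	MaxConcurrentStreams int // SETTINGS_MAX_CONCURRENT_STREAMS the server advertised
	MaxResets            int // assumed mitigation knob: RST_STREAM budget, 0 = unlimited

	open    map[uint32]bool
	resets  int
	Started int  // handlers dispatched: the work the server actually performed
	Refused int  // HEADERS refused because the open-stream cap was reached
	Closed  bool // server tore the connection down (GOAWAY)
}

// NewConn returns an idle connection with the given limits.
func NewConn(maxStreams, maxResets int) *Conn {
	return &Conn{MaxConcurrentStreams: maxStreams, MaxResets: maxResets, open: map[uint32]bool{}}
}

// Process applies one frame. MaxConcurrentStreams caps *open* streams, but a
// RST_STREAM frees the slot immediately, so an open-then-cancel client never
// trips the cap even though a handler was started for every request.
func (c *Conn) Process(f Frame) {
	if c.Closed {
		return
	}
	switch f.Kind {
	case Headers:
		if len(c.open) >= c.MaxConcurrentStreams {
			c.Refused++ // server would answer RST_STREAM(REFUSED_STREAM)
			return
		}
		c.open[f.StreamID] = true
		c.Started++ // request handler dispatched
	case RstStream:
		if !c.open[f.StreamID] {
			return
		}
		delete(c.open, f.StreamID)
		c.resets++
		if c.MaxResets > 0 && c.resets > c.MaxResets {
			c.Closed = true // reset budget exhausted: GOAWAY(ENHANCE_YOUR_CALM)
		}
	}
}

// RapidResetTrace builds a constructed client trace of n requests, each opened
// and immediately cancelled, on odd (client-initiated) stream IDs.
func RapidResetTrace(n int) []Frame {
	fs := make([]Frame, 0, 2*n)
	for i := 0; i < n; i++ {
		id := uint32(2*i + 1)
		fs = append(fs, Frame{Headers, id}, Frame{RstStream, id})
	}
	return fs
}

// Run replays a trace against a fresh connection and returns its final state.
func Run(trace []Frame, maxStreams, maxResets int) *Conn {
	c := NewConn(maxStreams, maxResets)
	for _, f := range trace {
		c.Process(f)
	}
	return c
}

func main() {
	trace := RapidResetTrace(10000)
	unlimited := Run(trace, 100, 0)
	budgeted := Run(trace, 100, 200)
	fmt.Printf("no reset budget:  handlers started=%d refused=%d closed=%v\n",
		unlimited.Started, unlimited.Refused, unlimited.Closed)
	fmt.Printf("reset budget 200: handlers started=%d refused=%d closed=%v\n",
		budgeted.Started, budgeted.Refused, budgeted.Closed)
}
```

With a cap of 100 streams and no reset budget, all 10000 handlers start and nothing is ever refused; with a budget of 200 resets the connection is closed after 201 handlers. A real deployment should count resets per time window rather than per connection lifetime, and should also bound work that has already been dispatched, which is what the net/http change does.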