SUSE CVE-2017-9789

When under stress, closing many connections, the HTTP/2 handling code in Apache httpd 2.4.26 would sometimes access memory after it has been freed, resulting in potentially erratic behaviour...

SUSE CVE-2018-1302

When an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.30 could have written a NULL pointer potentially to an already freed memory. The memory pools maintained by the server make this vulnerability hard to trigger in usual configurations, the reporter...

SUSE CVE-2018-7161

All versions of Node.js 8.x, 9.x, and 10.x are vulnerable and the severity is HIGH. An attacker can cause a denial of service DoS by causing a node server providing an http2 server to crash. This can be accomplished by interacting with the http2 server in a manner that triggers a cleanup bug wher...

SUSE CVE-2018-14645

A flaw was discovered in the HPACK decoder of HAProxy, before 1.8.14, that is used for HTTP/2. An out-of-bounds read access in hpackvalididx resulted in a remote crash and denial of service...

SUSE CVE-2020-12604

Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier is susceptible to increased memory usage in the case where an HTTP/2 client requests a large payload but does not send enough window updates to consume the entire stream and does not reset the stream...

SUSE CVE-2020-12603

Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier may consume excessive amounts of memory when proxying HTTP/2 requests or responses with many small i.e. 1 byte data frames...

SUSE CVE-2021-41524

While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49. No exploit is known to the project...

SUSE CVE-2021-43826

Envoy is an open source edge and service proxy, designed for cloud-native applications. In affected versions of Envoy a crash occurs when configured for :ref:upstream tunneling and the downstream connection disconnects while the the upstream connection or http/2 stream is still being established...

Command Injection

is-http2 is vulnerable to Command Injection. The vulnerability exists in the Promise function of index.js due to missing input sanitization which allows an attacker to inject and execute arbitrary commands into the system...

Security Bulletin: Vulnerability in http2-common affects IBM Process Mining (Multiple CVEs)

Summary There is a vulnerability in http2-common that could allow an attacker to launch a DOS attack. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. Vulnerability Details CVEID:CVE-2019-9517 DESCRIPTION: Multiple vendors...

is-http2 vulnerable to Improper Input Validation

All versions of the package is-http2 are vulnerable to Command Injection due to missing input sanitization or other checks, and sandboxes being employed to the isH2 function...

grunt-yellowlabtools (>=0.0.1 <=1.2.1), install-is (>=1.4.0 <=1.4.2) +3 more potentially affected by CVE-2022-25906 via is-http2 (>=1.0.4 <=1.2.0)

is-http2 NPM version =1.0.4, =0.0.1, =1.4.0, =1.0.0, =1.10.0, =1.13.4 Source cves: CVE-2022-25906 Source advisory: OSV:GHSA-2275-RPF5-XV8H...

CVE-2022-25906

All versions of the package is-http2 are vulnerable to Command Injection due to missing input sanitization or other checks, and sandboxes being employed to the isH2 function...

CVE-2022-25906

CVE-2022-25906 affects the JavaScript package is-http2. The vulnerability is a Command Injection in the isH2-related handling due to missing input sanitization in the module’s code (index.js). Several sources describe that all versions are vulnerable and that using the sandboxed isH2 path does no...

CVE-2022-25906

All versions of the package is-http2 are vulnerable to Command Injection due to missing input sanitization or other checks, and sandboxes being employed to the isH2 function...

is-http2 操作系统命令注入漏洞

is-http2 is an application by Stefan Judis personal developer. A simple module for checking whether certain servers support HTTP/2. An operating system command injection vulnerability exists in is-http2, which stems from a lack of input cleanup or other checks and the use of sandboxing by the isH...

SUSE-SU-2023:0153-1 Security update for haproxy

This update for haproxy fixes the following issues: - CVE-2023-0056: Fixed a server crash that could be triggered via a malformed HTTP/2 frame bsc1207181...

HTTP Request Smuggling

golang.org/x/net/http2/h2c is vulnerable to HTTP Request Smuggling. The vulnerability exists in the h2cUpgrade function of h2c.go because it does not properly handle errors when reading the HTTP2 frames from the HTTP/1 request body using MaxBytesHandler, which allows an attacker to send arbitrary...

openSUSE 15 Security Update : netty (SUSE-SU-2022:1315-1)

The remote openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE- SU-2022:1315-1 advisory. - Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers &...

CVE-2022-41721

A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead read the body of the HTTP request, which could be attacker-manipulat...