Lucene search
K

54 matches found

RedHat Linux
RedHat Linux
added 2025/07/01 2:34 p.m.5 views

jetty-http2-common: Jetty HTTP/2 Header List Size Vulnerability

A flaw was found in Eclipse Jetty. This vulnerability allows denial of service attack via an HTTP/2 client specifying a very large value for the SETTINGSMAXHEADERLISTSIZE parameter...

7.5CVSS7AI score0.00625EPSS
Exploits0References6
OSV
OSV
added 2025/03/18 5:31 p.m.6 views

CLSA-2025-1742319076 Fix CVE(s): CVE-2023-44487

SECURITY UPDATE: The HTTP/2 protocol allows a denial of service because request cancellation can reset many streams quickly - debian/patches/CVE-2023-44487.patch: HTTP/2 - per-iteration stream handling limit. - CVE-2023-44487...

7.5CVSS7.1AI score0.99999EPSS
Exploits19References1
RedHat Linux
RedHat Linux
added 2024/05/20 2:14 a.m.4 views

nodejs: CONTINUATION frames DoS

A vulnerability was found in how Node.js implements the HTTP/2 protocol. There are insufficient limitations placed on the amount of CONTINUATION frames that can be sent within a single stream. This issue could allow an unauthenticated, remote attacker to send packets to vulnerable servers, which...

8.2CVSS7.3AI score0.87211EPSS
Exploits1References7
OSV
OSV
added 2024/04/04 9:15 p.m.7 views

AZL-39202 CVE-2023-45288 affecting package packer for versions less than 1.10.1-2

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no...

7.5CVSS7AI score0.91969EPSS
Exploits1References1
OSV
OSV
added 2024/04/04 7:41 p.m.8 views

CVE-2024-30255 HTTP/2: CPU exhaustion due to CONTINUATION frame flood

Envoy is a cloud-native, open source edge and service proxy. The HTTP/2 protocol stack in Envoy versions prior to 1.29.3, 1.28.2, 1.27.4, and 1.26.8 are vulnerable to CPU exhaustion due to flood of CONTINUATION frames. Envoy's HTTP/2 codec allows the client to send an unlimited number of...

5.3CVSS6.8AI score0.8781EPSS
Exploits1References6
CNNVD
CNNVD
added 2024/04/03 12:0 a.m.7 views

Apache Traffic Server 输入验证错误漏洞

Apache Traffic Server ATS is the United States Apache Apache Foundation's set of scalable HTTP proxy and caching server. Apache Traffic Server suffers from an input validation error vulnerability that stems from continuation frame flooding in the HTTP/2 stack, which can be exploited by an attacke...

7.5CVSS6.7AI score0.94615EPSS
Exploits1References9
BDU FSTEC
BDU FSTEC
added 2023/10/26 12:0 a.m.6 views

The vulnerability of the Apache HTTP Server web server, related to blocking HTTP/2 connection processing, allows a attacker to cause a service failure.

The vulnerability of the Apache HTTP Server is related to the blocking of HTTP/2 connection processing, if the initial window size is set to 0. Exploiting this vulnerability can allow a remote attacker to cause a service failure...

7.8CVSS7.2AI score0.70595EPSS
Exploits0References12Affected Software6
RedHat Linux
RedHat Linux
added 2023/10/19 1:15 p.m.8 views

HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)

A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RSTSTREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any...

7.5CVSS6.7AI score0.99999EPSS
Exploits19References10
RedHat Linux
RedHat Linux
added 2023/10/18 10:56 p.m.11 views

HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)

A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RSTSTREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any...

7.5CVSS6.7AI score0.99999EPSS
Exploits19References10
OSV
OSV
added 2023/10/10 2:15 p.m.17 views

AZL-31332 CVE-2023-44487 affecting package nghttp2 for versions less than 1.57.0-1

The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023...

7.5CVSS7.1AI score0.99999EPSS
Exploits19References1
OSV
OSV
added 2023/10/10 2:15 p.m.10 views

AZL-44124 CVE-2023-44487 affecting package podman for versions less than 5.6.1-2

The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023...

7.5CVSS6.7AI score0.99999EPSS
Exploits19References1
RedHat Linux
RedHat Linux
added 2023/05/18 12:39 a.m.6 views

golang: net/http: handle server errors after sending GOAWAY

A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown...

7.5CVSS6.6AI score0.02513EPSS
Exploits0References6
OSV
OSV
added 2023/02/28 6:15 p.m.7 views

AZL-25350 CVE-2022-41723 affecting package golang for versions less than 1.19.6-1

A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests...

7.5CVSS6.7AI score0.04561EPSS
Exploits0References1
SUSE CVE
SUSE CVE
added 2023/02/15 4:0 a.m.2 views

SUSE CVE-2020-9494

Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.10, and 8.0.0 to 8.0.7 is vulnerable to certain types of HTTP/2 HEADERS frames that can cause the server to allocate a large amount of memory and spin the thread...

7.5CVSS7.2AI score0.03909EPSS
Exploits0References3
Snyk
Snyk
added 2022/07/15 11:8 p.m.2 views

Allocation of Resources Without Limits or Throttling

Overview std/net/http is a Go standard library package std/net/http Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling. Go Vulnerability Report: An attacker can cause unbounded memory growth in servers accepting HTTP/2 requests. Remediation...

8.7CVSS6.8AI score0.03958EPSS
Exploits0References3
RedHat Linux
RedHat Linux
added 2021/11/04 5:3 p.m.3 views

Mozilla: Opportunistic Encryption in HTTP2 could be used to bypass the Same-Origin-Policy on services hosted on other ports

The Mozilla Foundation Security Advisory describes this flaw as: The Opportunistic Encryption feature of HTTP2 RFC 8164 allows a connection to be transparently upgraded to TLS while retaining the visual properties of an HTTP connection, including being same-origin with unencrypted connections on...

6.5CVSS7.2AI score0.00805EPSS
Exploits0References4
OSV
OSV
added 2021/08/17 5:1 p.m.4 views

USN-5042-1 haproxy vulnerabilities

It was discovered that HAProxy incorrectly handled the HTTP/2 protocol. A remote attacker could possibly use this issue to bypass restrictions...

5.3CVSS6AI score0.0177EPSS
Exploits0References2
RedHat Linux
RedHat Linux
added 2021/02/11 1:51 p.m.4 views

tomcat: HTTP/2 request header mix-up

While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this...

7.5CVSS7.2AI score0.24622EPSS
Exploits0References7
RedHat Linux
RedHat Linux
added 2021/01/07 11:49 a.m.6 views

tomcat: specially crafted sequence of HTTP/2 requests can lead to DoS

A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become...

7.5CVSS7.2AI score0.26699EPSS
Exploits0References8
CNVD
CNVD
added 2020/09/22 12:0 a.m.4 views

IBM DataPower Gateway Denial of Service Vulnerability (CNVD-2020-54936)

IBM DataPower Gateway is a suite of security and integration platforms from IBM USA designed specifically for mobile, cloud, application programming interfaces APIs, web, service-oriented architecture SOA, B2B and cloud workloads. The platform protects, integrates and optimizes access across...

7.5CVSS6.6AI score0.0224EPSS
Exploits0References1
Rows per page
Query Builder