16 matches found
Fedora 39 : golang-github-tdewolff-argp / golang-github-tdewolff-minify / etc (2024-c3e32c5635)
The remote Fedora 39 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2024-c3e32c5635 advisory. Update to latest version. Security fix for CVE-2023-39325. Tenable has extracted the preceding description block directly from the Fedora security advisory. No...
Fedora 39 : golang-x-text (2024-b85b97c0e9)
The remote Fedora 39 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-b85b97c0e9 advisory. Update to v0.14.0, address CVE-2023-39325. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note tha...
Fedora 39 : golang-x-net (2024-5d8e87ec66)
The remote Fedora 39 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-5d8e87ec66 advisory. Update to v0.20.0 for CVE-2023-39325. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that...
Fedora 37 : podman-tui (2023-a5a5542890)
The remote Fedora 37 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-a5a5542890 advisory. podman-tui v0.12.0 + security fix for CVE-2023-39325, CVE-2022-41717 and CVE-2022-41723. Tenable has extracted the preceding description block...
Fedora 37 : pack (2023-5029b92850)
The remote Fedora 37 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2023-5029b92850 advisory. Fix for CVE-2023-39325. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not tested for...
Amazon Linux 2023 : ecs-init (ALAS2023-2023-434)
It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2023-434 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number. The descriptive text and package checks ...
Amazon Linux 2023 : cni-plugins (ALAS2023-2023-419)
It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2023-419 advisory. The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023...
Amazon Linux 2023 : oci-add-hooks (ALAS2023-2023-418)
It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2023-418 advisory. The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023...
Amazon Linux 2 : amazon-ecr-credential-helper (ALASNITRO-ENCLAVES-2023-033)
The version of amazon-ecr-credential-helper installed on the remote host is prior to 0.7.1-2. It is, therefore, affected by a vulnerability as referenced in the ALAS2NITRO-ENCLAVES-2023-033 advisory. The HTTP/2 protocol allows a denial of service server resource consumption because request...
Amazon Linux 2023 : runc (ALAS2023-2023-396)
It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2023-396 advisory. The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023...
Vulnerability in the Go http2 package that allows an attacker to cause a denial of service
The vulnerability in the Go programming language’s http2 package is an uncontrolled resource consumption on the server, caused by the incorrect setting of the Server.MaxConcurrentStreams parameter when processing request streams. Exploiting this vulnerability can allow a remote attacker to...
CVE-2023-39325
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a ne...
CVE-2023-39325
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a ne...
AZL-34622 CVE-2023-39325 affecting package containerized-data-importer for versions less than 1.57.0-8
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a ne...
Design/Logic Flaw
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a ne...
CVE-2023-39325
CVE-2023-39325 describes a DoS in HTTP/2 handling where a malicious client rapidly creates and resets requests, potentially exhausting server resources. The fix tightens per-connection concurrency handling: servers bound the number of executing handler goroutines to the stream-concurrency limit (...