181 matches found
SUSE CVE-2021-33193
A crafted method sent through HTTP/2 will bypass validation and be forwarded by modproxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48...
golang: net/http: handle server errors after sending GOAWAY
A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown...
golang: net/http: handle server errors after sending GOAWAY
A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown...
OESA-2023-1021 jetty security update
Jetty is a 100% Java HTTP Server and Servlet Container. This means that you do not need to configure and run a separate web server like Apache in order to use Java, servlets and JSPs to generate dynamic content. Jetty is a fully featured web server for static and dynamic content. Unlike separate...
golang: net/http: handle server errors after sending GOAWAY
A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown...
DEBIAN-CVE-2022-27664
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error...
CVE-2022-27664
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error...
UBUNTU-CVE-2021-3859
A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks...
Allocation of Resources Without Limits or Throttling
Overview std/net/http is a Go standard library package std/net/http Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling. Go Vulnerability Report: An attacker can cause unbounded memory growth in servers accepting HTTP/2 requests. Remediation...
Eclipse Jetty 安全漏洞
Eclipse Jetty is an open source, Java-based Web server and Java Servlet container from the Eclipse Foundation. A security vulnerability exists in Eclipse Jetty that originates from an invalid HTTP/2 request that could result in a denial of service and affects the following products and versions:...
PT-2022-10500 · Undertow · Undertow
Name of the Vulnerable Software and Affected Versions: Undertow versions prior to 2.0.40.Final Undertow versions prior to 2.2.11.Final Description: A flaw was found in Undertow, related to a potential security issue in flow control handling by the browser over HTTP/2, which may cause overhead or ...
USN-5313-2 openjdk-lts regression
USN-5313-1 fixed vulnerabilities and added features in OpenJDK. Unfortunately, that update introduced a regression in OpenJDK 11 that could impact interoperability with some popular HTTP/2 servers making it unable to connect to said servers. This update fixes the problem. We apologize for the...
Vmware VMware Spring Cloud Gateway 信任管理问题漏洞
Vmware VMware Spring Cloud Gateway is a gateway component from Vmware, Inc. A trust management issue vulnerability exists in VMware Spring Cloud Gateway that stems from a security bypass issue when using the HTTP2 insecure TrustManager. A local user can send a specially crafted request and connec...
AZL-33571 CVE-2021-44716 affecting package cf-cli for versions less than 8.4.0-16
net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests...
AZL-33607 CVE-2021-44716 affecting package libcontainers-common for versions less than 20210626-3
net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests...
golang: net/http: limit growth of header canonicalization cache
There's an uncontrolled resource consumption flaw in golang's net/http library in the canonicalHeader function. An attacker who submits specially crafted requests to applications linked with net/http's http2 functionality could cause excessive resource consumption that could lead to a denial of...
Mozilla: Opportunistic Encryption in HTTP2 could be used to bypass the Same-Origin-Policy on services hosted on other ports
The Mozilla Foundation Security Advisory describes this flaw as: The Opportunistic Encryption feature of HTTP2 RFC 8164 allows a connection to be transparently upgraded to TLS while retaining the visual properties of an HTTP connection, including being same-origin with unencrypted connections on...
nodejs: Use-after-free on close http2 on stream canceling
A flaw was found in Node.js, where it is vulnerable to a use-after-free attack. This flaw allows an attacker to exploit the memory corruption, which causes a change in the process behavior. The highest threat from this vulnerability is to confidentiality and integrity...
USN-5042-1 haproxy vulnerabilities
It was discovered that HAProxy incorrectly handled the HTTP/2 protocol. A remote attacker could possibly use this issue to bypass restrictions...
tomcat: specially crafted sequence of HTTP/2 requests can lead to DoS
A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become...