CVSS: 7.5EPSS: 81%CPEs: 444EXPL: 7CVE-2023-44487 – HTTP/2 Rapid Reset Attack Vulnerability
https://notcve.org/view.php?id=CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. El protocolo HTTP/2 permite una denegación de servicio (consumo de recursos del servidor) porque la cancelación de solicitudes puede restablecer muchas transmisiones rápidamente, como se explotó en la naturaleza entre agosto y octubre de 2023. A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. • https://github.com/imabee101/CVE-2023-44487 https://github.com/studiogangster/CVE-2023-44487 https://github.com/bcdannyboy/CVE-2023-44487 https://github.com/sigridou/CVE-2023-44487- https://github.com/ByteHackr/CVE-2023-44487 https://github.com/ReToCode/golang-CVE-2023-44487 http://www.openwall.com/lists/oss-security/2023/10/13/4 http://www.openwall.com/lists/oss-security/2023/10/13/9 http://www.openwall.com/lists/oss-security/2023/10/18/4 http://www. • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 6%CPEs: 2EXPL: 3CVE-2021-42697 – Akka HTTP 10.1.14 - Denial of Service
https://notcve.org/view.php?id=CVE-2021-42697
Akka HTTP 10.1.x before 10.1.15 and 10.2.x before 10.2.7 can encounter stack exhaustion while parsing HTTP headers, which allows a remote attacker to conduct a Denial of Service attack by sending a User-Agent header with deeply nested comments. Akka HTTP 10.1.x antes de 10.1.15 y 10.2.x antes de 10.2.7 pueden encontrar agotamiento de la pila mientras analizan las cabeceras HTTP, lo que permite a un atacante remoto llevar a cabo un ataque de denegación de servicio mediante el envío de una cabecera User-Agent con comentarios profundamente anidados Akka HTTP version 10.1.14 suffers from a denial of service vulnerability. • https://www.exploit-db.com/exploits/50892 https://github.com/cxosmo/CVE-2021-42697 http://packetstormsecurity.com/files/167018/Akka-HTTP-10.1.14-Denial-Of-Service.html https://akka.io/blog https://akka.io/blog/news/2021/11/02/akka-http-10.2.7-released https://akka.io/blog/news/2021/11/22/akka-http-10.1.15-released https://doc.akka.io/docs/akka-http/current/security/2021-CVE-2021-42697-stack-overflow-parsing-user-agent.html • CWE-674: Uncontrolled Recursion •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-1000118
https://notcve.org/view.php?id=CVE-2017-1000118
Akka HTTP versions <= 10.0.5 Illegal Media Range in Accept Header Causes StackOverflowError Leading to Denial of Service Akka HTTP en su versión 10.0.5 y anteriores tiene una vulnerabilidad en Illegal Media Range en Accept Header que causa un error de desbordamiento de pila que desemboca en una denegación de servicio (DoS). • https://doc.akka.io/docs/akka-http/10.0.6/security/2017-05-03-illegal-media-range-in-accept-header-causes-stackoverflowerror.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 9.3EPSS: 4%CPEs: 2EXPL: 0CVE-2017-1000034
https://notcve.org/view.php?id=CVE-2017-1000034
Akka versions <=2.4.16 and 2.5-M1 are vulnerable to a java deserialization attack in its Remoting component resulting in remote code execution in the context of the ActorSystem. En Akka versiones anteriores e incluyendo a 2.4.16 y 2.5-M1, son vulnerables a un ataque de deserialización java en el componente Remoting, resultando en la ejecución de código remota en el contexto del ActorSystem. • http://doc.akka.io/docs/akka/2.4/security/2017-02-10-java-serialization.html • CWE-502: Deserialization of Untrusted Data •