CVSS: 3.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45403 – H2O assertion failure when HTTP/3 requests are cancelled
https://notcve.org/view.php?id=CVE-2024-45403
h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When h2o is configured as a reverse proxy and HTTP/3 requests are cancelled by the client, h2o might crash due to an assertion failure. The crash can be exploited by an attacker to mount a Denial-of-Service attack. By default, the h2o standalone server automatically restarts, minimizing the impact. However, HTTP requests that were served concurrently will still be disrupted. • https://github.com/h2o/h2o/commit/16b13eee8ad7895b4fe3fcbcabee53bd52782562 https://github.com/h2o/h2o/commit/1ed32b23f999acf0c5029f09c8525f93eb1d354c https://github.com/h2o/h2o/security/advisories/GHSA-4xp5-3jhc-3m92 https://h2o.examp1e.net/configure/http3_directives.html • CWE-617: Reachable Assertion •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45397 – H2O alllows bypassing address-based access control with 0-RTT
https://notcve.org/view.php?id=CVE-2024-45397
h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When an HTTP request using TLS/1.3 early data on top of TCP Fast Open or QUIC 0-RTT packets is received and the IP-address-based access control is used, the access control does not detect and prohibit HTTP requests conveyed by packets with a spoofed source address. This behavior allows attackers on the network to execute HTTP requests from addresses that are otherwise rejected by the address-based access control. The vulnerability has been addressed in commit 15ed15a. Users may disable the use of TCP FastOpen and QUIC to mitigate the issue. • https://github.com/h2o/h2o/commit/15ed15a2efb83a77bb4baaa5a119e639c2f6898a https://github.com/h2o/h2o/security/advisories/GHSA-jf2c-xjcp-wg4c https://h2o.examp1e.net/configure/http3_directives.html • CWE-284: Improper Access Control •
CVSS: 3.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-25622 – H2O ignores headers configuration directives
https://notcve.org/view.php?id=CVE-2024-25622
h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. The configuration directives provided by the headers handler allows users to modify the response headers being sent by h2o. The configuration file of h2o has scopes, and the inner scopes (e.g., path level) are expected to inherit the configuration defined in outer scopes (e.g., global level). However, if a header directive is used in the inner scope, all the definition in outer scopes are ignored. This can lead to headers not being modified as expected. • https://github.com/h2o/h2o/commit/123f5e2b65dcdba8f7ef659a00d24bd1249141be https://github.com/h2o/h2o/issues/3332 https://github.com/h2o/h2o/security/advisories/GHSA-5m7v-cj65-h6pj • CWE-670: Always-Incorrect Control Flow Implementation •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2023-50247 – h2o QUIC state exhaustion DoS
https://notcve.org/view.php?id=CVE-2023-50247
h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. The QUIC stack (quicly), as used by H2O up to commit 43f86e5 (in version 2.3.0-beta and prior), is susceptible to a state exhaustion attack. When H2O is serving HTTP/3, a remote attacker can exploit this vulnerability to progressively increase the memory retained by the QUIC stack. This can eventually cause H2O to abort due to memory exhaustion. The vulnerability has been resolved in commit d67e81d03be12a9d53dc8271af6530f40164cd35. • https://github.com/h2o/h2o/commit/d67e81d03be12a9d53dc8271af6530f40164cd35 https://github.com/h2o/h2o/security/advisories/GHSA-2ch5-p59c-7mv6 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 6.7EPSS: 0%CPEs: 3EXPL: 0CVE-2023-41337 – h2o vulnerable to TLS session resumption misdirection
https://notcve.org/view.php?id=CVE-2023-41337
h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. In version 2.3.0-beta2 and prior, when h2o is configured to listen to multiple addresses or ports with each of them using different backend servers managed by multiple entities, a malicious backend entity that also has the opportunity to observe or inject packets exchanged between the client and h2o may misdirect HTTPS requests going to other backends and observe the contents of that HTTPS request being sent. The attack involves a victim client trying to resume a TLS connection and an attacker redirecting the packets to a different address or port than that intended by the client. The attacker must already have been configured by the administrator of h2o to act as a backend to one of the addresses or ports that the h2o instance listens to. Session IDs and tickets generated by h2o are not bound to information specific to the server address, port, or the X.509 certificate, and therefore it is possible for an attacker to force the victim connection to wrongfully resume against a different server address or port on which the same h2o instance is listening. Once a TLS session is misdirected to resume to a server address / port that is configured to use an attacker-controlled server as the backend, depending on the configuration, HTTPS requests from the victim client may be forwarded to the attacker's server. An H2O instance is vulnerable to this attack only if the instance is configured to listen to different addresses or ports using the listen directive at the host level and the instance is configured to connect to backend servers managed by multiple entities. A patch is available at commit 35760540337a47e5150da0f4a66a609fad2ef0ab. As a workaround, one may stop using using host-level listen directives in favor of global-level ones. h2o es un servidor HTTP compatible con HTTP/1.x, HTTP/2 y HTTP/3. • https://github.com/h2o/h2o/commit/35760540337a47e5150da0f4a66a609fad2ef0ab https://github.com/h2o/h2o/security/advisories/GHSA-5v5r-rghf-rm6q • CWE-347: Improper Verification of Cryptographic Signature •