CVE-2021-43848 – Unititialized memory access in h2o
https://notcve.org/view.php?id=CVE-2021-43848
h2o is an open source http server. In code prior to the `8c0eca3` commit h2o may attempt to access uninitialized memory. When receiving QUIC frames in certain order, HTTP/3 server-side implementation of h2o can be misguided to treat uninitialized memory as HTTP/3 frames that have been received. When h2o is used as a reverse proxy, an attacker can abuse this vulnerability to send internal state of h2o to backend servers controlled by the attacker or third party. Also, if there is an HTTP endpoint that reflects the traffic sent from the client, an attacker can use that reflector to obtain internal state of h2o. • https://github.com/h2o/h2o/commit/8c0eca3 https://github.com/h2o/h2o/security/advisories/GHSA-f9xw-j925-m4m4 • CWE-908: Use of Uninitialized Resource •
CVE-2018-0608
https://notcve.org/view.php?id=CVE-2018-0608
Buffer overflow in H2O version 2.2.4 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (DoS) via unspecified vectors. Desbordamiento de búfer en H2O, en versiones 2.2.4 y anteriores, permite que atacantes remotos ejecuten código arbitrario o provoquen una denegación de servicio (DoS) mediante vectores sin especificar. • http://jvn.jp/en/jp/JVN93226941/index.html https://github.com/h2o/h2o/issues/1775 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2017-10868
https://notcve.org/view.php?id=CVE-2017-10868
H2O version 2.2.2 and earlier allows remote attackers to cause a denial of service in the server via specially crafted HTTP/1 header. H2O en sus versiones 2.2.2 y anteriores permite que atacantes remotos provoquen una denegación de servicio (DoS) en el servidor mediante cabeceras HTTP/1 especialmente manipuladas. • https://github.com/h2o/h2o/issues/1459 https://jvn.jp/en/jp/JVN84182676/index.html • CWE-20: Improper Input Validation •
CVE-2017-10872
https://notcve.org/view.php?id=CVE-2017-10872
H2O version 2.2.3 and earlier allows remote attackers to cause a denial of service in the server via unspecified vectors. H2O en sus versiones 2.2.3 y anteriores permite que atacantes remotos provoquen una denegación de servicio (DoS) en el servidor mediante vectores no especificados. • https://github.com/h2o/h2o/issues/1543 https://jvn.jp/en/jp/JVN84182676/index.html • CWE-118: Incorrect Access of Indexable Resource ('Range Error') •
CVE-2017-10908
https://notcve.org/view.php?id=CVE-2017-10908
H2O version 2.2.3 and earlier allows remote attackers to cause a denial of service in the server via specially crafted HTTP/2 header. H2O en sus versiones 2.2.3 y anteriores permite que atacantes remotos provoquen una denegación de servicio (DoS) en el servidor mediante cabeceras HTTP/2 especialmente manipuladas. • https://github.com/h2o/h2o/issues/1544 https://jvn.jp/en/jp/JVN84182676/index.html • CWE-20: Improper Input Validation •