CVSS: 9.8EPSS: 94%CPEs: 444EXPL: 19CVE-2023-44487 – HTTP/2 Rapid Reset Attack Vulnerability
https://notcve.org/view.php?id=CVE-2023-44487
10 Oct 2023 — The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. El protocolo HTTP/2 permite una denegación de servicio (consumo de recursos del servidor) porque la cancelación de solicitudes puede restablecer muchas transmisiones rápidamente, como se explotó en la naturaleza entre agosto y octubre de 2023. A flaw was found in handling multiplexed streams in the HTTP/2 protocol. ... • https://github.com/imabee101/CVE-2023-44487 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-3215
https://notcve.org/view.php?id=CVE-2022-3215
28 Sep 2022 — NIOHTTP1 and projects using it for generating HTTP responses can be subject to a HTTP Response Injection attack. This occurs when a HTTP/1.1 server accepts user generated input from an incoming request and reflects it into a HTTP/1.1 response header in some form. A malicious user can add newlines to their input (usually in encoded form) and "inject" those newlines into the returned HTTP response. This capability allows users to work around security headers and HTTP/1.1 framing headers by injecting entirely ... • https://github.com/apple/swift-nio/security/advisories/GHSA-7fj7-39wj-c64f • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •
CVSS: 7.8EPSS: 1%CPEs: 1EXPL: 0CVE-2022-0618
https://notcve.org/view.php?id=CVE-2022-0618
09 Mar 2022 — A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HTTP/2 frame. This vulnerability is caused by a logical error when parsing a HTTP/2 HEADERS or HTTP/2 PUSH_PROMISE frame where the frame contains padding information without any other data. This logical error caused confusion about the size of the frame, leading to a parsing error. This parsing error immediately crashes the entire process. Sending a HEADERS frame or PUSH_PROMISE ... • https://github.com/apple/swift-nio-http2/security/advisories/GHSA-q36x-r5x4-h4q6 • CWE-130: Improper Handling of Length Parameter Inconsistency •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-24668
https://notcve.org/view.php?id=CVE-2022-24668
09 Feb 2022 — A program using swift-nio-http2 is vulnerable to a denial of service attack caused by a network peer sending ALTSVC or ORIGIN frames. This attack affects all swift-nio-http2 versions from 1.0.0 to 1.19.1. This vulnerability is caused by a logical error after frame parsing but before frame handling. ORIGIN and ALTSVC frames are not currently supported by swift-nio-http2, and should be ignored. However, one code path that encounters them has a deliberate trap instead. • https://github.com/apple/swift-nio-http2/security/advisories/GHSA-pgfx-g6rc-8cjv • CWE-241: Improper Handling of Unexpected Data Type •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-24667
https://notcve.org/view.php?id=CVE-2022-24667
09 Feb 2022 — A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HPACK-encoded header block. This attack affects all swift-nio-http2 versions from 1.0.0 to 1.19.1. There are a number of implementation errors in the parsing of HPACK-encoded header blocks that allow maliciously crafted HPACK header blocks to cause crashes in processes using swift-nio-http2. Each of these crashes is triggered instead of an integer overflow. A malicious HPACK head... • https://github.com/apple/swift-nio-http2/security/advisories/GHSA-w3f6-pc54-gfw7 • CWE-190: Integer Overflow or Wraparound •
CVSS: 7.5EPSS: 2%CPEs: 1EXPL: 0CVE-2022-24666
https://notcve.org/view.php?id=CVE-2022-24666
09 Feb 2022 — A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HTTP/2 frame. This attack affects all swift-nio-http2 versions from 1.0.0 to 1.19.1. This vulnerability is caused by a logical error when parsing a HTTP/2 HEADERS frame where the frame contains priority information without any other data. This logical error caused confusion about the size of the frame, leading to a parsing error. This parsing error immediately crashes the entire ... • https://github.com/apple/swift-nio-http2/security/advisories/GHSA-ccw9-q5h2-8c2w • CWE-130: Improper Handling of Length Parameter Inconsistency •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-8849
https://notcve.org/view.php?id=CVE-2019-8849
18 Dec 2019 — The issue was addressed by signaling that an executable stack is not required. This issue is fixed in SwiftNIO SSL 2.4.1. A SwiftNIO application using TLS may be able to execute arbitrary code. El problema fue abordado señalando que una pila ejecutable no es requerida. Este problema es corregido en SwiftNIO SSL versión 2.4.1. • https://support.apple.com/HT210772 •
CVSS: 7.8EPSS: 3%CPEs: 35EXPL: 0CVE-2019-9518 – Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service
https://notcve.org/view.php?id=CVE-2019-9518
13 Aug 2019 — Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU. • http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.8EPSS: 4%CPEs: 43EXPL: 0CVE-2019-9517 – Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service
https://notcve.org/view.php?id=CVE-2019-9517
13 Aug 2019 — Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both. Algunas implementaciones HT... • http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00004.html • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.8EPSS: 2%CPEs: 44EXPL: 0CVE-2019-9515 – Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service
https://notcve.org/view.php?id=CVE-2019-9515
13 Aug 2019 — Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. Algunas implementaciones de HTTP / 2 son vulnerables a una inundación de configuraciones, lo... • http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •