CVSS: 7.8EPSS: 94%CPEs: 444EXPL: 17CVE-2023-44487 – HTTP/2 Rapid Reset Attack Vulnerability
https://notcve.org/view.php?id=CVE-2023-44487
10 Oct 2023 — The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. El protocolo HTTP/2 permite una denegación de servicio (consumo de recursos del servidor) porque la cancelación de solicitudes puede restablecer muchas transmisiones rápidamente, como se explotó en la naturaleza entre agosto y octubre de 2023. A flaw was found in handling multiplexed streams in the HTTP/2 protocol. ... • https://github.com/imabee101/CVE-2023-44487 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-3215
https://notcve.org/view.php?id=CVE-2022-3215
28 Sep 2022 — NIOHTTP1 and projects using it for generating HTTP responses can be subject to a HTTP Response Injection attack. This occurs when a HTTP/1.1 server accepts user generated input from an incoming request and reflects it into a HTTP/1.1 response header in some form. A malicious user can add newlines to their input (usually in encoded form) and "inject" those newlines into the returned HTTP response. This capability allows users to work around security headers and HTTP/1.1 framing headers by injecting entirely ... • https://github.com/apple/swift-nio/security/advisories/GHSA-7fj7-39wj-c64f • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •
CVSS: 7.8EPSS: 1%CPEs: 1EXPL: 0CVE-2022-0618
https://notcve.org/view.php?id=CVE-2022-0618
09 Mar 2022 — A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HTTP/2 frame. This vulnerability is caused by a logical error when parsing a HTTP/2 HEADERS or HTTP/2 PUSH_PROMISE frame where the frame contains padding information without any other data. This logical error caused confusion about the size of the frame, leading to a parsing error. This parsing error immediately crashes the entire process. Sending a HEADERS frame or PUSH_PROMISE ... • https://github.com/apple/swift-nio-http2/security/advisories/GHSA-q36x-r5x4-h4q6 • CWE-130: Improper Handling of Length Parameter Inconsistency •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-24668
https://notcve.org/view.php?id=CVE-2022-24668
09 Feb 2022 — A program using swift-nio-http2 is vulnerable to a denial of service attack caused by a network peer sending ALTSVC or ORIGIN frames. This attack affects all swift-nio-http2 versions from 1.0.0 to 1.19.1. This vulnerability is caused by a logical error after frame parsing but before frame handling. ORIGIN and ALTSVC frames are not currently supported by swift-nio-http2, and should be ignored. However, one code path that encounters them has a deliberate trap instead. • https://github.com/apple/swift-nio-http2/security/advisories/GHSA-pgfx-g6rc-8cjv • CWE-241: Improper Handling of Unexpected Data Type •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-24667
https://notcve.org/view.php?id=CVE-2022-24667
09 Feb 2022 — A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HPACK-encoded header block. This attack affects all swift-nio-http2 versions from 1.0.0 to 1.19.1. There are a number of implementation errors in the parsing of HPACK-encoded header blocks that allow maliciously crafted HPACK header blocks to cause crashes in processes using swift-nio-http2. Each of these crashes is triggered instead of an integer overflow. A malicious HPACK head... • https://github.com/apple/swift-nio-http2/security/advisories/GHSA-w3f6-pc54-gfw7 • CWE-190: Integer Overflow or Wraparound •
CVSS: 7.5EPSS: 2%CPEs: 1EXPL: 0CVE-2022-24666
https://notcve.org/view.php?id=CVE-2022-24666
09 Feb 2022 — A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HTTP/2 frame. This attack affects all swift-nio-http2 versions from 1.0.0 to 1.19.1. This vulnerability is caused by a logical error when parsing a HTTP/2 HEADERS frame where the frame contains priority information without any other data. This logical error caused confusion about the size of the frame, leading to a parsing error. This parsing error immediately crashes the entire ... • https://github.com/apple/swift-nio-http2/security/advisories/GHSA-ccw9-q5h2-8c2w • CWE-130: Improper Handling of Length Parameter Inconsistency •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-8849
https://notcve.org/view.php?id=CVE-2019-8849
18 Dec 2019 — The issue was addressed by signaling that an executable stack is not required. This issue is fixed in SwiftNIO SSL 2.4.1. A SwiftNIO application using TLS may be able to execute arbitrary code. El problema fue abordado señalando que una pila ejecutable no es requerida. Este problema es corregido en SwiftNIO SSL versión 2.4.1. • https://support.apple.com/HT210772 •
CVSS: 7.8EPSS: 20%CPEs: 39EXPL: 1CVE-2019-9511 – Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service
https://notcve.org/view.php?id=CVE-2019-9511
13 Aug 2019 — Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. Algunas implementaciones de HTTP / 2 son vulnerables a la manip... • https://github.com/flyniu666/ingress-nginx-0.21-1.19.5 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.8EPSS: 3%CPEs: 42EXPL: 0CVE-2019-9513 – Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service
https://notcve.org/view.php?id=CVE-2019-9513
13 Aug 2019 — Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU. Algunas implementaciones de HTTP / 2 son vulnerables a los bucles de recursos, lo que puede conducir a una denegación de servicio. El atacante crea múltiples flujos de solicitud y baraja continuamente la prioridad de ... • http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.8EPSS: 2%CPEs: 44EXPL: 0CVE-2019-9515 – Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service
https://notcve.org/view.php?id=CVE-2019-9515
13 Aug 2019 — Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. Algunas implementaciones de HTTP / 2 son vulnerables a una inundación de configuraciones, lo... • http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •