CVSS: 9.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-6569 – External Control of File Name or Path in h2oai/h2o-3
https://notcve.org/view.php?id=CVE-2023-6569
External Control of File Name or Path in h2oai/h2o-3 Control externo del nombre o ruta del archivo en h2oai/h2o-3 • https://huntr.com/bounties/a5d003dc-c23e-4c98-8dcf-35ba9252fa3c • CWE-73: External Control of File Name or Path CWE-610: Externally Controlled Reference to a Resource in Another Sphere •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2023-50247 – h2o QUIC state exhaustion DoS
https://notcve.org/view.php?id=CVE-2023-50247
h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. The QUIC stack (quicly), as used by H2O up to commit 43f86e5 (in version 2.3.0-beta and prior), is susceptible to a state exhaustion attack. When H2O is serving HTTP/3, a remote attacker can exploit this vulnerability to progressively increase the memory retained by the QUIC stack. This can eventually cause H2O to abort due to memory exhaustion. The vulnerability has been resolved in commit d67e81d03be12a9d53dc8271af6530f40164cd35. • https://github.com/h2o/h2o/commit/d67e81d03be12a9d53dc8271af6530f40164cd35 https://github.com/h2o/h2o/security/advisories/GHSA-2ch5-p59c-7mv6 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 6.7EPSS: 0%CPEs: 3EXPL: 0CVE-2023-41337 – h2o vulnerable to TLS session resumption misdirection
https://notcve.org/view.php?id=CVE-2023-41337
h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. In version 2.3.0-beta2 and prior, when h2o is configured to listen to multiple addresses or ports with each of them using different backend servers managed by multiple entities, a malicious backend entity that also has the opportunity to observe or inject packets exchanged between the client and h2o may misdirect HTTPS requests going to other backends and observe the contents of that HTTPS request being sent. The attack involves a victim client trying to resume a TLS connection and an attacker redirecting the packets to a different address or port than that intended by the client. The attacker must already have been configured by the administrator of h2o to act as a backend to one of the addresses or ports that the h2o instance listens to. Session IDs and tickets generated by h2o are not bound to information specific to the server address, port, or the X.509 certificate, and therefore it is possible for an attacker to force the victim connection to wrongfully resume against a different server address or port on which the same h2o instance is listening. Once a TLS session is misdirected to resume to a server address / port that is configured to use an attacker-controlled server as the backend, depending on the configuration, HTTPS requests from the victim client may be forwarded to the attacker's server. An H2O instance is vulnerable to this attack only if the instance is configured to listen to different addresses or ports using the listen directive at the host level and the instance is configured to connect to backend servers managed by multiple entities. A patch is available at commit 35760540337a47e5150da0f4a66a609fad2ef0ab. As a workaround, one may stop using using host-level listen directives in favor of global-level ones. h2o es un servidor HTTP compatible con HTTP/1.x, HTTP/2 y HTTP/3. • https://github.com/h2o/h2o/commit/35760540337a47e5150da0f4a66a609fad2ef0ab https://github.com/h2o/h2o/security/advisories/GHSA-5v5r-rghf-rm6q • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 7.5EPSS: 81%CPEs: 444EXPL: 7CVE-2023-44487 – HTTP/2 Rapid Reset Attack Vulnerability
https://notcve.org/view.php?id=CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. El protocolo HTTP/2 permite una denegación de servicio (consumo de recursos del servidor) porque la cancelación de solicitudes puede restablecer muchas transmisiones rápidamente, como se explotó en la naturaleza entre agosto y octubre de 2023. A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. • https://github.com/imabee101/CVE-2023-44487 https://github.com/studiogangster/CVE-2023-44487 https://github.com/bcdannyboy/CVE-2023-44487 https://github.com/sigridou/CVE-2023-44487- https://github.com/ByteHackr/CVE-2023-44487 https://github.com/ReToCode/golang-CVE-2023-44487 http://www.openwall.com/lists/oss-security/2023/10/13/4 http://www.openwall.com/lists/oss-security/2023/10/13/9 http://www.openwall.com/lists/oss-security/2023/10/18/4 http://www. • CWE-400: Uncontrolled Resource Consumption •
CVSS: 8.2EPSS: 0%CPEs: 3EXPL: 0CVE-2023-30847 – H2O vulnerable to read from uninitialized pointer in the reverse proxy handler
https://notcve.org/view.php?id=CVE-2023-30847
H2O is an HTTP server. In versions 2.3.0-beta2 and prior, when the reverse proxy handler tries to processes a certain type of invalid HTTP request, it tries to build an upstream URL by reading from uninitialized pointer. This behavior can lead to crashes or leak of information to back end HTTP servers. Pull request number 3229 fixes the issue. The pull request has been merged to the `master` branch in commit f010336. • https://github.com/h2o/h2o/commit/f010336bab162839df43d9e87570897466c97e33 https://github.com/h2o/h2o/pull/3229 https://github.com/h2o/h2o/security/advisories/GHSA-p5hj-phwj-hrvx • CWE-824: Access of Uninitialized Pointer •