
CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

11 Oct 2024 — Picotls is a TLS protocol library that allows users to select different crypto backends based on their use case. When parsing a spoofed TLS handshake message, picotls (specifically, bindings within picotls that call the crypto libraries) may attempt to free the same memory twice. This double free occurs during the disposal of multiple objects without any intervening calls to malloc. Typically, this triggers the malloc implementation to detect the error and abort the process. However, depending on the internals ... • https://github.com/h2o/picotls/commit/9b88159ce763d680e4a13b6e8f3171ae923a535d • CWE-415: Double Free

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

11 Oct 2024 — Quicly is an IETF QUIC protocol implementation. Quicly up to commit d720707 is susceptible to a denial-of-service attack. A remote attacker can exploit these bugs to trigger an assertion failure that crashes the process using quicly. The vulnerability is addressed with commit 2a95896104901589c495bc41460262e64ffcad5c. • https://github.com/h2o/quicly/commit/2a95896104901589c495bc41460262e64ffcad5c • CWE-617: Reachable Assertion

CVSS: 3.7 • EPSS: 0% • CPEs: 1 • EXPL: 0

11 Oct 2024 — h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When h2o is configured as a reverse proxy and HTTP/3 requests are cancelled by the client, h2o might crash due to an assertion failure. The crash can be exploited by an attacker to mount a Denial-of-Service attack. By default, the h2o standalone server automatically restarts, minimizing the impact. However, HTTP requests that were served concurrently will still be disrupted. • https://github.com/h2o/h2o/commit/16b13eee8ad7895b4fe3fcbcabee53bd52782562 • CWE-617: Reachable Assertion

CVSS: 5.9 • EPSS: 0% • CPEs: 1 • EXPL: 0

11 Oct 2024 — h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When an HTTP request using TLS/1.3 early data on top of TCP Fast Open or QUIC 0-RTT packets is received and the IP-address-based access control is used, the access control does not detect and prohibit HTTP requests conveyed by packets with a spoofed source address. This behavior allows attackers on the network to execute HTTP requests from addresses that are otherwise rejected by the address-based access control. The vulnerability has been ... • https://github.com/h2o/h2o/commit/15ed15a2efb83a77bb4baaa5a119e639c2f6898a • CWE-284: Improper Access Control

CVSS: 3.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

11 Oct 2024 — h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. The configuration directives provided by the headers handler allow users to modify the response headers being sent by h2o. The configuration file of h2o has scopes, and the inner scopes (e.g., path level) are expected to inherit the configuration defined in outer scopes (e.g., global level). However, if a header directive is used in the inner scope, all the definitions in outer scopes are ignored. This can lead to headers not being modified... • https://github.com/h2o/h2o/commit/123f5e2b65dcdba8f7ef659a00d24bd1249141be • CWE-670: Always-Incorrect Control Flow Implementation

CVSS: 5.3 • EPSS: 0% • CPEs: 2 • EXPL: 0

06 Jun 2024 — In h2oai/h2o-3 version 3.40.0.4, an exposure of sensitive information vulnerability exists due to an arbitrary system path lookup feature. This vulnerability allows any remote user to view full paths in the entire file system where h2o-3 is hosted. Specifically, the issue resides in the Typeahead API call, which when requested with a typeahead lookup of '/', exposes the root filesystem including directories such as /home, /usr, /bin, among others. This vulnerability could allow attackers to explore the enti... • https://huntr.com/bounties/e76372c2-39be-4984-a7c8-7048a75a25dc • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 9.3 • EPSS: 0% • CPEs: 1 • EXPL: 1

14 Dec 2023 — External Control of File Name or Path in h2oai/h2o-3 • https://huntr.com/bounties/a5d003dc-c23e-4c98-8dcf-35ba9252fa3c • CWE-73: External Control of File Name or Path • CWE-610: Externally Controlled Reference to a Resource in Another Sphere

CVSS: 9.3 • EPSS: 0% • CPEs: 1 • EXPL: 1

16 Nov 2023 — H2O is vulnerable to a stored XSS vulnerability which can lead to a Local File Include attack. • https://huntr.com/bounties/9881569f-dc2a-437e-86b0-20d4b70ae7af • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.7 • EPSS: 0% • CPEs: 1 • EXPL: 1

16 Nov 2023 — H2O included a reference to an S3 bucket that no longer existed, allowing an attacker to take over the S3 bucket URL. • https://huntr.com/bounties/6a69952f-a1ba-4dee-9d8c-e87f52508b58 • CWE-840: Business Logic Errors

CVSS: 9.3 • EPSS: 52% • CPEs: 1 • EXPL: 1

16 Nov 2023 — A Local File Inclusion (LFI) vulnerability exists in the h2o-3 REST API, allowing unauthenticated remote attackers to read arbitrary files on the server with the permissions of the user running the h2o-3 instance. This issue affects the default installation and does not require user interaction. The vulnerability can be exploited by making specific GET or POST requests to the ImportFiles and ParseSetup endpoints, respectively. This issue was identified in version 3.40.0.4 of h2o-3. An attacker can read ... • https://huntr.com/bounties/380fce33-fec5-49d9-a101-12c972125d8c • CWE-862: Missing Authorization