CVSS: 8.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45402 – Picotls double free
https://notcve.org/view.php?id=CVE-2024-45402
Picotls is a TLS protocol library that allows users select different crypto backends based on their use case. When parsing a spoofed TLS handshake message, picotls (specifically, bindings within picotls that call the crypto libraries) may attempt to free the same memory twice. This double free occurs during the disposal of multiple objects without any intervening calls to malloc Typically, this triggers the malloc implementation to detect the error and abort the process. However, depending on the internals of malloc and the crypto backend being used, the flaw could potentially lead to a use-after-free scenario, which might allow for arbitrary code execution. The vulnerability is addressed with commit 9b88159ce763d680e4a13b6e8f3171ae923a535d. • https://github.com/h2o/picotls/commit/9b88159ce763d680e4a13b6e8f3171ae923a535d https://github.com/h2o/picotls/security/advisories/GHSA-w7c8-wjx9-vvvv • CWE-415: Double Free •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45396 – Quicly assertion failures
https://notcve.org/view.php?id=CVE-2024-45396
Quicly is an IETF QUIC protocol implementation. Quicly up to commtit d720707 is susceptible to a denial-of-service attack. A remote attacker can exploit these bugs to trigger an assertion failure that crashes process using quicly. The vulnerability is addressed with commit 2a95896104901589c495bc41460262e64ffcad5c. • https://github.com/h2o/quicly/commit/2a95896104901589c495bc41460262e64ffcad5c https://github.com/h2o/quicly/security/advisories/GHSA-mp3c-h5gg-mm6p • CWE-617: Reachable Assertion •
CVSS: 3.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45403 – H2O assertion failure when HTTP/3 requests are cancelled
https://notcve.org/view.php?id=CVE-2024-45403
h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When h2o is configured as a reverse proxy and HTTP/3 requests are cancelled by the client, h2o might crash due to an assertion failure. The crash can be exploited by an attacker to mount a Denial-of-Service attack. By default, the h2o standalone server automatically restarts, minimizing the impact. However, HTTP requests that were served concurrently will still be disrupted. • https://github.com/h2o/h2o/commit/16b13eee8ad7895b4fe3fcbcabee53bd52782562 https://github.com/h2o/h2o/commit/1ed32b23f999acf0c5029f09c8525f93eb1d354c https://github.com/h2o/h2o/security/advisories/GHSA-4xp5-3jhc-3m92 https://h2o.examp1e.net/configure/http3_directives.html • CWE-617: Reachable Assertion •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45397 – H2O alllows bypassing address-based access control with 0-RTT
https://notcve.org/view.php?id=CVE-2024-45397
h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When an HTTP request using TLS/1.3 early data on top of TCP Fast Open or QUIC 0-RTT packets is received and the IP-address-based access control is used, the access control does not detect and prohibit HTTP requests conveyed by packets with a spoofed source address. This behavior allows attackers on the network to execute HTTP requests from addresses that are otherwise rejected by the address-based access control. The vulnerability has been addressed in commit 15ed15a. Users may disable the use of TCP FastOpen and QUIC to mitigate the issue. • https://github.com/h2o/h2o/commit/15ed15a2efb83a77bb4baaa5a119e639c2f6898a https://github.com/h2o/h2o/security/advisories/GHSA-jf2c-xjcp-wg4c https://h2o.examp1e.net/configure/http3_directives.html • CWE-284: Improper Access Control •
CVSS: 3.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-25622 – H2O ignores headers configuration directives
https://notcve.org/view.php?id=CVE-2024-25622
h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. The configuration directives provided by the headers handler allows users to modify the response headers being sent by h2o. The configuration file of h2o has scopes, and the inner scopes (e.g., path level) are expected to inherit the configuration defined in outer scopes (e.g., global level). However, if a header directive is used in the inner scope, all the definition in outer scopes are ignored. This can lead to headers not being modified as expected. • https://github.com/h2o/h2o/commit/123f5e2b65dcdba8f7ef659a00d24bd1249141be https://github.com/h2o/h2o/issues/3332 https://github.com/h2o/h2o/security/advisories/GHSA-5m7v-cj65-h6pj • CWE-670: Always-Incorrect Control Flow Implementation •