CVSS: 3.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45403 – H2O assertion failure when HTTP/3 requests are cancelled
https://notcve.org/view.php?id=CVE-2024-45403
11 Oct 2024 — h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When h2o is configured as a reverse proxy and HTTP/3 requests are cancelled by the client, h2o might crash due to an assertion failure. The crash can be exploited by an attacker to mount a Denial-of-Service attack. By default, the h2o standalone server automatically restarts, minimizing the impact. However, HTTP requests that were served concurrently will still be disrupted. • https://github.com/h2o/h2o/commit/16b13eee8ad7895b4fe3fcbcabee53bd52782562 • CWE-617: Reachable Assertion •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45397 – H2O alllows bypassing address-based access control with 0-RTT
https://notcve.org/view.php?id=CVE-2024-45397
11 Oct 2024 — h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When an HTTP request using TLS/1.3 early data on top of TCP Fast Open or QUIC 0-RTT packets is received and the IP-address-based access control is used, the access control does not detect and prohibit HTTP requests conveyed by packets with a spoofed source address. This behavior allows attackers on the network to execute HTTP requests from addresses that are otherwise rejected by the address-based access control. The vulnerability has been ... • https://github.com/h2o/h2o/commit/15ed15a2efb83a77bb4baaa5a119e639c2f6898a • CWE-284: Improper Access Control •
CVSS: 3.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-25622 – H2O ignores headers configuration directives
https://notcve.org/view.php?id=CVE-2024-25622
11 Oct 2024 — h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. The configuration directives provided by the headers handler allows users to modify the response headers being sent by h2o. The configuration file of h2o has scopes, and the inner scopes (e.g., path level) are expected to inherit the configuration defined in outer scopes (e.g., global level). However, if a header directive is used in the inner scope, all the definition in outer scopes are ignored. This can lead to headers not being modified... • https://github.com/h2o/h2o/commit/123f5e2b65dcdba8f7ef659a00d24bd1249141be • CWE-670: Always-Incorrect Control Flow Implementation •
CVSS: 9.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-6569 – External Control of File Name or Path in h2oai/h2o-3
https://notcve.org/view.php?id=CVE-2023-6569
14 Dec 2023 — External Control of File Name or Path in h2oai/h2o-3 Control externo del nombre o ruta del archivo en h2oai/h2o-3 • https://huntr.com/bounties/a5d003dc-c23e-4c98-8dcf-35ba9252fa3c • CWE-73: External Control of File Name or Path CWE-610: Externally Controlled Reference to a Resource in Another Sphere •
CVSS: 9.8EPSS: 94%CPEs: 444EXPL: 20CVE-2023-44487 – HTTP/2 Rapid Reset Attack Vulnerability
https://notcve.org/view.php?id=CVE-2023-44487
10 Oct 2023 — The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. El protocolo HTTP/2 permite una denegación de servicio (consumo de recursos del servidor) porque la cancelación de solicitudes puede restablecer muchas transmisiones rápidamente, como se explotó en la naturaleza entre agosto y octubre de 2023. A flaw was found in handling multiplexed streams in the HTTP/2 protocol. ... • https://github.com/imabee101/CVE-2023-44487 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.4EPSS: 13%CPEs: 1EXPL: 1CVE-2021-43848 – Unititialized memory access in h2o
https://notcve.org/view.php?id=CVE-2021-43848
01 Feb 2022 — h2o is an open source http server. In code prior to the `8c0eca3` commit h2o may attempt to access uninitialized memory. When receiving QUIC frames in certain order, HTTP/3 server-side implementation of h2o can be misguided to treat uninitialized memory as HTTP/3 frames that have been received. When h2o is used as a reverse proxy, an attacker can abuse this vulnerability to send internal state of h2o to backend servers controlled by the attacker or third party. Also, if there is an HTTP endpoint that reflec... • https://github.com/neex/hui2ochko • CWE-908: Use of Uninitialized Resource •