// For flags

CVE-2023-36478

HTTP/2 HPACK integer overflow and buffer allocation

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to
exceed their size limit. `MetaDataBuilder.java` determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is very large and huffman is true, the multiplication by 4 in line 295
will overflow, and length will become negative. `(_size+length)` will now be negative, and the check on line 296 will not be triggered. Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions 11.0.16, 10.0.16, and 9.4.53. There are no known workarounds.

Eclipse Jetty proporciona un servidor web y un contenedor de servlets. En las versiones 11.0.0 a 11.0.15, 10.0.0 a 10.0.15 y 9.0.0 a 9.4.52, un desbordamiento de enteros en `MetaDataBuilder.checkSize` permite que los valores del encabezado HTTP/2 HPACK excedan su límite de tamaño. `MetaDataBuilder.java` determina si el nombre o valor de un encabezado excede el límite de tamaño y genera una excepción si se excede el límite. Sin embargo, cuando la longitud es muy grande y Huffman es verdadera, la multiplicación por 4 en la línea 295 se desbordará y la longitud se volverá negativa. `(_size+length)` ahora será negativo y la verificación en la línea 296 no se activará. Además, `MetaDataBuilder.checkSize` permite que los tamaños de los valores del encabezado HPACK ingresados por el usuario sean negativos, lo que podría generar una asignación de búfer muy grande más adelante cuando el tamaño ingresado por el usuario se multiplique por 2. Esto significa que si un usuario proporciona un tamaño con valor de longitud negativo (o, más precisamente, un valor de longitud que, cuando se multiplica por el factor de manipulación 4/3, es negativo), y este valor de longitud es un número positivo muy grande cuando se multiplica por 2, entonces el usuario puede causar un valor de longitud muy grande de búfer que se asignará en el servidor. Los usuarios de HTTP/2 pueden verse afectados por un ataque remoto de denegación de servicio. El problema se solucionó en las versiones 11.0.16, 10.0.16 y 9.4.53. No se conocen workarounds.

A flaw was found in Jetty http2-hpack and http3-qpack. If header values exceed the size limit and Huffman is the true`MetaDataBuilder.checkSize`, the multiplication will overflow, and the length will become negative, causing a large buffer allocation on the server, leading to a Denial of Service (DoS) attack.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2023-06-21 CVE Reserved
  • 2023-10-10 CVE Published
  • 2024-08-02 CVE Updated
  • 2024-08-02 First Exploit
  • 2024-09-09 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-190: Integer Overflow or Wraparound
  • CWE-400: Uncontrolled Resource Consumption
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Eclipse
Search vendor "Eclipse"
 Jetty
Search vendor "Eclipse" for product "Jetty"
 >= 9.3.0 < 9.4.53
Search vendor "Eclipse" for product "Jetty" and version " >= 9.3.0 < 9.4.53"
-
Affected
Eclipse
Search vendor "Eclipse"
 Jetty
Search vendor "Eclipse" for product "Jetty"
 >= 10.0.0 < 10.0.16
Search vendor "Eclipse" for product "Jetty" and version " >= 10.0.0 < 10.0.16"
-
Affected
Eclipse
Search vendor "Eclipse"
 Jetty
Search vendor "Eclipse" for product "Jetty"
 >= 11.0.0 < 11.0.16
Search vendor "Eclipse" for product "Jetty" and version " >= 11.0.0 < 11.0.16"
-
Affected
Jenkins
Search vendor "Jenkins"
 Jenkins
Search vendor "Jenkins" for product "Jenkins"
 < 2.414.3
Search vendor "Jenkins" for product "Jenkins" and version " < 2.414.3"
lts
Affected
Jenkins
Search vendor "Jenkins"
 Jenkins
Search vendor "Jenkins" for product "Jenkins"
 < 2.428
Search vendor "Jenkins" for product "Jenkins" and version " < 2.428"
-
Affected
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
 10.0
Search vendor "Debian" for product "Debian Linux" and version "10.0"
-
Affected
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
 11.0
Search vendor "Debian" for product "Debian Linux" and version "11.0"
-
Affected
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
 12.0
Search vendor "Debian" for product "Debian Linux" and version "12.0"
-
Affected