CVE-2023-43622

An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known "slow loris" attack pattern. This has been fixed in version 2.4.58, so that such connection are terminated properly after the configured connection timeout. This issue affects Apache HTTP Server: from 2.4.55 through 2.4.57. Users are recommended to upgrade to version 2.4.58, which fixes the issue.
Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*

History

01 Nov 2023, 18:11

Type Values Removed Values Added
References (MISC) https://httpd.apache.org/security/vulnerabilities_24.html - (MISC) https://httpd.apache.org/security/vulnerabilities_24.html - Vendor Advisory
References (MISC) https://security.netapp.com/advisory/ntap-20231027-0011/ - (MISC) https://security.netapp.com/advisory/ntap-20231027-0011/ - Third Party Advisory
CPE cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5
First Time Apache
Apache http Server

27 Oct 2023, 15:15

Type Values Removed Values Added
References
  • (MISC) https://security.netapp.com/advisory/ntap-20231027-0011/ -

23 Oct 2023, 07:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-10-23 07:15

Updated : 2024-02-28 20:33


NVD link : CVE-2023-43622

Mitre link : CVE-2023-43622

CVE.ORG link : CVE-2023-43622


JSON object : View

Products Affected

apache

  • http_server
CWE
CWE-400

Uncontrolled Resource Consumption