CVE-2024-45403

h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When h2o is configured as a reverse proxy and HTTP/3 requests are cancelled by the client, h2o might crash due to an assertion failure. The crash can be exploited by an attacker to mount a Denial-of-Service attack. By default, the h2o standalone server automatically restarts, minimizing the impact. However, HTTP requests that were served concurrently will still be disrupted. The vulnerability has been addressed in commit 1ed32b2. Users may disable the use of HTTP/3 to mitigate the issue.
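The advisory's workaround is to stop serving HTTP/3 until the server is upgraded to a build containing commit 1ed32b2. Below, as an added example that is not from the advisory or the h2o project, is an h2o reverse-proxy configuration in the affected shape (a QUIC listener alongside the TCP listener) followed by the mitigated form with the QUIC listener removed. The two YAML documents are separated by `---`; only one would be loaded at a time. The hostname, certificate paths and upstream URL are placeholders.

```yaml
# Document 1: affected shape (assumed example). HTTP/3 is enabled by the
# second "listen" block with "type: quic"; requests that clients cancel on
# that listener can reach the assertion described in CVE-2024-45403.
listen:
  port: 443
  ssl:
    certificate-file: /etc/h2o/server.crt   # placeholder path
    key-file: /etc/h2o/server.key           # placeholder path
listen:
  type: quic                                # HTTP/3 over UDP 443
  port: 443
  ssl:
    certificate-file: /etc/h2o/server.crt
    key-file: /etc/h2o/server.key
hosts:
  "proxy.example.com":                      # placeholder hostname
    paths:
      "/":
        proxy.reverse.url: "http://127.0.0.1:8080"   # placeholder upstream
---
# Document 2: mitigated shape. The QUIC listener is removed, so no HTTP/3
# request can be accepted or cancelled; HTTP/1.x and HTTP/2 keep working.
listen:
  port: 443
  ssl:
    certificate-file: /etc/h2o/server.crt   # placeholder path
    key-file: /etc/h2o/server.key           # placeholder path
hosts:
  "proxy.example.com":                      # placeholder hostname
    paths:
      "/":
        proxy.reverse.url: "http://127.0.0.1:8080"   # placeholder upstream
```

If the deployment also advertises HTTP/3 to clients (HTTP/3 discovery normally goes through an Alt-Svc response header), drop that advertisement as well, otherwise clients will keep attempting QUIC connections to a port that no longer listens. Treat the listener removal as a stopgap: the actual fix is upgrading to a release that includes commit 1ed32b2 and then re-enabling the QUIC listener.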
Configurations

Configuration 1

cpe:2.3:a:dena:h2o:*:*:*:*:*:*:*:*

History

12 Nov 2024, 19:59

Type          Values Removed                 Values Added
First Time                                   Dena h2o
                                             Dena
CVSS          v2 : unknown                   v2 : unknown
              v3 : 3.7                       v3 : 7.5
CPE                                          cpe:2.3:a:dena:h2o:*:*:*:*:*:*:*:*
References    (same URL, untagged)           Patch: https://github.com/h2o/h2o/commit/16b13eee8ad7895b4fe3fcbcabee53bd52782562
References    (same URL, untagged)           Patch: https://github.com/h2o/h2o/commit/1ed32b23f999acf0c5029f09c8525f93eb1d354c
References    (same URL, untagged)           Vendor Advisory: https://github.com/h2o/h2o/security/advisories/GHSA-4xp5-3jhc-3m92
References    (same URL, untagged)           Product: https://h2o.examp1e.net/configure/http3_directives.html

15 Oct 2024, 12:58

Type          Values Removed                 Values Added
Summary                                      (es, translated) h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When h2o is configured as a reverse proxy and the client cancels HTTP/3 requests, h2o may crash due to an assertion failure. An attacker can exploit the crash to mount a Denial-of-Service attack. By default, the h2o standalone server restarts automatically, which minimizes the impact. However, HTTP requests that were being served concurrently will still be disrupted. The vulnerability has been fixed in commit 1ed32b2. Users can disable the use of HTTP/3 to mitigate the issue.

11 Oct 2024, 15:15

Type          Values Removed                 Values Added
New CVE

Information

Published : 2024-10-11 15:15

Updated : 2024-11-12 19:59


NVD link : CVE-2024-45403

Mitre link : CVE-2024-45403

CVE.ORG link : CVE-2024-45403


Products Affected

dena

  • h2o
CWE
CWE-617

Reachable Assertion