PT-2023-6292 · Apache+10 · Apache Http Server+10

David Warren

+1

·

Published

2023-10-12

·

Updated

2026-06-29

·

CVE-2023-45802

CVSS v2.0

7.8

High

VectorAV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions Apache HTTP Server versions prior to 2.4.58
Description The issue is related to the handling of HTTP/2 streams in the Apache HTTP Server. When a client resets an HTTP/2 stream using an RST frame, there is a time window where the request's memory resources are not immediately reclaimed. Instead, de-allocation is deferred until the connection is closed. A client can exploit this by sending new requests and resets, keeping the connection busy and open, and causing the memory footprint to grow. This can lead to a denial-of-service condition if the process runs out of memory before the connection is closed.
Recommendations To resolve the issue, upgrade to version 2.4.58 or later, which fixes the problem. As a temporary workaround, consider restricting the use of HTTP/2 streams or limiting the number of concurrent connections to minimize the risk of exploitation.

Exploit

Fix

RCE

DoS

Improper Resource Release

Resource Exhaustion

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

ALSA-2024:2368
ALSA-2024:3121
ALSA-2024_2368
ALSA-2024_3121
ALT-PU-2023-6508
ALT-PU-2023-6511
ALT-PU-2023-6542
ALT-PU-2023-6543
ALT-PU-2023-6594
ALT-PU-2023-6831
ALT-PU-2023-7243
ALT-PU-2024-1938
AZL-31611
AZL-43531
AZL-45147
BDU:2023-07003
BIT-APACHE-2023-45802
CESA-2024_3121
CVE-2023-45802
DLA-3818-1
DSA-5662-1
INFSA-2024_2368
INFSA-2024_3121
MGASA-2023-0304
OESA-2023-1802
OESA-2023-1803
OESA-2023-1804
OESA-2023-1805
OESA-2023-1806
OPENSUSE-SU-2024:13350-1
OPENSUSE-SU-2024_3961-1
OPENSUSE-SU-2024_3999-1
RHSA-2023:7625
RHSA-2024:2368
RHSA-2024:2891
RHSA-2024:3121
RHSA-2024_2368
RHSA-2024_3121
RLSA-2024:3121
SUSE-SU-2024:3949-1
SUSE-SU-2024:3961-1
SUSE-SU-2024:3962-1
SUSE-SU-2024:3999-1
SUSE-SU-2024_3949-1
SUSE-SU-2024_3961-1
SUSE-SU-2024_3962-1
SUSE-SU-2024_3999-1
SUSE-SU-2026:2686-1
USN-6506-1
USN-8338-1

Affected Products

Alt Linux
Almalinux
Apache Http Server
Astra Linux
Centos
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu