PT-2024-31607 · H2O · H2O
Lowkazu · Published 2024-10-11 · Updated 2024-11-12
CVE-2024-45403 · CVSS v3.1 7.5 (High) · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions:
h2o versions prior to the version containing commit 1ed32b2
Description:
The issue affects h2o, an HTTP server that supports HTTP/1.x, HTTP/2, and HTTP/3. When configured as a reverse proxy, h2o may crash due to an assertion failure if HTTP/3 requests are cancelled by the client. This crash can be exploited to mount a Denial-of-Service attack. Although the standalone h2o server automatically restarts by default, minimizing the impact, concurrent HTTP requests will still be disrupted.
Recommendations:
To mitigate the issue, users may disable the use of HTTP/3 until a patch is available.
Update to the version containing commit 1ed32b2 to resolve the issue.
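As an added illustration (not part of the advisory and not the h2o project's own documentation), the minimal h2o reverse-proxy configuration below shows the interim mitigation: the QUIC listener that provides HTTP/3 is commented out while the TLS listener keeps serving HTTP/1.x and HTTP/2, so the HTTP/3 request-cancellation path that triggers the assertion is never reachable. The hostname, certificate paths, port and backend address are placeholders chosen for the example; the YAML anchor/merge form for the second listener follows the pattern the h2o documentation uses for QUIC listeners.

```yaml
# Added example (not from the advisory): h2o reverse proxy with the HTTP/3
# listener disabled as an interim mitigation for CVE-2024-45403.
# All hostnames, paths and addresses below are placeholders.

# TCP/TLS listener for HTTP/1.x and HTTP/2: kept as-is.
listen: &tls_listen
  port: 443
  ssl:
    certificate-file: /etc/h2o/server.crt   # placeholder path
    key-file: /etc/h2o/server.key           # placeholder path

# QUIC listener that enables HTTP/3. On a build older than the one
# containing commit 1ed32b2, leave this commented out; re-enable it only
# after updating to a version that contains the fix.
#listen:
#  <<: *tls_listen
#  type: quic

hosts:
  "www.example.com":            # placeholder hostname
    # If HTTP/3 was being advertised to clients, stop advertising it as well;
    # otherwise clients keep probing UDP/443 before falling back to TCP.
    #header.add: "alt-svc: h3=\":443\"; ma=86400"
    paths:
      "/":
        # Reverse-proxy mode is the deployment the advisory describes.
        proxy.reverse.url: "http://127.0.0.1:8080"   # placeholder backend
```

After editing, validate the file with `h2o -t -c <config>` before reloading, and confirm from a client that no HTTP/3 connection can be negotiated against the host (for example, that an `--http3` request from a QUIC-capable client fails or falls back to TCP). Once the server is updated to a version containing commit 1ed32b2, the QUIC listener and the Alt-Svc header can be restored.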
Tags: Exploit · Fix · DoS · Assertion Failure
Affected Products: H2O