CVE-2023-30847
Last modified
CVE-2023-30847 is a high-severity vulnerability rated 8.2/10 on the CVSS scale. H2O is an HTTP server. In versions 2.3.0-beta2 and prior, when the reverse proxy handler tries to processes a certain type of invalid HTTP request, it tries to build an upstream URL by reading from uninitialized pointer. EPSS estimates a 0.90% chance of exploitation in the next 30 days.
Description
H2O is an HTTP server. In versions 2.3.0-beta2 and prior, when the reverse proxy handler tries to processes a certain type of invalid HTTP request, it tries to build an upstream URL by reading from uninitialized pointer. This behavior can lead to crashes or leak of information to back end HTTP servers. Pull request number 3229 fixes the issue. The pull request has been merged to the `master` branch in commit f010336. Users should upgrade to commit f010336 or later.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Dena | H2o | <= 2.2.6 | — |
| Dena | H2o | 2.3.0 | Beta1 |
References
- https://github.com/h2o/h2o/pull/3229Vendor Advisory
- https://github.com/h2o/h2o/security/advisories/GHSA-p5hj-phwj-hrvxPatch, Vendor Advisory
- https://github.com/h2o/h2o/pull/3229Vendor Advisory
- https://github.com/h2o/h2o/security/advisories/GHSA-p5hj-phwj-hrvxPatch, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2023-30847?
How severe is CVE-2023-30847?
How do I fix CVE-2023-30847?
Are you affected by CVE-2023-30847?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST