Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-30847

H2O is an HTTP server. In versions 2.3.0-beta2 and prior, when the reverse proxy handler tries to processes a certain type of invalid HTTP request, it tries to build an upstream URL by reading from uninitialized pointer. This behavior can lead to crashes or leak of information to back end HTTP servers. Pull request number 3229 fixes the issue. The pull request has been merged to the `master` branch in commit f010336. Users should upgrade to commit f010336 or later.

Published

2023-04-27T15:15:13.833

Last Modified

2024-11-21T08:00:57.810

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 8.2 (HIGH)

Weaknesses

Type: Primary
CWE-824

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	dena	h2o	≤ 2.2.6	Yes
Application	dena	h2o	2.3.0	Yes
Application	dena	h2o	2.3.0	Yes

References

https://github.com/h2o/h2o/commit/f010336bab162839df43d9e87570897466c97e33 Patch ([email protected])
https://github.com/h2o/h2o/pull/3229 Vendor Advisory ([email protected])
https://github.com/h2o/h2o/security/advisories/GHSA-p5hj-phwj-hrvx Patch, Vendor Advisory ([email protected])
https://github.com/h2o/h2o/commit/f010336bab162839df43d9e87570897466c97e33 Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/h2o/h2o/pull/3229 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/h2o/h2o/security/advisories/GHSA-p5hj-phwj-hrvx Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)