cyber-dojo
flows
shas-archived-at-1705491385
artifacts
eaa2885bdceaeb49372ec734bab19f5e3e2d1ce59661fe6f97ad2d10ee39a8b0
By signing up, you agree to the
Terms of Service.
For more information about Kosli’s privacy practices, see the Kosli’s
Privacy Policy.
We’ll occasionally send you account-related emails.
We’ll occasionally send you account-related emails.
shas-archived-at-1705491385
UX for git+image shas
cyberdojo/shas:81ab491
Non-compliant
Download Evidence Package
JSON
{
"created_at": 1696224032.592977,
"fingerprint": "eaa2885bdceaeb49372ec734bab19f5e3e2d1ce59661fe6f97ad2d10ee39a8b0",
"filename": "cyberdojo/shas:81ab491",
"git_commit": "81ab49132e118a98b5c2e3f9e447a6bc3a472379",
"build_url": "https://github.com/cyber-dojo/shas/actions/runs/6376298305",
"commit_url": "https://github.com/cyber-dojo/shas/commit/81ab49132e118a98b5c2e3f9e447a6bc3a472379",
"evidence": {
"branch-coverage": {
"evidence_type": "generic",
"is_compliant": true,
"build_url": "https://github.com/cyber-dojo/shas/actions/runs/6376298305",
"description": "server & client branch-coverage reports",
"user_data": {
"client": {
"command_name": "Minitest",
"groups": {
"app": {
"branches": {
"covered": 1,
"missed": 1,
"total": 2
},
"lines": {
"covered": 52,
"missed": 0,
"total": 52
}
},
"test": {
"branches": {
"covered": 0,
"missed": 0,
"total": 0
},
"lines": {
"covered": 0,
"missed": 0,
"total": 0
}
}
},
"timestamp": 1696224014
},
"server": {
"command_name": "Minitest",
"groups": {
"app": {
"branches": {
"covered": 0,
"missed": 0,
"total": 0
},
"lines": {
"covered": 69,
"missed": 0,
"total": 69
}
},
"test": {
"branches": {
"covered": 0,
"missed": 0,
"total": 0
},
"lines": {
"covered": 0,
"missed": 0,
"total": 0
}
}
},
"timestamp": 1696224008
}
},
"created_at": 1696224034.3924313,
"has_audit_package": false
},
"snyk-scan": {
"evidence_type": "snyk",
"is_compliant": false,
"build_url": "https://github.com/cyber-dojo/snyk_scans/actions/runs/6492936605",
"evidence_archive_fingerprint": "9d440cce891ab3a302ef52b100fb125529881041853192672140ccf73db597a9",
"user_data": {},
"snyk_results": {
"applications": [
{
"dependencyCount": 0,
"displayTargetFile": "/usr/local/bundle/gems/concurrent-ruby-1.2.2/lib/concurrent-ruby/concurrent",
"docker": {},
"filesystemPolicy": true,
"hasUnknownVersions": false,
"ignoreSettings": {
"adminOnly": false,
"disregardFilesystemIgnores": false,
"reasonRequired": false
},
"isPrivate": true,
"licensesPolicy": {
"orgLicenseRules": {
"AGPL-1.0": {
"instructions": "",
"licenseType": "AGPL-1.0",
"severity": "high"
},
"AGPL-3.0": {
"instructions": "",
"licenseType": "AGPL-3.0",
"severity": "high"
},
"Artistic-1.0": {
"instructions": "",
"licenseType": "Artistic-1.0",
"severity": "medium"
},
"Artistic-2.0": {
"instructions": "",
"licenseType": "Artistic-2.0",
"severity": "medium"
},
"CDDL-1.0": {
"instructions": "",
"licenseType": "CDDL-1.0",
"severity": "medium"
},
"CPOL-1.02": {
"instructions": "",
"licenseType": "CPOL-1.02",
"severity": "high"
},
"EPL-1.0": {
"instructions": "",
"licenseType": "EPL-1.0",
"severity": "medium"
},
"GPL-2.0": {
"instructions": "",
"licenseType": "GPL-2.0",
"severity": "high"
},
"GPL-3.0": {
"instructions": "",
"licenseType": "GPL-3.0",
"severity": "high"
},
"LGPL-2.0": {
"instructions": "",
"licenseType": "LGPL-2.0",
"severity": "medium"
},
"LGPL-2.1": {
"instructions": "",
"licenseType": "LGPL-2.1",
"severity": "medium"
},
"LGPL-3.0": {
"instructions": "",
"licenseType": "LGPL-3.0",
"severity": "medium"
},
"MPL-1.1": {
"instructions": "",
"licenseType": "MPL-1.1",
"severity": "medium"
},
"MPL-2.0": {
"instructions": "",
"licenseType": "MPL-2.0",
"severity": "medium"
},
"MS-RL": {
"instructions": "",
"licenseType": "MS-RL",
"severity": "medium"
},
"SimPL-2.0": {
"instructions": "",
"licenseType": "SimPL-2.0",
"severity": "high"
}
},
"severities": {}
},
"ok": true,
"org": "jonjagger",
"packageManager": "maven",
"path": "cyberdojo/shas@sha256:eaa2885bdceaeb49372ec734bab19f5e3e2d1ce59661fe6f97ad2d10ee39a8b0/shas@sha256:eaa2885bdceaeb49372ec734bab19f5e3e2d1ce59661fe6f97ad2d10ee39a8b0:/usr/local/bundle/gems/concurrent-ruby-1.2.2/lib/concurrent-ruby/concurrent",
"policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n",
"projectName": "cyberdojo/shas@sha256:eaa2885bdceaeb49372ec734bab19f5e3e2d1ce59661fe6f97ad2d10ee39a8b0:/usr/local/bundle/gems/concurrent-ruby-1.2.2/lib/concurrent-ruby/concurrent",
"severityThreshold": "medium",
"summary": "No medium or high or critical severity vulnerabilities",
"targetFile": "/usr/local/bundle/gems/concurrent-ruby-1.2.2/lib/concurrent-ruby/concurrent",
"uniqueCount": 0,
"vulnerabilities": []
}
],
"dependencyCount": 80,
"docker": {
"baseImage": "ruby:3.2.2-alpine3.18",
"baseImageRemediation": {
"advice": [
{
"bold": true,
"message": "According to our scan, you are currently using the most secure version of the selected base image"
}
],
"code": "NO_REMEDIATION_AVAILABLE"
},
"binariesVulns": {
"affectedPkgs": {},
"issuesData": {}
}
},
"filesystemPolicy": true,
"filtered": {
"ignore": [],
"patch": []
},
"hasUnknownVersions": false,
"ignoreSettings": {
"adminOnly": false,
"disregardFilesystemIgnores": false,
"reasonRequired": false
},
"isPrivate": true,
"licensesPolicy": {
"orgLicenseRules": {
"AGPL-1.0": {
"instructions": "",
"licenseType": "AGPL-1.0",
"severity": "high"
},
"AGPL-3.0": {
"instructions": "",
"licenseType": "AGPL-3.0",
"severity": "high"
},
"Artistic-1.0": {
"instructions": "",
"licenseType": "Artistic-1.0",
"severity": "medium"
},
"Artistic-2.0": {
"instructions": "",
"licenseType": "Artistic-2.0",
"severity": "medium"
},
"CDDL-1.0": {
"instructions": "",
"licenseType": "CDDL-1.0",
"severity": "medium"
},
"CPOL-1.02": {
"instructions": "",
"licenseType": "CPOL-1.02",
"severity": "high"
},
"EPL-1.0": {
"instructions": "",
"licenseType": "EPL-1.0",
"severity": "medium"
},
"GPL-2.0": {
"instructions": "",
"licenseType": "GPL-2.0",
"severity": "high"
},
"GPL-3.0": {
"instructions": "",
"licenseType": "GPL-3.0",
"severity": "high"
},
"LGPL-2.0": {
"instructions": "",
"licenseType": "LGPL-2.0",
"severity": "medium"
},
"LGPL-2.1": {
"instructions": "",
"licenseType": "LGPL-2.1",
"severity": "medium"
},
"LGPL-3.0": {
"instructions": "",
"licenseType": "LGPL-3.0",
"severity": "medium"
},
"MPL-1.1": {
"instructions": "",
"licenseType": "MPL-1.1",
"severity": "medium"
},
"MPL-2.0": {
"instructions": "",
"licenseType": "MPL-2.0",
"severity": "medium"
},
"MS-RL": {
"instructions": "",
"licenseType": "MS-RL",
"severity": "medium"
},
"SimPL-2.0": {
"instructions": "",
"licenseType": "SimPL-2.0",
"severity": "high"
}
},
"severities": {}
},
"ok": false,
"org": "jonjagger",
"packageManager": "apk",
"path": "cyberdojo/shas@sha256:eaa2885bdceaeb49372ec734bab19f5e3e2d1ce59661fe6f97ad2d10ee39a8b0/shas",
"platform": "linux/amd64",
"policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n",
"projectName": "docker-image|cyberdojo/shas",
"severityThreshold": "medium",
"summary": "6 medium or high or critical severity vulnerable dependency paths",
"uniqueCount": 2,
"vulnerabilities": [
{
"CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L/E:P",
"cpes": [],
"creationTime": "2023-10-11T11:45:04.817337Z",
"credit": [],
"cvssDetails": [],
"cvssScore": 7.7,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `curl` package and not the `curl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nin the `SOCKS5` proxy handshake process when the hostname is longer than the target buffer.\nThe local variable `socks5_resolve_local` could get the wrong value during a slow SOCKS5 handshake.\nSince the code wrongly thinks it should pass on the hostname, even though the hostname is too long to fit, the memory copy can overflow the allocated target buffer. \n\nThis is only exploitable if the SOCKS5 handshake is slow enough to trigger a local variable bug and the client uses a hostname longer than the download buffer.\n\nExploiting this vulnerability could allow an attacker to execute arbitrary code on the target system under certain conditions.\n\n\n**Note:**\n\nAn overflow is only possible in applications that don't set `CURLOPT_BUFFERSIZE` or set it smaller than 65541. \nSince the curl tool sets `CURLOPT_BUFFERSIZE` to 100kB by default, it is not vulnerable unless the user sets the rate limiting to a rate smaller than 65541 bytes/second.\n\nThe options that cause SOCKS5 with remote hostname to be used in `libcurl`:\n\n1) `CURLOPT_PROXYTYPE` set to type `CURLPROXY_SOCKS5_HOSTNAME`, or:\n`CURLOPT_PROXY` or `CURLOPT_PRE_PROXY` set to use the scheme `socks5h://`\n\n2) One of the proxy environment variables can be set to use the `socks5h://` scheme. For example, `http_proxy`, `HTTPS_PROXY` or `ALL_PROXY`.\n\n\nThe options that cause SOCKS5 with remote hostname to be used in the `curl` tool:\n\n1) `--socks5-hostname`, `--proxy` or `--preproxy` set to use the scheme `socks5h://`\n\n2) Environment variables as described in the libcurl section.\n\n\n\n**Changelog:**\n\n2023-10-04: Initial publication\n\n2023-10-11: Published updated information, including CWE, CVSS, official references and affected versions range.\n## Remediation\nUpgrade `Alpine:3.18` `curl` to version 8.4.0-r0 or higher.\n",
"disclosureTime": null,
"dockerBaseImage": "ruby:3.2.2-alpine3.18",
"epssDetails": null,
"exploit": "Proof of Concept",
"fixedIn": [
"8.4.0-r0"
],
"from": [
"docker-image|cyberdojo/shas@*",
"curl/libcurl@8.3.0-r0"
],
"id": "SNYK-ALPINE318-CURL-5958913",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-38545"
],
"CWE": [
"CWE-122"
]
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": true,
"language": "linux",
"malicious": false,
"modificationTime": "2023-10-12T06:20:00.497141Z",
"name": "curl/libcurl",
"nearestFixedInVersion": "8.4.0-r0",
"nvdSeverity": null,
"packageManager": "alpine:3.18",
"packageName": "curl",
"patches": [],
"publicationTime": "2023-10-11T11:43:48.209416Z",
"references": [],
"relativeImportance": null,
"semver": {
"vulnerable": [
"<8.4.0-r0"
]
},
"severity": "high",
"severityWithCritical": "high",
"socialTrendAlert": false,
"title": "Heap-based Buffer Overflow",
"upgradePath": [
false,
"curl/libcurl@8.4.0-r0"
],
"version": "8.3.0-r0"
},
{
"CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L/E:P",
"cpes": [],
"creationTime": "2023-10-11T11:45:04.817337Z",
"credit": [],
"cvssDetails": [],
"cvssScore": 7.7,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `curl` package and not the `curl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nin the `SOCKS5` proxy handshake process when the hostname is longer than the target buffer.\nThe local variable `socks5_resolve_local` could get the wrong value during a slow SOCKS5 handshake.\nSince the code wrongly thinks it should pass on the hostname, even though the hostname is too long to fit, the memory copy can overflow the allocated target buffer. \n\nThis is only exploitable if the SOCKS5 handshake is slow enough to trigger a local variable bug and the client uses a hostname longer than the download buffer.\n\nExploiting this vulnerability could allow an attacker to execute arbitrary code on the target system under certain conditions.\n\n\n**Note:**\n\nAn overflow is only possible in applications that don't set `CURLOPT_BUFFERSIZE` or set it smaller than 65541. \nSince the curl tool sets `CURLOPT_BUFFERSIZE` to 100kB by default, it is not vulnerable unless the user sets the rate limiting to a rate smaller than 65541 bytes/second.\n\nThe options that cause SOCKS5 with remote hostname to be used in `libcurl`:\n\n1) `CURLOPT_PROXYTYPE` set to type `CURLPROXY_SOCKS5_HOSTNAME`, or:\n`CURLOPT_PROXY` or `CURLOPT_PRE_PROXY` set to use the scheme `socks5h://`\n\n2) One of the proxy environment variables can be set to use the `socks5h://` scheme. For example, `http_proxy`, `HTTPS_PROXY` or `ALL_PROXY`.\n\n\nThe options that cause SOCKS5 with remote hostname to be used in the `curl` tool:\n\n1) `--socks5-hostname`, `--proxy` or `--preproxy` set to use the scheme `socks5h://`\n\n2) Environment variables as described in the libcurl section.\n\n\n\n**Changelog:**\n\n2023-10-04: Initial publication\n\n2023-10-11: Published updated information, including CWE, CVSS, official references and affected versions range.\n## Remediation\nUpgrade `Alpine:3.18` `curl` to version 8.4.0-r0 or higher.\n",
"disclosureTime": null,
"dockerBaseImage": "ruby:3.2.2-alpine3.18",
"epssDetails": null,
"exploit": "Proof of Concept",
"fixedIn": [
"8.4.0-r0"
],
"from": [
"docker-image|cyberdojo/shas@*",
"curl/curl@8.3.0-r0",
"curl/libcurl@8.3.0-r0"
],
"id": "SNYK-ALPINE318-CURL-5958913",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-38545"
],
"CWE": [
"CWE-122"
]
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": false,
"language": "linux",
"malicious": false,
"modificationTime": "2023-10-12T06:20:00.497141Z",
"name": "curl/libcurl",
"nearestFixedInVersion": "8.4.0-r0",
"nvdSeverity": null,
"packageManager": "alpine:3.18",
"packageName": "curl",
"patches": [],
"publicationTime": "2023-10-11T11:43:48.209416Z",
"references": [],
"relativeImportance": null,
"semver": {
"vulnerable": [
"<8.4.0-r0"
]
},
"severity": "high",
"severityWithCritical": "high",
"socialTrendAlert": false,
"title": "Heap-based Buffer Overflow",
"upgradePath": [],
"version": "8.3.0-r0"
},
{
"CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L/E:P",
"cpes": [],
"creationTime": "2023-10-11T11:45:04.817337Z",
"credit": [],
"cvssDetails": [],
"cvssScore": 7.7,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `curl` package and not the `curl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nin the `SOCKS5` proxy handshake process when the hostname is longer than the target buffer.\nThe local variable `socks5_resolve_local` could get the wrong value during a slow SOCKS5 handshake.\nSince the code wrongly thinks it should pass on the hostname, even though the hostname is too long to fit, the memory copy can overflow the allocated target buffer. \n\nThis is only exploitable if the SOCKS5 handshake is slow enough to trigger a local variable bug and the client uses a hostname longer than the download buffer.\n\nExploiting this vulnerability could allow an attacker to execute arbitrary code on the target system under certain conditions.\n\n\n**Note:**\n\nAn overflow is only possible in applications that don't set `CURLOPT_BUFFERSIZE` or set it smaller than 65541. \nSince the curl tool sets `CURLOPT_BUFFERSIZE` to 100kB by default, it is not vulnerable unless the user sets the rate limiting to a rate smaller than 65541 bytes/second.\n\nThe options that cause SOCKS5 with remote hostname to be used in `libcurl`:\n\n1) `CURLOPT_PROXYTYPE` set to type `CURLPROXY_SOCKS5_HOSTNAME`, or:\n`CURLOPT_PROXY` or `CURLOPT_PRE_PROXY` set to use the scheme `socks5h://`\n\n2) One of the proxy environment variables can be set to use the `socks5h://` scheme. For example, `http_proxy`, `HTTPS_PROXY` or `ALL_PROXY`.\n\n\nThe options that cause SOCKS5 with remote hostname to be used in the `curl` tool:\n\n1) `--socks5-hostname`, `--proxy` or `--preproxy` set to use the scheme `socks5h://`\n\n2) Environment variables as described in the libcurl section.\n\n\n\n**Changelog:**\n\n2023-10-04: Initial publication\n\n2023-10-11: Published updated information, including CWE, CVSS, official references and affected versions range.\n## Remediation\nUpgrade `Alpine:3.18` `curl` to version 8.4.0-r0 or higher.\n",
"disclosureTime": null,
"dockerBaseImage": "ruby:3.2.2-alpine3.18",
"epssDetails": null,
"exploit": "Proof of Concept",
"fixedIn": [
"8.4.0-r0"
],
"from": [
"docker-image|cyberdojo/shas@*",
"curl/curl@8.3.0-r0"
],
"id": "SNYK-ALPINE318-CURL-5958913",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-38545"
],
"CWE": [
"CWE-122"
]
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": true,
"language": "linux",
"malicious": false,
"modificationTime": "2023-10-12T06:20:00.497141Z",
"name": "curl/curl",
"nearestFixedInVersion": "8.4.0-r0",
"nvdSeverity": null,
"packageManager": "alpine:3.18",
"packageName": "curl",
"patches": [],
"publicationTime": "2023-10-11T11:43:48.209416Z",
"references": [],
"relativeImportance": null,
"semver": {
"vulnerable": [
"<8.4.0-r0"
]
},
"severity": "high",
"severityWithCritical": "high",
"socialTrendAlert": false,
"title": "Heap-based Buffer Overflow",
"upgradePath": [
false,
"curl/curl@8.4.0-r0"
],
"version": "8.3.0-r0"
},
{
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H",
"cpes": [],
"creationTime": "2023-10-11T04:04:38.629011Z",
"credit": [
""
],
"cvssDetails": [
{
"assigner": "NVD",
"cvssV3BaseScore": 7.5,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H",
"modificationTime": "2023-10-11T14:31:08.807516Z",
"severity": "high"
}
],
"cvssScore": 7.5,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `nghttp2` package and not the `nghttp2` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nThe HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.\n## Remediation\nUpgrade `Alpine:3.18` `nghttp2` to version 1.57.0-r0 or higher.\n## References\n- [cve@mitre.org](https://aws.amazon.com/security/security-bulletins/AWS-2023-011/)\n- [cve@mitre.org](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [cve@mitre.org](https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/)\n- [cve@mitre.org](https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/)\n- [cve@mitre.org](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37831062)\n- [cve@mitre.org](https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/)\n- [cve@mitre.org](https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack)\n- [cve@mitre.org](https://chaos.social/@icing/111210915918780532)\n- [cve@mitre.org](https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764)\n- [cve@mitre.org](https://github.com/alibaba/tengine/issues/1872)\n- [cve@mitre.org](https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2)\n- [cve@mitre.org](https://github.com/bcdannyboy/CVE-2023-44487)\n- [cve@mitre.org](https://github.com/caddyserver/caddy/issues/5877)\n- [cve@mitre.org](https://github.com/eclipse/jetty.project/issues/10679)\n- [cve@mitre.org](https://github.com/envoyproxy/envoy/pull/30055)\n- [cve@mitre.org](https://github.com/haproxy/haproxy/issues/2312)\n- [cve@mitre.org](https://github.com/hyperium/hyper/issues/3337)\n- [cve@mitre.org](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [cve@mitre.org](https://github.com/nghttp2/nghttp2/pull/1961)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37830987)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37830998)\n- [cve@mitre.org](https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/)\n- [cve@mitre.org](https://github.com/grpc/grpc-go/pull/6703)\n- [cve@mitre.org](https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244)\n- [cve@mitre.org](https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0)\n- [cve@mitre.org](https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html)\n- [cve@mitre.org](https://my.f5.com/manage/s/article/K000137106)\n- [cve@mitre.org](https://bugzilla.proxmox.com/show_bug.cgi?id=4988)\n- [cve@mitre.org](https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9)\n- [cve@mitre.org](https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/)\n- [cve@mitre.org](https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve)\n- [cve@mitre.org](https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088)\n- [cve@mitre.org](https://github.com/advisories/GHSA-vx74-f528-fxqg)\n- [cve@mitre.org](https://github.com/apache/trafficserver/pull/10564)\n- [cve@mitre.org](https://github.com/dotnet/announcements/issues/277)\n- [cve@mitre.org](https://github.com/facebook/proxygen/pull/466)\n- [cve@mitre.org](https://github.com/golang/go/issues/63417)\n- [cve@mitre.org](https://github.com/h2o/h2o/pull/3291)\n- [cve@mitre.org](https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf)\n- [cve@mitre.org](https://github.com/micrictor/http2-rst-stream)\n- [cve@mitre.org](https://github.com/microsoft/CBL-Mariner/pull/6381)\n- [cve@mitre.org](https://github.com/nodejs/node/pull/50121)\n- [cve@mitre.org](https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo)\n- [cve@mitre.org](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487)\n- [cve@mitre.org](https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/)\n- [cve@mitre.org](https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q)\n- [cve@mitre.org](https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected)\n- [cve@mitre.org](https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14)\n- [cve@mitre.org](https://www.openwall.com/lists/oss-security/2023/10/10/6)\n- [cve@mitre.org](https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73)\n- [cve@mitre.org](https://github.com/advisories/GHSA-xpw8-rcwv-8f8p)\n- [cve@mitre.org](https://github.com/kubernetes/kubernetes/pull/121120)\n- [cve@mitre.org](https://github.com/opensearch-project/data-prepper/issues/3474)\n- [cve@mitre.org](https://github.com/oqtane/oqtane.framework/discussions/3367)\n- [cve@mitre.org](https://netty.io/news/2023/10/10/4-1-100-Final.html)\n- [cve@mitre.org](https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487)\n- [cve@mitre.org](https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack)\n- [cve@mitre.org](https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113)\n- [cve@mitre.org](https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1)\n- [cve@mitre.org](https://github.com/kazu-yamamoto/http2/issues/93)\n- [cve@mitre.org](https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37837043)\n- [cve@mitre.org](https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5521)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5522)\n- [cve@mitre.org](https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/)\n- [cve@mitre.org](https://access.redhat.com/security/cve/cve-2023-44487)\n- [cve@mitre.org](https://blog.vespa.ai/cve-2023-44487/)\n- [cve@mitre.org](https://bugzilla.redhat.com/show_bug.cgi?id=2242803)\n- [cve@mitre.org](https://bugzilla.suse.com/show_bug.cgi?id=1216123)\n- [cve@mitre.org](https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125)\n- [cve@mitre.org](https://github.com/advisories/GHSA-qppj-fm5r-hxr3)\n- [cve@mitre.org](https://github.com/etcd-io/etcd/issues/16740)\n- [cve@mitre.org](https://github.com/junkurihara/rust-rpxy/issues/97)\n- [cve@mitre.org](https://github.com/ninenines/cowboy/issues/1615)\n- [cve@mitre.org](https://github.com/tempesta-tech/tempesta/issues/1986)\n- [cve@mitre.org](https://github.com/varnishcache/varnish-cache/issues/3996)\n- [cve@mitre.org](https://istio.io/latest/news/security/istio-security-2023-004/)\n- [cve@mitre.org](https://ubuntu.com/security/CVE-2023-44487)\n- [cve@mitre.org](https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event)\n- [cve@mitre.org](https://github.com/apache/httpd-site/pull/10)\n- [cve@mitre.org](https://github.com/line/armeria/pull/5232)\n- [cve@mitre.org](https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632)\n- [cve@mitre.org](https://github.com/projectcontour/contour/pull/5826)\n- [cve@mitre.org](https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n",
"disclosureTime": "2023-10-10T14:15:10.883000Z",
"dockerBaseImage": "ruby:3.2.2-alpine3.18",
"dockerfileInstruction": "apk add nodejs",
"epssDetails": null,
"exploit": "High",
"fixedIn": [
"1.57.0-r0"
],
"from": [
"docker-image|cyberdojo/shas@*",
"nghttp2/nghttp2-libs@1.55.1-r0"
],
"id": "SNYK-ALPINE318-NGHTTP2-5954768",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-44487"
],
"CWE": [
"CWE-400"
]
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": true,
"language": "linux",
"malicious": false,
"modificationTime": "2023-10-12T01:11:09.035012Z",
"name": "nghttp2/nghttp2-libs",
"nearestFixedInVersion": "1.57.0-r0",
"nvdSeverity": "high",
"packageManager": "alpine:3.18",
"packageName": "nghttp2",
"patches": [],
"publicationTime": "2023-10-11T04:04:38.608135Z",
"references": [
{
"title": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/",
"url": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/"
},
{
"title": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/",
"url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/"
},
{
"title": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/",
"url": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/"
},
{
"title": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/",
"url": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/"
},
{
"title": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack",
"url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack"
},
{
"title": "https://news.ycombinator.com/item?id=37831062",
"url": "https://news.ycombinator.com/item?id=37831062"
},
{
"title": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/",
"url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/"
},
{
"title": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack",
"url": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack"
},
{
"title": "https://chaos.social/@icing/111210915918780532",
"url": "https://chaos.social/@icing/111210915918780532"
},
{
"title": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764",
"url": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764"
},
{
"title": "https://github.com/alibaba/tengine/issues/1872",
"url": "https://github.com/alibaba/tengine/issues/1872"
},
{
"title": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2",
"url": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2"
},
{
"title": "https://github.com/bcdannyboy/CVE-2023-44487",
"url": "https://github.com/bcdannyboy/CVE-2023-44487"
},
{
"title": "https://github.com/caddyserver/caddy/issues/5877",
"url": "https://github.com/caddyserver/caddy/issues/5877"
},
{
"title": "https://github.com/eclipse/jetty.project/issues/10679",
"url": "https://github.com/eclipse/jetty.project/issues/10679"
},
{
"title": "https://github.com/envoyproxy/envoy/pull/30055",
"url": "https://github.com/envoyproxy/envoy/pull/30055"
},
{
"title": "https://github.com/haproxy/haproxy/issues/2312",
"url": "https://github.com/haproxy/haproxy/issues/2312"
},
{
"title": "https://github.com/hyperium/hyper/issues/3337",
"url": "https://github.com/hyperium/hyper/issues/3337"
},
{
"title": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61",
"url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61"
},
{
"title": "https://github.com/nghttp2/nghttp2/pull/1961",
"url": "https://github.com/nghttp2/nghttp2/pull/1961"
},
{
"title": "https://news.ycombinator.com/item?id=37830987",
"url": "https://news.ycombinator.com/item?id=37830987"
},
{
"title": "https://news.ycombinator.com/item?id=37830998",
"url": "https://news.ycombinator.com/item?id=37830998"
},
{
"title": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/",
"url": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/"
},
{
"title": "https://github.com/grpc/grpc-go/pull/6703",
"url": "https://github.com/grpc/grpc-go/pull/6703"
},
{
"title": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1%23L239-L244",
"url": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1%23L239-L244"
},
{
"title": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0",
"url": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0"
},
{
"title": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html",
"url": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html"
},
{
"title": "https://my.f5.com/manage/s/article/K000137106",
"url": "https://my.f5.com/manage/s/article/K000137106"
},
{
"title": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988",
"url": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988"
},
{
"title": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9",
"url": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9"
},
{
"title": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/",
"url": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/"
},
{
"title": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve",
"url": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve"
},
{
"title": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088",
"url": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088"
},
{
"title": "https://github.com/advisories/GHSA-vx74-f528-fxqg",
"url": "https://github.com/advisories/GHSA-vx74-f528-fxqg"
},
{
"title": "https://github.com/apache/trafficserver/pull/10564",
"url": "https://github.com/apache/trafficserver/pull/10564"
},
{
"title": "https://github.com/dotnet/announcements/issues/277",
"url": "https://github.com/dotnet/announcements/issues/277"
},
{
"title": "https://github.com/facebook/proxygen/pull/466",
"url": "https://github.com/facebook/proxygen/pull/466"
},
{
"title": "https://github.com/golang/go/issues/63417",
"url": "https://github.com/golang/go/issues/63417"
},
{
"title": "https://github.com/h2o/h2o/pull/3291",
"url": "https://github.com/h2o/h2o/pull/3291"
},
{
"title": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf",
"url": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf"
},
{
"title": "https://github.com/micrictor/http2-rst-stream",
"url": "https://github.com/micrictor/http2-rst-stream"
},
{
"title": "https://github.com/microsoft/CBL-Mariner/pull/6381",
"url": "https://github.com/microsoft/CBL-Mariner/pull/6381"
},
{
"title": "https://github.com/nodejs/node/pull/50121",
"url": "https://github.com/nodejs/node/pull/50121"
},
{
"title": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo",
"url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo"
},
{
"title": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487"
},
{
"title": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/",
"url": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/"
},
{
"title": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q",
"url": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q"
},
{
"title": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected",
"url": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected"
},
{
"title": "https://tomcat.apache.org/security-10.html%23Fixed_in_Apache_Tomcat_10.1.14",
"url": "https://tomcat.apache.org/security-10.html%23Fixed_in_Apache_Tomcat_10.1.14"
},
{
"title": "https://www.openwall.com/lists/oss-security/2023/10/10/6",
"url": "https://www.openwall.com/lists/oss-security/2023/10/10/6"
},
{
"title": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1%23L73",
"url": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1%23L73"
},
{
"title": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p",
"url": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p"
},
{
"title": "https://github.com/kubernetes/kubernetes/pull/121120",
"url": "https://github.com/kubernetes/kubernetes/pull/121120"
},
{
"title": "https://github.com/opensearch-project/data-prepper/issues/3474",
"url": "https://github.com/opensearch-project/data-prepper/issues/3474"
},
{
"title": "https://github.com/oqtane/oqtane.framework/discussions/3367",
"url": "https://github.com/oqtane/oqtane.framework/discussions/3367"
},
{
"title": "https://netty.io/news/2023/10/10/4-1-100-Final.html",
"url": "https://netty.io/news/2023/10/10/4-1-100-Final.html"
},
{
"title": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487",
"url": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487"
},
{
"title": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack",
"url": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack"
},
{
"title": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c%23L1101-L1113",
"url": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c%23L1101-L1113"
},
{
"title": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1",
"url": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1"
},
{
"title": "https://github.com/kazu-yamamoto/http2/issues/93",
"url": "https://github.com/kazu-yamamoto/http2/issues/93"
},
{
"title": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html",
"url": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html"
},
{
"title": "https://news.ycombinator.com/item?id=37837043",
"url": "https://news.ycombinator.com/item?id=37837043"
},
{
"title": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487",
"url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487"
},
{
"title": "https://www.debian.org/security/2023/dsa-5521",
"url": "https://www.debian.org/security/2023/dsa-5521"
},
{
"title": "https://www.debian.org/security/2023/dsa-5522",
"url": "https://www.debian.org/security/2023/dsa-5522"
},
{
"title": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/",
"url": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/"
},
{
"title": "https://access.redhat.com/security/cve/cve-2023-44487",
"url": "https://access.redhat.com/security/cve/cve-2023-44487"
},
{
"title": "https://blog.vespa.ai/cve-2023-44487/",
"url": "https://blog.vespa.ai/cve-2023-44487/"
},
{
"title": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803"
},
{
"title": "https://bugzilla.suse.com/show_bug.cgi?id=1216123",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1216123"
},
{
"title": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125",
"url": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125"
},
{
"title": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3",
"url": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3"
},
{
"title": "https://github.com/etcd-io/etcd/issues/16740",
"url": "https://github.com/etcd-io/etcd/issues/16740"
},
{
"title": "https://github.com/junkurihara/rust-rpxy/issues/97",
"url": "https://github.com/junkurihara/rust-rpxy/issues/97"
},
{
"title": "https://github.com/ninenines/cowboy/issues/1615",
"url": "https://github.com/ninenines/cowboy/issues/1615"
},
{
"title": "https://github.com/tempesta-tech/tempesta/issues/1986",
"url": "https://github.com/tempesta-tech/tempesta/issues/1986"
},
{
"title": "https://github.com/varnishcache/varnish-cache/issues/3996",
"url": "https://github.com/varnishcache/varnish-cache/issues/3996"
},
{
"title": "https://istio.io/latest/news/security/istio-security-2023-004/",
"url": "https://istio.io/latest/news/security/istio-security-2023-004/"
},
{
"title": "https://ubuntu.com/security/CVE-2023-44487",
"url": "https://ubuntu.com/security/CVE-2023-44487"
},
{
"title": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event",
"url": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event"
},
{
"title": "https://github.com/apache/httpd-site/pull/10",
"url": "https://github.com/apache/httpd-site/pull/10"
},
{
"title": "https://github.com/line/armeria/pull/5232",
"url": "https://github.com/line/armeria/pull/5232"
},
{
"title": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632",
"url": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632"
},
{
"title": "https://github.com/projectcontour/contour/pull/5826",
"url": "https://github.com/projectcontour/contour/pull/5826"
},
{
"title": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/",
"url": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/"
},
{
"title": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"relativeImportance": null,
"semver": {
"vulnerable": [
"<1.57.0-r0"
]
},
"severity": "high",
"severityWithCritical": "high",
"socialTrendAlert": false,
"title": "Resource Exhaustion",
"upgradePath": [
false,
"nghttp2/nghttp2-libs@1.57.0-r0"
],
"version": "1.55.1-r0"
},
{
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H",
"cpes": [],
"creationTime": "2023-10-11T04:04:38.629011Z",
"credit": [
""
],
"cvssDetails": [
{
"assigner": "NVD",
"cvssV3BaseScore": 7.5,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H",
"modificationTime": "2023-10-11T14:31:08.807516Z",
"severity": "high"
}
],
"cvssScore": 7.5,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `nghttp2` package and not the `nghttp2` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nThe HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.\n## Remediation\nUpgrade `Alpine:3.18` `nghttp2` to version 1.57.0-r0 or higher.\n## References\n- [cve@mitre.org](https://aws.amazon.com/security/security-bulletins/AWS-2023-011/)\n- [cve@mitre.org](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [cve@mitre.org](https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/)\n- [cve@mitre.org](https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/)\n- [cve@mitre.org](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37831062)\n- [cve@mitre.org](https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/)\n- [cve@mitre.org](https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack)\n- [cve@mitre.org](https://chaos.social/@icing/111210915918780532)\n- [cve@mitre.org](https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764)\n- [cve@mitre.org](https://github.com/alibaba/tengine/issues/1872)\n- [cve@mitre.org](https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2)\n- [cve@mitre.org](https://github.com/bcdannyboy/CVE-2023-44487)\n- [cve@mitre.org](https://github.com/caddyserver/caddy/issues/5877)\n- [cve@mitre.org](https://github.com/eclipse/jetty.project/issues/10679)\n- [cve@mitre.org](https://github.com/envoyproxy/envoy/pull/30055)\n- [cve@mitre.org](https://github.com/haproxy/haproxy/issues/2312)\n- [cve@mitre.org](https://github.com/hyperium/hyper/issues/3337)\n- [cve@mitre.org](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [cve@mitre.org](https://github.com/nghttp2/nghttp2/pull/1961)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37830987)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37830998)\n- [cve@mitre.org](https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/)\n- [cve@mitre.org](https://github.com/grpc/grpc-go/pull/6703)\n- [cve@mitre.org](https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244)\n- [cve@mitre.org](https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0)\n- [cve@mitre.org](https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html)\n- [cve@mitre.org](https://my.f5.com/manage/s/article/K000137106)\n- [cve@mitre.org](https://bugzilla.proxmox.com/show_bug.cgi?id=4988)\n- [cve@mitre.org](https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9)\n- [cve@mitre.org](https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/)\n- [cve@mitre.org](https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve)\n- [cve@mitre.org](https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088)\n- [cve@mitre.org](https://github.com/advisories/GHSA-vx74-f528-fxqg)\n- [cve@mitre.org](https://github.com/apache/trafficserver/pull/10564)\n- [cve@mitre.org](https://github.com/dotnet/announcements/issues/277)\n- [cve@mitre.org](https://github.com/facebook/proxygen/pull/466)\n- [cve@mitre.org](https://github.com/golang/go/issues/63417)\n- [cve@mitre.org](https://github.com/h2o/h2o/pull/3291)\n- [cve@mitre.org](https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf)\n- [cve@mitre.org](https://github.com/micrictor/http2-rst-stream)\n- [cve@mitre.org](https://github.com/microsoft/CBL-Mariner/pull/6381)\n- [cve@mitre.org](https://github.com/nodejs/node/pull/50121)\n- [cve@mitre.org](https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo)\n- [cve@mitre.org](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487)\n- [cve@mitre.org](https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/)\n- [cve@mitre.org](https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q)\n- [cve@mitre.org](https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected)\n- [cve@mitre.org](https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14)\n- [cve@mitre.org](https://www.openwall.com/lists/oss-security/2023/10/10/6)\n- [cve@mitre.org](https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73)\n- [cve@mitre.org](https://github.com/advisories/GHSA-xpw8-rcwv-8f8p)\n- [cve@mitre.org](https://github.com/kubernetes/kubernetes/pull/121120)\n- [cve@mitre.org](https://github.com/opensearch-project/data-prepper/issues/3474)\n- [cve@mitre.org](https://github.com/oqtane/oqtane.framework/discussions/3367)\n- [cve@mitre.org](https://netty.io/news/2023/10/10/4-1-100-Final.html)\n- [cve@mitre.org](https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487)\n- [cve@mitre.org](https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack)\n- [cve@mitre.org](https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113)\n- [cve@mitre.org](https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1)\n- [cve@mitre.org](https://github.com/kazu-yamamoto/http2/issues/93)\n- [cve@mitre.org](https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37837043)\n- [cve@mitre.org](https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5521)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5522)\n- [cve@mitre.org](https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/)\n- [cve@mitre.org](https://access.redhat.com/security/cve/cve-2023-44487)\n- [cve@mitre.org](https://blog.vespa.ai/cve-2023-44487/)\n- [cve@mitre.org](https://bugzilla.redhat.com/show_bug.cgi?id=2242803)\n- [cve@mitre.org](https://bugzilla.suse.com/show_bug.cgi?id=1216123)\n- [cve@mitre.org](https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125)\n- [cve@mitre.org](https://github.com/advisories/GHSA-qppj-fm5r-hxr3)\n- [cve@mitre.org](https://github.com/etcd-io/etcd/issues/16740)\n- [cve@mitre.org](https://github.com/junkurihara/rust-rpxy/issues/97)\n- [cve@mitre.org](https://github.com/ninenines/cowboy/issues/1615)\n- [cve@mitre.org](https://github.com/tempesta-tech/tempesta/issues/1986)\n- [cve@mitre.org](https://github.com/varnishcache/varnish-cache/issues/3996)\n- [cve@mitre.org](https://istio.io/latest/news/security/istio-security-2023-004/)\n- [cve@mitre.org](https://ubuntu.com/security/CVE-2023-44487)\n- [cve@mitre.org](https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event)\n- [cve@mitre.org](https://github.com/apache/httpd-site/pull/10)\n- [cve@mitre.org](https://github.com/line/armeria/pull/5232)\n- [cve@mitre.org](https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632)\n- [cve@mitre.org](https://github.com/projectcontour/contour/pull/5826)\n- [cve@mitre.org](https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n",
"disclosureTime": "2023-10-10T14:15:10.883000Z",
"dockerBaseImage": "ruby:3.2.2-alpine3.18",
"dockerfileInstruction": "apk add nodejs",
"epssDetails": null,
"exploit": "High",
"fixedIn": [
"1.57.0-r0"
],
"from": [
"docker-image|cyberdojo/shas@*",
"nodejs/nodejs@18.17.1-r0",
"nghttp2/nghttp2-libs@1.55.1-r0"
],
"id": "SNYK-ALPINE318-NGHTTP2-5954768",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-44487"
],
"CWE": [
"CWE-400"
]
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": false,
"language": "linux",
"malicious": false,
"modificationTime": "2023-10-12T01:11:09.035012Z",
"name": "nghttp2/nghttp2-libs",
"nearestFixedInVersion": "1.57.0-r0",
"nvdSeverity": "high",
"packageManager": "alpine:3.18",
"packageName": "nghttp2",
"patches": [],
"publicationTime": "2023-10-11T04:04:38.608135Z",
"references": [
{
"title": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/",
"url": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/"
},
{
"title": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/",
"url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/"
},
{
"title": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/",
"url": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/"
},
{
"title": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/",
"url": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/"
},
{
"title": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack",
"url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack"
},
{
"title": "https://news.ycombinator.com/item?id=37831062",
"url": "https://news.ycombinator.com/item?id=37831062"
},
{
"title": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/",
"url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/"
},
{
"title": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack",
"url": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack"
},
{
"title": "https://chaos.social/@icing/111210915918780532",
"url": "https://chaos.social/@icing/111210915918780532"
},
{
"title": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764",
"url": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764"
},
{
"title": "https://github.com/alibaba/tengine/issues/1872",
"url": "https://github.com/alibaba/tengine/issues/1872"
},
{
"title": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2",
"url": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2"
},
{
"title": "https://github.com/bcdannyboy/CVE-2023-44487",
"url": "https://github.com/bcdannyboy/CVE-2023-44487"
},
{
"title": "https://github.com/caddyserver/caddy/issues/5877",
"url": "https://github.com/caddyserver/caddy/issues/5877"
},
{
"title": "https://github.com/eclipse/jetty.project/issues/10679",
"url": "https://github.com/eclipse/jetty.project/issues/10679"
},
{
"title": "https://github.com/envoyproxy/envoy/pull/30055",
"url": "https://github.com/envoyproxy/envoy/pull/30055"
},
{
"title": "https://github.com/haproxy/haproxy/issues/2312",
"url": "https://github.com/haproxy/haproxy/issues/2312"
},
{
"title": "https://github.com/hyperium/hyper/issues/3337",
"url": "https://github.com/hyperium/hyper/issues/3337"
},
{
"title": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61",
"url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61"
},
{
"title": "https://github.com/nghttp2/nghttp2/pull/1961",
"url": "https://github.com/nghttp2/nghttp2/pull/1961"
},
{
"title": "https://news.ycombinator.com/item?id=37830987",
"url": "https://news.ycombinator.com/item?id=37830987"
},
{
"title": "https://news.ycombinator.com/item?id=37830998",
"url": "https://news.ycombinator.com/item?id=37830998"
},
{
"title": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/",
"url": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/"
},
{
"title": "https://github.com/grpc/grpc-go/pull/6703",
"url": "https://github.com/grpc/grpc-go/pull/6703"
},
{
"title": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1%23L239-L244",
"url": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1%23L239-L244"
},
{
"title": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0",
"url": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0"
},
{
"title": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html",
"url": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html"
},
{
"title": "https://my.f5.com/manage/s/article/K000137106",
"url": "https://my.f5.com/manage/s/article/K000137106"
},
{
"title": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988",
"url": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988"
},
{
"title": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9",
"url": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9"
},
{
"title": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/",
"url": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/"
},
{
"title": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve",
"url": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve"
},
{
"title": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088",
"url": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088"
},
{
"title": "https://github.com/advisories/GHSA-vx74-f528-fxqg",
"url": "https://github.com/advisories/GHSA-vx74-f528-fxqg"
},
{
"title": "https://github.com/apache/trafficserver/pull/10564",
"url": "https://github.com/apache/trafficserver/pull/10564"
},
{
"title": "https://github.com/dotnet/announcements/issues/277",
"url": "https://github.com/dotnet/announcements/issues/277"
},
{
"title": "https://github.com/facebook/proxygen/pull/466",
"url": "https://github.com/facebook/proxygen/pull/466"
},
{
"title": "https://github.com/golang/go/issues/63417",
"url": "https://github.com/golang/go/issues/63417"
},
{
"title": "https://github.com/h2o/h2o/pull/3291",
"url": "https://github.com/h2o/h2o/pull/3291"
},
{
"title": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf",
"url": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf"
},
{
"title": "https://github.com/micrictor/http2-rst-stream",
"url": "https://github.com/micrictor/http2-rst-stream"
},
{
"title": "https://github.com/microsoft/CBL-Mariner/pull/6381",
"url": "https://github.com/microsoft/CBL-Mariner/pull/6381"
},
{
"title": "https://github.com/nodejs/node/pull/50121",
"url": "https://github.com/nodejs/node/pull/50121"
},
{
"title": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo",
"url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo"
},
{
"title": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487"
},
{
"title": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/",
"url": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/"
},
{
"title": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q",
"url": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q"
},
{
"title": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected",
"url": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected"
},
{
"title": "https://tomcat.apache.org/security-10.html%23Fixed_in_Apache_Tomcat_10.1.14",
"url": "https://tomcat.apache.org/security-10.html%23Fixed_in_Apache_Tomcat_10.1.14"
},
{
"title": "https://www.openwall.com/lists/oss-security/2023/10/10/6",
"url": "https://www.openwall.com/lists/oss-security/2023/10/10/6"
},
{
"title": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1%23L73",
"url": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1%23L73"
},
{
"title": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p",
"url": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p"
},
{
"title": "https://github.com/kubernetes/kubernetes/pull/121120",
"url": "https://github.com/kubernetes/kubernetes/pull/121120"
},
{
"title": "https://github.com/opensearch-project/data-prepper/issues/3474",
"url": "https://github.com/opensearch-project/data-prepper/issues/3474"
},
{
"title": "https://github.com/oqtane/oqtane.framework/discussions/3367",
"url": "https://github.com/oqtane/oqtane.framework/discussions/3367"
},
{
"title": "https://netty.io/news/2023/10/10/4-1-100-Final.html",
"url": "https://netty.io/news/2023/10/10/4-1-100-Final.html"
},
{
"title": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487",
"url": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487"
},
{
"title": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack",
"url": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack"
},
{
"title": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c%23L1101-L1113",
"url": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c%23L1101-L1113"
},
{
"title": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1",
"url": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1"
},
{
"title": "https://github.com/kazu-yamamoto/http2/issues/93",
"url": "https://github.com/kazu-yamamoto/http2/issues/93"
},
{
"title": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html",
"url": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html"
},
{
"title": "https://news.ycombinator.com/item?id=37837043",
"url": "https://news.ycombinator.com/item?id=37837043"
},
{
"title": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487",
"url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487"
},
{
"title": "https://www.debian.org/security/2023/dsa-5521",
"url": "https://www.debian.org/security/2023/dsa-5521"
},
{
"title": "https://www.debian.org/security/2023/dsa-5522",
"url": "https://www.debian.org/security/2023/dsa-5522"
},
{
"title": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/",
"url": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/"
},
{
"title": "https://access.redhat.com/security/cve/cve-2023-44487",
"url": "https://access.redhat.com/security/cve/cve-2023-44487"
},
{
"title": "https://blog.vespa.ai/cve-2023-44487/",
"url": "https://blog.vespa.ai/cve-2023-44487/"
},
{
"title": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803"
},
{
"title": "https://bugzilla.suse.com/show_bug.cgi?id=1216123",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1216123"
},
{
"title": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125",
"url": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125"
},
{
"title": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3",
"url": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3"
},
{
"title": "https://github.com/etcd-io/etcd/issues/16740",
"url": "https://github.com/etcd-io/etcd/issues/16740"
},
{
"title": "https://github.com/junkurihara/rust-rpxy/issues/97",
"url": "https://github.com/junkurihara/rust-rpxy/issues/97"
},
{
"title": "https://github.com/ninenines/cowboy/issues/1615",
"url": "https://github.com/ninenines/cowboy/issues/1615"
},
{
"title": "https://github.com/tempesta-tech/tempesta/issues/1986",
"url": "https://github.com/tempesta-tech/tempesta/issues/1986"
},
{
"title": "https://github.com/varnishcache/varnish-cache/issues/3996",
"url": "https://github.com/varnishcache/varnish-cache/issues/3996"
},
{
"title": "https://istio.io/latest/news/security/istio-security-2023-004/",
"url": "https://istio.io/latest/news/security/istio-security-2023-004/"
},
{
"title": "https://ubuntu.com/security/CVE-2023-44487",
"url": "https://ubuntu.com/security/CVE-2023-44487"
},
{
"title": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event",
"url": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event"
},
{
"title": "https://github.com/apache/httpd-site/pull/10",
"url": "https://github.com/apache/httpd-site/pull/10"
},
{
"title": "https://github.com/line/armeria/pull/5232",
"url": "https://github.com/line/armeria/pull/5232"
},
{
"title": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632",
"url": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632"
},
{
"title": "https://github.com/projectcontour/contour/pull/5826",
"url": "https://github.com/projectcontour/contour/pull/5826"
},
{
"title": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/",
"url": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/"
},
{
"title": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"relativeImportance": null,
"semver": {
"vulnerable": [
"<1.57.0-r0"
]
},
"severity": "high",
"severityWithCritical": "high",
"socialTrendAlert": false,
"title": "Resource Exhaustion",
"upgradePath": [],
"version": "1.55.1-r0"
},
{
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H",
"cpes": [],
"creationTime": "2023-10-11T04:04:38.629011Z",
"credit": [
""
],
"cvssDetails": [
{
"assigner": "NVD",
"cvssV3BaseScore": 7.5,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H",
"modificationTime": "2023-10-11T14:31:08.807516Z",
"severity": "high"
}
],
"cvssScore": 7.5,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `nghttp2` package and not the `nghttp2` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nThe HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.\n## Remediation\nUpgrade `Alpine:3.18` `nghttp2` to version 1.57.0-r0 or higher.\n## References\n- [cve@mitre.org](https://aws.amazon.com/security/security-bulletins/AWS-2023-011/)\n- [cve@mitre.org](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [cve@mitre.org](https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/)\n- [cve@mitre.org](https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/)\n- [cve@mitre.org](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37831062)\n- [cve@mitre.org](https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/)\n- [cve@mitre.org](https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack)\n- [cve@mitre.org](https://chaos.social/@icing/111210915918780532)\n- [cve@mitre.org](https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764)\n- [cve@mitre.org](https://github.com/alibaba/tengine/issues/1872)\n- [cve@mitre.org](https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2)\n- [cve@mitre.org](https://github.com/bcdannyboy/CVE-2023-44487)\n- [cve@mitre.org](https://github.com/caddyserver/caddy/issues/5877)\n- [cve@mitre.org](https://github.com/eclipse/jetty.project/issues/10679)\n- [cve@mitre.org](https://github.com/envoyproxy/envoy/pull/30055)\n- [cve@mitre.org](https://github.com/haproxy/haproxy/issues/2312)\n- [cve@mitre.org](https://github.com/hyperium/hyper/issues/3337)\n- [cve@mitre.org](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [cve@mitre.org](https://github.com/nghttp2/nghttp2/pull/1961)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37830987)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37830998)\n- [cve@mitre.org](https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/)\n- [cve@mitre.org](https://github.com/grpc/grpc-go/pull/6703)\n- [cve@mitre.org](https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244)\n- [cve@mitre.org](https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0)\n- [cve@mitre.org](https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html)\n- [cve@mitre.org](https://my.f5.com/manage/s/article/K000137106)\n- [cve@mitre.org](https://bugzilla.proxmox.com/show_bug.cgi?id=4988)\n- [cve@mitre.org](https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9)\n- [cve@mitre.org](https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/)\n- [cve@mitre.org](https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve)\n- [cve@mitre.org](https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088)\n- [cve@mitre.org](https://github.com/advisories/GHSA-vx74-f528-fxqg)\n- [cve@mitre.org](https://github.com/apache/trafficserver/pull/10564)\n- [cve@mitre.org](https://github.com/dotnet/announcements/issues/277)\n- [cve@mitre.org](https://github.com/facebook/proxygen/pull/466)\n- [cve@mitre.org](https://github.com/golang/go/issues/63417)\n- [cve@mitre.org](https://github.com/h2o/h2o/pull/3291)\n- [cve@mitre.org](https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf)\n- [cve@mitre.org](https://github.com/micrictor/http2-rst-stream)\n- [cve@mitre.org](https://github.com/microsoft/CBL-Mariner/pull/6381)\n- [cve@mitre.org](https://github.com/nodejs/node/pull/50121)\n- [cve@mitre.org](https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo)\n- [cve@mitre.org](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487)\n- [cve@mitre.org](https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/)\n- [cve@mitre.org](https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q)\n- [cve@mitre.org](https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected)\n- [cve@mitre.org](https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14)\n- [cve@mitre.org](https://www.openwall.com/lists/oss-security/2023/10/10/6)\n- [cve@mitre.org](https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73)\n- [cve@mitre.org](https://github.com/advisories/GHSA-xpw8-rcwv-8f8p)\n- [cve@mitre.org](https://github.com/kubernetes/kubernetes/pull/121120)\n- [cve@mitre.org](https://github.com/opensearch-project/data-prepper/issues/3474)\n- [cve@mitre.org](https://github.com/oqtane/oqtane.framework/discussions/3367)\n- [cve@mitre.org](https://netty.io/news/2023/10/10/4-1-100-Final.html)\n- [cve@mitre.org](https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487)\n- [cve@mitre.org](https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack)\n- [cve@mitre.org](https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113)\n- [cve@mitre.org](https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1)\n- [cve@mitre.org](https://github.com/kazu-yamamoto/http2/issues/93)\n- [cve@mitre.org](https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37837043)\n- [cve@mitre.org](https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5521)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5522)\n- [cve@mitre.org](https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/)\n- [cve@mitre.org](https://access.redhat.com/security/cve/cve-2023-44487)\n- [cve@mitre.org](https://blog.vespa.ai/cve-2023-44487/)\n- [cve@mitre.org](https://bugzilla.redhat.com/show_bug.cgi?id=2242803)\n- [cve@mitre.org](https://bugzilla.suse.com/show_bug.cgi?id=1216123)\n- [cve@mitre.org](https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125)\n- [cve@mitre.org](https://github.com/advisories/GHSA-qppj-fm5r-hxr3)\n- [cve@mitre.org](https://github.com/etcd-io/etcd/issues/16740)\n- [cve@mitre.org](https://github.com/junkurihara/rust-rpxy/issues/97)\n- [cve@mitre.org](https://github.com/ninenines/cowboy/issues/1615)\n- [cve@mitre.org](https://github.com/tempesta-tech/tempesta/issues/1986)\n- [cve@mitre.org](https://github.com/varnishcache/varnish-cache/issues/3996)\n- [cve@mitre.org](https://istio.io/latest/news/security/istio-security-2023-004/)\n- [cve@mitre.org](https://ubuntu.com/security/CVE-2023-44487)\n- [cve@mitre.org](https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event)\n- [cve@mitre.org](https://github.com/apache/httpd-site/pull/10)\n- [cve@mitre.org](https://github.com/line/armeria/pull/5232)\n- [cve@mitre.org](https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632)\n- [cve@mitre.org](https://github.com/projectcontour/contour/pull/5826)\n- [cve@mitre.org](https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n",
"disclosureTime": "2023-10-10T14:15:10.883000Z",
"dockerBaseImage": "ruby:3.2.2-alpine3.18",
"dockerfileInstruction": "apk add nodejs",
"epssDetails": null,
"exploit": "High",
"fixedIn": [
"1.57.0-r0"
],
"from": [
"docker-image|cyberdojo/shas@*",
"curl/curl@8.3.0-r0",
"curl/libcurl@8.3.0-r0",
"nghttp2/nghttp2-libs@1.55.1-r0"
],
"id": "SNYK-ALPINE318-NGHTTP2-5954768",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-44487"
],
"CWE": [
"CWE-400"
]
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": false,
"language": "linux",
"malicious": false,
"modificationTime": "2023-10-12T01:11:09.035012Z",
"name": "nghttp2/nghttp2-libs",
"nearestFixedInVersion": "1.57.0-r0",
"nvdSeverity": "high",
"packageManager": "alpine:3.18",
"packageName": "nghttp2",
"patches": [],
"publicationTime": "2023-10-11T04:04:38.608135Z",
"references": [
{
"title": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/",
"url": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/"
},
{
"title": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/",
"url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/"
},
{
"title": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/",
"url": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/"
},
{
"title": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/",
"url": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/"
},
{
"title": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack",
"url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack"
},
{
"title": "https://news.ycombinator.com/item?id=37831062",
"url": "https://news.ycombinator.com/item?id=37831062"
},
{
"title": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/",
"url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/"
},
{
"title": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack",
"url": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack"
},
{
"title": "https://chaos.social/@icing/111210915918780532",
"url": "https://chaos.social/@icing/111210915918780532"
},
{
"title": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764",
"url": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764"
},
{
"title": "https://github.com/alibaba/tengine/issues/1872",
"url": "https://github.com/alibaba/tengine/issues/1872"
},
{
"title": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2",
"url": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2"
},
{
"title": "https://github.com/bcdannyboy/CVE-2023-44487",
"url": "https://github.com/bcdannyboy/CVE-2023-44487"
},
{
"title": "https://github.com/caddyserver/caddy/issues/5877",
"url": "https://github.com/caddyserver/caddy/issues/5877"
},
{
"title": "https://github.com/eclipse/jetty.project/issues/10679",
"url": "https://github.com/eclipse/jetty.project/issues/10679"
},
{
"title": "https://github.com/envoyproxy/envoy/pull/30055",
"url": "https://github.com/envoyproxy/envoy/pull/30055"
},
{
"title": "https://github.com/haproxy/haproxy/issues/2312",
"url": "https://github.com/haproxy/haproxy/issues/2312"
},
{
"title": "https://github.com/hyperium/hyper/issues/3337",
"url": "https://github.com/hyperium/hyper/issues/3337"
},
{
"title": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61",
"url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61"
},
{
"title": "https://github.com/nghttp2/nghttp2/pull/1961",
"url": "https://github.com/nghttp2/nghttp2/pull/1961"
},
{
"title": "https://news.ycombinator.com/item?id=37830987",
"url": "https://news.ycombinator.com/item?id=37830987"
},
{
"title": "https://news.ycombinator.com/item?id=37830998",
"url": "https://news.ycombinator.com/item?id=37830998"
},
{
"title": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/",
"url": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/"
},
{
"title": "https://github.com/grpc/grpc-go/pull/6703",
"url": "https://github.com/grpc/grpc-go/pull/6703"
},
{
"title": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1%23L239-L244",
"url": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1%23L239-L244"
},
{
"title": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0",
"url": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0"
},
{
"title": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html",
"url": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html"
},
{
"title": "https://my.f5.com/manage/s/article/K000137106",
"url": "https://my.f5.com/manage/s/article/K000137106"
},
{
"title": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988",
"url": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988"
},
{
"title": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9",
"url": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9"
},
{
"title": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/",
"url": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/"
},
{
"title": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve",
"url": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve"
},
{
"title": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088",
"url": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088"
},
{
"title": "https://github.com/advisories/GHSA-vx74-f528-fxqg",
"url": "https://github.com/advisories/GHSA-vx74-f528-fxqg"
},
{
"title": "https://github.com/apache/trafficserver/pull/10564",
"url": "https://github.com/apache/trafficserver/pull/10564"
},
{
"title": "https://github.com/dotnet/announcements/issues/277",
"url": "https://github.com/dotnet/announcements/issues/277"
},
{
"title": "https://github.com/facebook/proxygen/pull/466",
"url": "https://github.com/facebook/proxygen/pull/466"
},
{
"title": "https://github.com/golang/go/issues/63417",
"url": "https://github.com/golang/go/issues/63417"
},
{
"title": "https://github.com/h2o/h2o/pull/3291",
"url": "https://github.com/h2o/h2o/pull/3291"
},
{
"title": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf",
"url": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf"
},
{
"title": "https://github.com/micrictor/http2-rst-stream",
"url": "https://github.com/micrictor/http2-rst-stream"
},
{
"title": "https://github.com/microsoft/CBL-Mariner/pull/6381",
"url": "https://github.com/microsoft/CBL-Mariner/pull/6381"
},
{
"title": "https://github.com/nodejs/node/pull/50121",
"url": "https://github.com/nodejs/node/pull/50121"
},
{
"title": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo",
"url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo"
},
{
"title": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487"
},
{
"title": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/",
"url": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/"
},
{
"title": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q",
"url": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q"
},
{
"title": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected",
"url": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected"
},
{
"title": "https://tomcat.apache.org/security-10.html%23Fixed_in_Apache_Tomcat_10.1.14",
"url": "https://tomcat.apache.org/security-10.html%23Fixed_in_Apache_Tomcat_10.1.14"
},
{
"title": "https://www.openwall.com/lists/oss-security/2023/10/10/6",
"url": "https://www.openwall.com/lists/oss-security/2023/10/10/6"
},
{
"title": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1%23L73",
"url": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1%23L73"
},
{
"title": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p",
"url": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p"
},
{
"title": "https://github.com/kubernetes/kubernetes/pull/121120",
"url": "https://github.com/kubernetes/kubernetes/pull/121120"
},
{
"title": "https://github.com/opensearch-project/data-prepper/issues/3474",
"url": "https://github.com/opensearch-project/data-prepper/issues/3474"
},
{
"title": "https://github.com/oqtane/oqtane.framework/discussions/3367",
"url": "https://github.com/oqtane/oqtane.framework/discussions/3367"
},
{
"title": "https://netty.io/news/2023/10/10/4-1-100-Final.html",
"url": "https://netty.io/news/2023/10/10/4-1-100-Final.html"
},
{
"title": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487",
"url": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487"
},
{
"title": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack",
"url": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack"
},
{
"title": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c%23L1101-L1113",
"url": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c%23L1101-L1113"
},
{
"title": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1",
"url": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1"
},
{
"title": "https://github.com/kazu-yamamoto/http2/issues/93",
"url": "https://github.com/kazu-yamamoto/http2/issues/93"
},
{
"title": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html",
"url": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html"
},
{
"title": "https://news.ycombinator.com/item?id=37837043",
"url": "https://news.ycombinator.com/item?id=37837043"
},
{
"title": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487",
"url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487"
},
{
"title": "https://www.debian.org/security/2023/dsa-5521",
"url": "https://www.debian.org/security/2023/dsa-5521"
},
{
"title": "https://www.debian.org/security/2023/dsa-5522",
"url": "https://www.debian.org/security/2023/dsa-5522"
},
{
"title": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/",
"url": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/"
},
{
"title": "https://access.redhat.com/security/cve/cve-2023-44487",
"url": "https://access.redhat.com/security/cve/cve-2023-44487"
},
{
"title": "https://blog.vespa.ai/cve-2023-44487/",
"url": "https://blog.vespa.ai/cve-2023-44487/"
},
{
"title": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803"
},
{
"title": "https://bugzilla.suse.com/show_bug.cgi?id=1216123",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1216123"
},
{
"title": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125",
"url": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125"
},
{
"title": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3",
"url": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3"
},
{
"title": "https://github.com/etcd-io/etcd/issues/16740",
"url": "https://github.com/etcd-io/etcd/issues/16740"
},
{
"title": "https://github.com/junkurihara/rust-rpxy/issues/97",
"url": "https://github.com/junkurihara/rust-rpxy/issues/97"
},
{
"title": "https://github.com/ninenines/cowboy/issues/1615",
"url": "https://github.com/ninenines/cowboy/issues/1615"
},
{
"title": "https://github.com/tempesta-tech/tempesta/issues/1986",
"url": "https://github.com/tempesta-tech/tempesta/issues/1986"
},
{
"title": "https://github.com/varnishcache/varnish-cache/issues/3996",
"url": "https://github.com/varnishcache/varnish-cache/issues/3996"
},
{
"title": "https://istio.io/latest/news/security/istio-security-2023-004/",
"url": "https://istio.io/latest/news/security/istio-security-2023-004/"
},
{
"title": "https://ubuntu.com/security/CVE-2023-44487",
"url": "https://ubuntu.com/security/CVE-2023-44487"
},
{
"title": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event",
"url": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event"
},
{
"title": "https://github.com/apache/httpd-site/pull/10",
"url": "https://github.com/apache/httpd-site/pull/10"
},
{
"title": "https://github.com/line/armeria/pull/5232",
"url": "https://github.com/line/armeria/pull/5232"
},
{
"title": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632",
"url": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632"
},
{
"title": "https://github.com/projectcontour/contour/pull/5826",
"url": "https://github.com/projectcontour/contour/pull/5826"
},
{
"title": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/",
"url": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/"
},
{
"title": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"relativeImportance": null,
"semver": {
"vulnerable": [
"<1.57.0-r0"
]
},
"severity": "high",
"severityWithCritical": "high",
"socialTrendAlert": false,
"title": "Resource Exhaustion",
"upgradePath": [],
"version": "1.55.1-r0"
}
]
},
"created_at": 1697097977.7158828,
"has_audit_package": true
}
},
"repo_url": "https://github.com/cyber-dojo/shas",
"template": [
"artifact",
"branch-coverage",
"snyk-scan"
],
"last_modified_at": 1697097977.7158828,
"deployments": [
60,
59
],
"state": "NON-COMPLIANT",
"html_url": "https://app.kosli.com/cyber-dojo/flows/shas-archived-at-1705491385/artifacts/eaa2885bdceaeb49372ec734bab19f5e3e2d1ce59661fe6f97ad2d10ee39a8b0",
"api_url": "https://app.kosli.com/api/v2/artifacts/cyber-dojo/shas-archived-at-1705491385/fingerprint/eaa2885bdceaeb49372ec734bab19f5e3e2d1ce59661fe6f97ad2d10ee39a8b0"
}
Artifact Information |
|
| Name | cyberdojo/shas:81ab491 |
| Fingerprint | eaa2885bdceaeb49372ec734bab19f5e3e2d1ce59661fe6f97ad2d10ee39a8b0 |
| Git commit | 81ab491 |
| CI Build | https://github.com/cyber-dojo/shas/actions/runs/6376298305 |
| Running | - |
| Exited | aws-beta#1870 aws-prod#1142 |
| Last modified | 1697097977.7158828 • 6 months ago |
Approvals
| None |
Evidence
Evidence for 'branch-coverage'
{ "evidence_type": "generic", "name": "branch-coverage", "is_compliant": true, "build_url": "https://github.com/cyber-dojo/shas/actions/runs/6376298305", "description": "server & client branch-coverage reports", "user_data": { "client": { "command_name": "Minitest", "groups": { "app": { "branches": { "covered": 1, "missed": 1, "total": 2 }, "lines": { "covered": 52, "missed": 0, "total": 52 } }, "test": { "branches": { "covered": 0, "missed": 0, "total": 0 }, "lines": { "covered": 0, "missed": 0, "total": 0 } } }, "timestamp": 1696224014 }, "server": { "command_name": "Minitest", "groups": { "app": { "branches": { "covered": 0, "missed": 0, "total": 0 }, "lines": { "covered": 69, "missed": 0, "total": 69 } }, "test": { "branches": { "covered": 0, "missed": 0, "total": 0 }, "lines": { "covered": 0, "missed": 0, "total": 0 } } }, "timestamp": 1696224008 } }, "created_at": 1696224034.3924313, "has_audit_package": false }
Evidence for 'snyk-scan'
{ "evidence_type": "snyk", "name": "snyk-scan", "is_compliant": false, "build_url": "https://github.com/cyber-dojo/snyk_scans/actions/runs/6492936605", "evidence_archive_fingerprint": "9d440cce891ab3a302ef52b100fb125529881041853192672140ccf73db597a9", "user_data": {}, "snyk_results": { "applications": [ { "dependencyCount": 0, "displayTargetFile": "/usr/local/bundle/gems/concurrent-ruby-1.2.2/lib/concurrent-ruby/concurrent", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "maven", "path": "cyberdojo/shas@sha256:eaa2885bdceaeb49372ec734bab19f5e3e2d1ce59661fe6f97ad2d10ee39a8b0/shas@sha256:eaa2885bdceaeb49372ec734bab19f5e3e2d1ce59661fe6f97ad2d10ee39a8b0:/usr/local/bundle/gems/concurrent-ruby-1.2.2/lib/concurrent-ruby/concurrent", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n", "projectName": "cyberdojo/shas@sha256:eaa2885bdceaeb49372ec734bab19f5e3e2d1ce59661fe6f97ad2d10ee39a8b0:/usr/local/bundle/gems/concurrent-ruby-1.2.2/lib/concurrent-ruby/concurrent", "severityThreshold": "medium", "summary": "No medium or high or critical severity vulnerabilities", "targetFile": "/usr/local/bundle/gems/concurrent-ruby-1.2.2/lib/concurrent-ruby/concurrent", "uniqueCount": 0, "vulnerabilities": [] } ], "dependencyCount": 80, "docker": { "baseImage": "ruby:3.2.2-alpine3.18", "baseImageRemediation": { "advice": [ { "bold": true, "message": "According to our scan, you are currently using the most secure version of the selected base image" } ], "code": "NO_REMEDIATION_AVAILABLE" }, "binariesVulns": { "affectedPkgs": {}, "issuesData": {} } }, "filesystemPolicy": true, "filtered": { "ignore": [], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": false, "org": "jonjagger", "packageManager": "apk", "path": "cyberdojo/shas@sha256:eaa2885bdceaeb49372ec734bab19f5e3e2d1ce59661fe6f97ad2d10ee39a8b0/shas", "platform": "linux/amd64", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n", "projectName": "docker-image|cyberdojo/shas", "severityThreshold": "medium", "summary": "6 medium or high or critical severity vulnerable dependency paths", "uniqueCount": 2, "vulnerabilities": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L/E:P", "cpes": [], "creationTime": "2023-10-11T11:45:04.817337Z", "credit": [], "cvssDetails": [], "cvssScore": 7.7, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `curl` package and not the `curl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nin the `SOCKS5` proxy handshake process when the hostname is longer than the target buffer.\nThe local variable `socks5_resolve_local` could get the wrong value during a slow SOCKS5 handshake.\nSince the code wrongly thinks it should pass on the hostname, even though the hostname is too long to fit, the memory copy can overflow the allocated target buffer. \n\nThis is only exploitable if the SOCKS5 handshake is slow enough to trigger a local variable bug and the client uses a hostname longer than the download buffer.\n\nExploiting this vulnerability could allow an attacker to execute arbitrary code on the target system under certain conditions.\n\n\n**Note:**\n\nAn overflow is only possible in applications that don't set `CURLOPT_BUFFERSIZE` or set it smaller than 65541. \nSince the curl tool sets `CURLOPT_BUFFERSIZE` to 100kB by default, it is not vulnerable unless the user sets the rate limiting to a rate smaller than 65541 bytes/second.\n\nThe options that cause SOCKS5 with remote hostname to be used in `libcurl`:\n\n1) `CURLOPT_PROXYTYPE` set to type `CURLPROXY_SOCKS5_HOSTNAME`, or:\n`CURLOPT_PROXY` or `CURLOPT_PRE_PROXY` set to use the scheme `socks5h://`\n\n2) One of the proxy environment variables can be set to use the `socks5h://` scheme. For example, `http_proxy`, `HTTPS_PROXY` or `ALL_PROXY`.\n\n\nThe options that cause SOCKS5 with remote hostname to be used in the `curl` tool:\n\n1) `--socks5-hostname`, `--proxy` or `--preproxy` set to use the scheme `socks5h://`\n\n2) Environment variables as described in the libcurl section.\n\n\n\n**Changelog:**\n\n2023-10-04: Initial publication\n\n2023-10-11: Published updated information, including CWE, CVSS, official references and affected versions range.\n## Remediation\nUpgrade `Alpine:3.18` `curl` to version 8.4.0-r0 or higher.\n", "disclosureTime": null, "dockerBaseImage": "ruby:3.2.2-alpine3.18", "epssDetails": null, "exploit": "Proof of Concept", "fixedIn": [ "8.4.0-r0" ], "from": [ "docker-image|cyberdojo/shas@*", "curl/libcurl@8.3.0-r0" ], "id": "SNYK-ALPINE318-CURL-5958913", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-38545" ], "CWE": [ "CWE-122" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2023-10-12T06:20:00.497141Z", "name": "curl/libcurl", "nearestFixedInVersion": "8.4.0-r0", "nvdSeverity": null, "packageManager": "alpine:3.18", "packageName": "curl", "patches": [], "publicationTime": "2023-10-11T11:43:48.209416Z", "references": [], "relativeImportance": null, "semver": { "vulnerable": [ "<8.4.0-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Heap-based Buffer Overflow", "upgradePath": [ false, "curl/libcurl@8.4.0-r0" ], "version": "8.3.0-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L/E:P", "cpes": [], "creationTime": "2023-10-11T11:45:04.817337Z", "credit": [], "cvssDetails": [], "cvssScore": 7.7, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `curl` package and not the `curl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nin the `SOCKS5` proxy handshake process when the hostname is longer than the target buffer.\nThe local variable `socks5_resolve_local` could get the wrong value during a slow SOCKS5 handshake.\nSince the code wrongly thinks it should pass on the hostname, even though the hostname is too long to fit, the memory copy can overflow the allocated target buffer. \n\nThis is only exploitable if the SOCKS5 handshake is slow enough to trigger a local variable bug and the client uses a hostname longer than the download buffer.\n\nExploiting this vulnerability could allow an attacker to execute arbitrary code on the target system under certain conditions.\n\n\n**Note:**\n\nAn overflow is only possible in applications that don't set `CURLOPT_BUFFERSIZE` or set it smaller than 65541. \nSince the curl tool sets `CURLOPT_BUFFERSIZE` to 100kB by default, it is not vulnerable unless the user sets the rate limiting to a rate smaller than 65541 bytes/second.\n\nThe options that cause SOCKS5 with remote hostname to be used in `libcurl`:\n\n1) `CURLOPT_PROXYTYPE` set to type `CURLPROXY_SOCKS5_HOSTNAME`, or:\n`CURLOPT_PROXY` or `CURLOPT_PRE_PROXY` set to use the scheme `socks5h://`\n\n2) One of the proxy environment variables can be set to use the `socks5h://` scheme. For example, `http_proxy`, `HTTPS_PROXY` or `ALL_PROXY`.\n\n\nThe options that cause SOCKS5 with remote hostname to be used in the `curl` tool:\n\n1) `--socks5-hostname`, `--proxy` or `--preproxy` set to use the scheme `socks5h://`\n\n2) Environment variables as described in the libcurl section.\n\n\n\n**Changelog:**\n\n2023-10-04: Initial publication\n\n2023-10-11: Published updated information, including CWE, CVSS, official references and affected versions range.\n## Remediation\nUpgrade `Alpine:3.18` `curl` to version 8.4.0-r0 or higher.\n", "disclosureTime": null, "dockerBaseImage": "ruby:3.2.2-alpine3.18", "epssDetails": null, "exploit": "Proof of Concept", "fixedIn": [ "8.4.0-r0" ], "from": [ "docker-image|cyberdojo/shas@*", "curl/curl@8.3.0-r0", "curl/libcurl@8.3.0-r0" ], "id": "SNYK-ALPINE318-CURL-5958913", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-38545" ], "CWE": [ "CWE-122" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-12T06:20:00.497141Z", "name": "curl/libcurl", "nearestFixedInVersion": "8.4.0-r0", "nvdSeverity": null, "packageManager": "alpine:3.18", "packageName": "curl", "patches": [], "publicationTime": "2023-10-11T11:43:48.209416Z", "references": [], "relativeImportance": null, "semver": { "vulnerable": [ "<8.4.0-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Heap-based Buffer Overflow", "upgradePath": [], "version": "8.3.0-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L/E:P", "cpes": [], "creationTime": "2023-10-11T11:45:04.817337Z", "credit": [], "cvssDetails": [], "cvssScore": 7.7, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `curl` package and not the `curl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nin the `SOCKS5` proxy handshake process when the hostname is longer than the target buffer.\nThe local variable `socks5_resolve_local` could get the wrong value during a slow SOCKS5 handshake.\nSince the code wrongly thinks it should pass on the hostname, even though the hostname is too long to fit, the memory copy can overflow the allocated target buffer. \n\nThis is only exploitable if the SOCKS5 handshake is slow enough to trigger a local variable bug and the client uses a hostname longer than the download buffer.\n\nExploiting this vulnerability could allow an attacker to execute arbitrary code on the target system under certain conditions.\n\n\n**Note:**\n\nAn overflow is only possible in applications that don't set `CURLOPT_BUFFERSIZE` or set it smaller than 65541. \nSince the curl tool sets `CURLOPT_BUFFERSIZE` to 100kB by default, it is not vulnerable unless the user sets the rate limiting to a rate smaller than 65541 bytes/second.\n\nThe options that cause SOCKS5 with remote hostname to be used in `libcurl`:\n\n1) `CURLOPT_PROXYTYPE` set to type `CURLPROXY_SOCKS5_HOSTNAME`, or:\n`CURLOPT_PROXY` or `CURLOPT_PRE_PROXY` set to use the scheme `socks5h://`\n\n2) One of the proxy environment variables can be set to use the `socks5h://` scheme. For example, `http_proxy`, `HTTPS_PROXY` or `ALL_PROXY`.\n\n\nThe options that cause SOCKS5 with remote hostname to be used in the `curl` tool:\n\n1) `--socks5-hostname`, `--proxy` or `--preproxy` set to use the scheme `socks5h://`\n\n2) Environment variables as described in the libcurl section.\n\n\n\n**Changelog:**\n\n2023-10-04: Initial publication\n\n2023-10-11: Published updated information, including CWE, CVSS, official references and affected versions range.\n## Remediation\nUpgrade `Alpine:3.18` `curl` to version 8.4.0-r0 or higher.\n", "disclosureTime": null, "dockerBaseImage": "ruby:3.2.2-alpine3.18", "epssDetails": null, "exploit": "Proof of Concept", "fixedIn": [ "8.4.0-r0" ], "from": [ "docker-image|cyberdojo/shas@*", "curl/curl@8.3.0-r0" ], "id": "SNYK-ALPINE318-CURL-5958913", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-38545" ], "CWE": [ "CWE-122" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2023-10-12T06:20:00.497141Z", "name": "curl/curl", "nearestFixedInVersion": "8.4.0-r0", "nvdSeverity": null, "packageManager": "alpine:3.18", "packageName": "curl", "patches": [], "publicationTime": "2023-10-11T11:43:48.209416Z", "references": [], "relativeImportance": null, "semver": { "vulnerable": [ "<8.4.0-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Heap-based Buffer Overflow", "upgradePath": [ false, "curl/curl@8.4.0-r0" ], "version": "8.3.0-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "cpes": [], "creationTime": "2023-10-11T04:04:38.629011Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "modificationTime": "2023-10-11T14:31:08.807516Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `nghttp2` package and not the `nghttp2` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nThe HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.\n## Remediation\nUpgrade `Alpine:3.18` `nghttp2` to version 1.57.0-r0 or higher.\n## References\n- [cve@mitre.org](https://aws.amazon.com/security/security-bulletins/AWS-2023-011/)\n- [cve@mitre.org](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [cve@mitre.org](https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/)\n- [cve@mitre.org](https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/)\n- [cve@mitre.org](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37831062)\n- [cve@mitre.org](https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/)\n- [cve@mitre.org](https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack)\n- [cve@mitre.org](https://chaos.social/@icing/111210915918780532)\n- [cve@mitre.org](https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764)\n- [cve@mitre.org](https://github.com/alibaba/tengine/issues/1872)\n- [cve@mitre.org](https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2)\n- [cve@mitre.org](https://github.com/bcdannyboy/CVE-2023-44487)\n- [cve@mitre.org](https://github.com/caddyserver/caddy/issues/5877)\n- [cve@mitre.org](https://github.com/eclipse/jetty.project/issues/10679)\n- [cve@mitre.org](https://github.com/envoyproxy/envoy/pull/30055)\n- [cve@mitre.org](https://github.com/haproxy/haproxy/issues/2312)\n- [cve@mitre.org](https://github.com/hyperium/hyper/issues/3337)\n- [cve@mitre.org](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [cve@mitre.org](https://github.com/nghttp2/nghttp2/pull/1961)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37830987)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37830998)\n- [cve@mitre.org](https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/)\n- [cve@mitre.org](https://github.com/grpc/grpc-go/pull/6703)\n- [cve@mitre.org](https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244)\n- [cve@mitre.org](https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0)\n- [cve@mitre.org](https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html)\n- [cve@mitre.org](https://my.f5.com/manage/s/article/K000137106)\n- [cve@mitre.org](https://bugzilla.proxmox.com/show_bug.cgi?id=4988)\n- [cve@mitre.org](https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9)\n- [cve@mitre.org](https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/)\n- [cve@mitre.org](https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve)\n- [cve@mitre.org](https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088)\n- [cve@mitre.org](https://github.com/advisories/GHSA-vx74-f528-fxqg)\n- [cve@mitre.org](https://github.com/apache/trafficserver/pull/10564)\n- [cve@mitre.org](https://github.com/dotnet/announcements/issues/277)\n- [cve@mitre.org](https://github.com/facebook/proxygen/pull/466)\n- [cve@mitre.org](https://github.com/golang/go/issues/63417)\n- [cve@mitre.org](https://github.com/h2o/h2o/pull/3291)\n- [cve@mitre.org](https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf)\n- [cve@mitre.org](https://github.com/micrictor/http2-rst-stream)\n- [cve@mitre.org](https://github.com/microsoft/CBL-Mariner/pull/6381)\n- [cve@mitre.org](https://github.com/nodejs/node/pull/50121)\n- [cve@mitre.org](https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo)\n- [cve@mitre.org](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487)\n- [cve@mitre.org](https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/)\n- [cve@mitre.org](https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q)\n- [cve@mitre.org](https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected)\n- [cve@mitre.org](https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14)\n- [cve@mitre.org](https://www.openwall.com/lists/oss-security/2023/10/10/6)\n- [cve@mitre.org](https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73)\n- [cve@mitre.org](https://github.com/advisories/GHSA-xpw8-rcwv-8f8p)\n- [cve@mitre.org](https://github.com/kubernetes/kubernetes/pull/121120)\n- [cve@mitre.org](https://github.com/opensearch-project/data-prepper/issues/3474)\n- [cve@mitre.org](https://github.com/oqtane/oqtane.framework/discussions/3367)\n- [cve@mitre.org](https://netty.io/news/2023/10/10/4-1-100-Final.html)\n- [cve@mitre.org](https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487)\n- [cve@mitre.org](https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack)\n- [cve@mitre.org](https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113)\n- [cve@mitre.org](https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1)\n- [cve@mitre.org](https://github.com/kazu-yamamoto/http2/issues/93)\n- [cve@mitre.org](https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37837043)\n- [cve@mitre.org](https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5521)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5522)\n- [cve@mitre.org](https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/)\n- [cve@mitre.org](https://access.redhat.com/security/cve/cve-2023-44487)\n- [cve@mitre.org](https://blog.vespa.ai/cve-2023-44487/)\n- [cve@mitre.org](https://bugzilla.redhat.com/show_bug.cgi?id=2242803)\n- [cve@mitre.org](https://bugzilla.suse.com/show_bug.cgi?id=1216123)\n- [cve@mitre.org](https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125)\n- [cve@mitre.org](https://github.com/advisories/GHSA-qppj-fm5r-hxr3)\n- [cve@mitre.org](https://github.com/etcd-io/etcd/issues/16740)\n- [cve@mitre.org](https://github.com/junkurihara/rust-rpxy/issues/97)\n- [cve@mitre.org](https://github.com/ninenines/cowboy/issues/1615)\n- [cve@mitre.org](https://github.com/tempesta-tech/tempesta/issues/1986)\n- [cve@mitre.org](https://github.com/varnishcache/varnish-cache/issues/3996)\n- [cve@mitre.org](https://istio.io/latest/news/security/istio-security-2023-004/)\n- [cve@mitre.org](https://ubuntu.com/security/CVE-2023-44487)\n- [cve@mitre.org](https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event)\n- [cve@mitre.org](https://github.com/apache/httpd-site/pull/10)\n- [cve@mitre.org](https://github.com/line/armeria/pull/5232)\n- [cve@mitre.org](https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632)\n- [cve@mitre.org](https://github.com/projectcontour/contour/pull/5826)\n- [cve@mitre.org](https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:15:10.883000Z", "dockerBaseImage": "ruby:3.2.2-alpine3.18", "dockerfileInstruction": "apk add nodejs", "epssDetails": null, "exploit": "High", "fixedIn": [ "1.57.0-r0" ], "from": [ "docker-image|cyberdojo/shas@*", "nghttp2/nghttp2-libs@1.55.1-r0" ], "id": "SNYK-ALPINE318-NGHTTP2-5954768", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2023-10-12T01:11:09.035012Z", "name": "nghttp2/nghttp2-libs", "nearestFixedInVersion": "1.57.0-r0", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "nghttp2", "patches": [], "publicationTime": "2023-10-11T04:04:38.608135Z", "references": [ { "title": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/", "url": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/" }, { "title": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/", "url": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/" }, { "title": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/", "url": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/" }, { "title": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "https://news.ycombinator.com/item?id=37831062", "url": "https://news.ycombinator.com/item?id=37831062" }, { "title": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/", "url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/" }, { "title": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack", "url": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack" }, { "title": "https://chaos.social/@icing/111210915918780532", "url": "https://chaos.social/@icing/111210915918780532" }, { "title": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764", "url": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764" }, { "title": "https://github.com/alibaba/tengine/issues/1872", "url": "https://github.com/alibaba/tengine/issues/1872" }, { "title": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2", "url": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2" }, { "title": "https://github.com/bcdannyboy/CVE-2023-44487", "url": "https://github.com/bcdannyboy/CVE-2023-44487" }, { "title": "https://github.com/caddyserver/caddy/issues/5877", "url": "https://github.com/caddyserver/caddy/issues/5877" }, { "title": "https://github.com/eclipse/jetty.project/issues/10679", "url": "https://github.com/eclipse/jetty.project/issues/10679" }, { "title": "https://github.com/envoyproxy/envoy/pull/30055", "url": "https://github.com/envoyproxy/envoy/pull/30055" }, { "title": "https://github.com/haproxy/haproxy/issues/2312", "url": "https://github.com/haproxy/haproxy/issues/2312" }, { "title": "https://github.com/hyperium/hyper/issues/3337", "url": "https://github.com/hyperium/hyper/issues/3337" }, { "title": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "https://github.com/nghttp2/nghttp2/pull/1961", "url": "https://github.com/nghttp2/nghttp2/pull/1961" }, { "title": "https://news.ycombinator.com/item?id=37830987", "url": "https://news.ycombinator.com/item?id=37830987" }, { "title": "https://news.ycombinator.com/item?id=37830998", "url": "https://news.ycombinator.com/item?id=37830998" }, { "title": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/", "url": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/" }, { "title": "https://github.com/grpc/grpc-go/pull/6703", "url": "https://github.com/grpc/grpc-go/pull/6703" }, { "title": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1%23L239-L244", "url": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1%23L239-L244" }, { "title": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0", "url": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0" }, { "title": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html", "url": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html" }, { "title": "https://my.f5.com/manage/s/article/K000137106", "url": "https://my.f5.com/manage/s/article/K000137106" }, { "title": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988", "url": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988" }, { "title": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9", "url": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9" }, { "title": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/", "url": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/" }, { "title": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve", "url": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve" }, { "title": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088", "url": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088" }, { "title": "https://github.com/advisories/GHSA-vx74-f528-fxqg", "url": "https://github.com/advisories/GHSA-vx74-f528-fxqg" }, { "title": "https://github.com/apache/trafficserver/pull/10564", "url": "https://github.com/apache/trafficserver/pull/10564" }, { "title": "https://github.com/dotnet/announcements/issues/277", "url": "https://github.com/dotnet/announcements/issues/277" }, { "title": "https://github.com/facebook/proxygen/pull/466", "url": "https://github.com/facebook/proxygen/pull/466" }, { "title": "https://github.com/golang/go/issues/63417", "url": "https://github.com/golang/go/issues/63417" }, { "title": "https://github.com/h2o/h2o/pull/3291", "url": "https://github.com/h2o/h2o/pull/3291" }, { "title": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf", "url": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf" }, { "title": "https://github.com/micrictor/http2-rst-stream", "url": "https://github.com/micrictor/http2-rst-stream" }, { "title": "https://github.com/microsoft/CBL-Mariner/pull/6381", "url": "https://github.com/microsoft/CBL-Mariner/pull/6381" }, { "title": "https://github.com/nodejs/node/pull/50121", "url": "https://github.com/nodejs/node/pull/50121" }, { "title": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo", "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo" }, { "title": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487" }, { "title": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/", "url": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/" }, { "title": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q", "url": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q" }, { "title": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected", "url": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected" }, { "title": "https://tomcat.apache.org/security-10.html%23Fixed_in_Apache_Tomcat_10.1.14", "url": "https://tomcat.apache.org/security-10.html%23Fixed_in_Apache_Tomcat_10.1.14" }, { "title": "https://www.openwall.com/lists/oss-security/2023/10/10/6", "url": "https://www.openwall.com/lists/oss-security/2023/10/10/6" }, { "title": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1%23L73", "url": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1%23L73" }, { "title": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p", "url": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p" }, { "title": "https://github.com/kubernetes/kubernetes/pull/121120", "url": "https://github.com/kubernetes/kubernetes/pull/121120" }, { "title": "https://github.com/opensearch-project/data-prepper/issues/3474", "url": "https://github.com/opensearch-project/data-prepper/issues/3474" }, { "title": "https://github.com/oqtane/oqtane.framework/discussions/3367", "url": "https://github.com/oqtane/oqtane.framework/discussions/3367" }, { "title": "https://netty.io/news/2023/10/10/4-1-100-Final.html", "url": "https://netty.io/news/2023/10/10/4-1-100-Final.html" }, { "title": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487", "url": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487" }, { "title": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack", "url": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack" }, { "title": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c%23L1101-L1113", "url": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c%23L1101-L1113" }, { "title": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1", "url": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1" }, { "title": "https://github.com/kazu-yamamoto/http2/issues/93", "url": "https://github.com/kazu-yamamoto/http2/issues/93" }, { "title": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html", "url": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html" }, { "title": "https://news.ycombinator.com/item?id=37837043", "url": "https://news.ycombinator.com/item?id=37837043" }, { "title": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487", "url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487" }, { "title": "https://www.debian.org/security/2023/dsa-5521", "url": "https://www.debian.org/security/2023/dsa-5521" }, { "title": "https://www.debian.org/security/2023/dsa-5522", "url": "https://www.debian.org/security/2023/dsa-5522" }, { "title": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/", "url": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/" }, { "title": "https://access.redhat.com/security/cve/cve-2023-44487", "url": "https://access.redhat.com/security/cve/cve-2023-44487" }, { "title": "https://blog.vespa.ai/cve-2023-44487/", "url": "https://blog.vespa.ai/cve-2023-44487/" }, { "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803" }, { "title": "https://bugzilla.suse.com/show_bug.cgi?id=1216123", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1216123" }, { "title": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125", "url": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125" }, { "title": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", "url": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3" }, { "title": "https://github.com/etcd-io/etcd/issues/16740", "url": "https://github.com/etcd-io/etcd/issues/16740" }, { "title": "https://github.com/junkurihara/rust-rpxy/issues/97", "url": "https://github.com/junkurihara/rust-rpxy/issues/97" }, { "title": "https://github.com/ninenines/cowboy/issues/1615", "url": "https://github.com/ninenines/cowboy/issues/1615" }, { "title": "https://github.com/tempesta-tech/tempesta/issues/1986", "url": "https://github.com/tempesta-tech/tempesta/issues/1986" }, { "title": "https://github.com/varnishcache/varnish-cache/issues/3996", "url": "https://github.com/varnishcache/varnish-cache/issues/3996" }, { "title": "https://istio.io/latest/news/security/istio-security-2023-004/", "url": "https://istio.io/latest/news/security/istio-security-2023-004/" }, { "title": "https://ubuntu.com/security/CVE-2023-44487", "url": "https://ubuntu.com/security/CVE-2023-44487" }, { "title": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event", "url": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event" }, { "title": "https://github.com/apache/httpd-site/pull/10", "url": "https://github.com/apache/httpd-site/pull/10" }, { "title": "https://github.com/line/armeria/pull/5232", "url": "https://github.com/line/armeria/pull/5232" }, { "title": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632", "url": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632" }, { "title": "https://github.com/projectcontour/contour/pull/5826", "url": "https://github.com/projectcontour/contour/pull/5826" }, { "title": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/", "url": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/" }, { "title": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<1.57.0-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Resource Exhaustion", "upgradePath": [ false, "nghttp2/nghttp2-libs@1.57.0-r0" ], "version": "1.55.1-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "cpes": [], "creationTime": "2023-10-11T04:04:38.629011Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "modificationTime": "2023-10-11T14:31:08.807516Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `nghttp2` package and not the `nghttp2` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nThe HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.\n## Remediation\nUpgrade `Alpine:3.18` `nghttp2` to version 1.57.0-r0 or higher.\n## References\n- [cve@mitre.org](https://aws.amazon.com/security/security-bulletins/AWS-2023-011/)\n- [cve@mitre.org](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [cve@mitre.org](https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/)\n- [cve@mitre.org](https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/)\n- [cve@mitre.org](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37831062)\n- [cve@mitre.org](https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/)\n- [cve@mitre.org](https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack)\n- [cve@mitre.org](https://chaos.social/@icing/111210915918780532)\n- [cve@mitre.org](https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764)\n- [cve@mitre.org](https://github.com/alibaba/tengine/issues/1872)\n- [cve@mitre.org](https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2)\n- [cve@mitre.org](https://github.com/bcdannyboy/CVE-2023-44487)\n- [cve@mitre.org](https://github.com/caddyserver/caddy/issues/5877)\n- [cve@mitre.org](https://github.com/eclipse/jetty.project/issues/10679)\n- [cve@mitre.org](https://github.com/envoyproxy/envoy/pull/30055)\n- [cve@mitre.org](https://github.com/haproxy/haproxy/issues/2312)\n- [cve@mitre.org](https://github.com/hyperium/hyper/issues/3337)\n- [cve@mitre.org](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [cve@mitre.org](https://github.com/nghttp2/nghttp2/pull/1961)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37830987)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37830998)\n- [cve@mitre.org](https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/)\n- [cve@mitre.org](https://github.com/grpc/grpc-go/pull/6703)\n- [cve@mitre.org](https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244)\n- [cve@mitre.org](https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0)\n- [cve@mitre.org](https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html)\n- [cve@mitre.org](https://my.f5.com/manage/s/article/K000137106)\n- [cve@mitre.org](https://bugzilla.proxmox.com/show_bug.cgi?id=4988)\n- [cve@mitre.org](https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9)\n- [cve@mitre.org](https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/)\n- [cve@mitre.org](https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve)\n- [cve@mitre.org](https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088)\n- [cve@mitre.org](https://github.com/advisories/GHSA-vx74-f528-fxqg)\n- [cve@mitre.org](https://github.com/apache/trafficserver/pull/10564)\n- [cve@mitre.org](https://github.com/dotnet/announcements/issues/277)\n- [cve@mitre.org](https://github.com/facebook/proxygen/pull/466)\n- [cve@mitre.org](https://github.com/golang/go/issues/63417)\n- [cve@mitre.org](https://github.com/h2o/h2o/pull/3291)\n- [cve@mitre.org](https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf)\n- [cve@mitre.org](https://github.com/micrictor/http2-rst-stream)\n- [cve@mitre.org](https://github.com/microsoft/CBL-Mariner/pull/6381)\n- [cve@mitre.org](https://github.com/nodejs/node/pull/50121)\n- [cve@mitre.org](https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo)\n- [cve@mitre.org](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487)\n- [cve@mitre.org](https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/)\n- [cve@mitre.org](https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q)\n- [cve@mitre.org](https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected)\n- [cve@mitre.org](https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14)\n- [cve@mitre.org](https://www.openwall.com/lists/oss-security/2023/10/10/6)\n- [cve@mitre.org](https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73)\n- [cve@mitre.org](https://github.com/advisories/GHSA-xpw8-rcwv-8f8p)\n- [cve@mitre.org](https://github.com/kubernetes/kubernetes/pull/121120)\n- [cve@mitre.org](https://github.com/opensearch-project/data-prepper/issues/3474)\n- [cve@mitre.org](https://github.com/oqtane/oqtane.framework/discussions/3367)\n- [cve@mitre.org](https://netty.io/news/2023/10/10/4-1-100-Final.html)\n- [cve@mitre.org](https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487)\n- [cve@mitre.org](https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack)\n- [cve@mitre.org](https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113)\n- [cve@mitre.org](https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1)\n- [cve@mitre.org](https://github.com/kazu-yamamoto/http2/issues/93)\n- [cve@mitre.org](https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37837043)\n- [cve@mitre.org](https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5521)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5522)\n- [cve@mitre.org](https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/)\n- [cve@mitre.org](https://access.redhat.com/security/cve/cve-2023-44487)\n- [cve@mitre.org](https://blog.vespa.ai/cve-2023-44487/)\n- [cve@mitre.org](https://bugzilla.redhat.com/show_bug.cgi?id=2242803)\n- [cve@mitre.org](https://bugzilla.suse.com/show_bug.cgi?id=1216123)\n- [cve@mitre.org](https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125)\n- [cve@mitre.org](https://github.com/advisories/GHSA-qppj-fm5r-hxr3)\n- [cve@mitre.org](https://github.com/etcd-io/etcd/issues/16740)\n- [cve@mitre.org](https://github.com/junkurihara/rust-rpxy/issues/97)\n- [cve@mitre.org](https://github.com/ninenines/cowboy/issues/1615)\n- [cve@mitre.org](https://github.com/tempesta-tech/tempesta/issues/1986)\n- [cve@mitre.org](https://github.com/varnishcache/varnish-cache/issues/3996)\n- [cve@mitre.org](https://istio.io/latest/news/security/istio-security-2023-004/)\n- [cve@mitre.org](https://ubuntu.com/security/CVE-2023-44487)\n- [cve@mitre.org](https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event)\n- [cve@mitre.org](https://github.com/apache/httpd-site/pull/10)\n- [cve@mitre.org](https://github.com/line/armeria/pull/5232)\n- [cve@mitre.org](https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632)\n- [cve@mitre.org](https://github.com/projectcontour/contour/pull/5826)\n- [cve@mitre.org](https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:15:10.883000Z", "dockerBaseImage": "ruby:3.2.2-alpine3.18", "dockerfileInstruction": "apk add nodejs", "epssDetails": null, "exploit": "High", "fixedIn": [ "1.57.0-r0" ], "from": [ "docker-image|cyberdojo/shas@*", "nodejs/nodejs@18.17.1-r0", "nghttp2/nghttp2-libs@1.55.1-r0" ], "id": "SNYK-ALPINE318-NGHTTP2-5954768", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-12T01:11:09.035012Z", "name": "nghttp2/nghttp2-libs", "nearestFixedInVersion": "1.57.0-r0", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "nghttp2", "patches": [], "publicationTime": "2023-10-11T04:04:38.608135Z", "references": [ { "title": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/", "url": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/" }, { "title": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/", "url": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/" }, { "title": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/", "url": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/" }, { "title": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "https://news.ycombinator.com/item?id=37831062", "url": "https://news.ycombinator.com/item?id=37831062" }, { "title": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/", "url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/" }, { "title": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack", "url": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack" }, { "title": "https://chaos.social/@icing/111210915918780532", "url": "https://chaos.social/@icing/111210915918780532" }, { "title": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764", "url": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764" }, { "title": "https://github.com/alibaba/tengine/issues/1872", "url": "https://github.com/alibaba/tengine/issues/1872" }, { "title": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2", "url": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2" }, { "title": "https://github.com/bcdannyboy/CVE-2023-44487", "url": "https://github.com/bcdannyboy/CVE-2023-44487" }, { "title": "https://github.com/caddyserver/caddy/issues/5877", "url": "https://github.com/caddyserver/caddy/issues/5877" }, { "title": "https://github.com/eclipse/jetty.project/issues/10679", "url": "https://github.com/eclipse/jetty.project/issues/10679" }, { "title": "https://github.com/envoyproxy/envoy/pull/30055", "url": "https://github.com/envoyproxy/envoy/pull/30055" }, { "title": "https://github.com/haproxy/haproxy/issues/2312", "url": "https://github.com/haproxy/haproxy/issues/2312" }, { "title": "https://github.com/hyperium/hyper/issues/3337", "url": "https://github.com/hyperium/hyper/issues/3337" }, { "title": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "https://github.com/nghttp2/nghttp2/pull/1961", "url": "https://github.com/nghttp2/nghttp2/pull/1961" }, { "title": "https://news.ycombinator.com/item?id=37830987", "url": "https://news.ycombinator.com/item?id=37830987" }, { "title": "https://news.ycombinator.com/item?id=37830998", "url": "https://news.ycombinator.com/item?id=37830998" }, { "title": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/", "url": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/" }, { "title": "https://github.com/grpc/grpc-go/pull/6703", "url": "https://github.com/grpc/grpc-go/pull/6703" }, { "title": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1%23L239-L244", "url": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1%23L239-L244" }, { "title": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0", "url": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0" }, { "title": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html", "url": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html" }, { "title": "https://my.f5.com/manage/s/article/K000137106", "url": "https://my.f5.com/manage/s/article/K000137106" }, { "title": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988", "url": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988" }, { "title": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9", "url": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9" }, { "title": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/", "url": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/" }, { "title": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve", "url": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve" }, { "title": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088", "url": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088" }, { "title": "https://github.com/advisories/GHSA-vx74-f528-fxqg", "url": "https://github.com/advisories/GHSA-vx74-f528-fxqg" }, { "title": "https://github.com/apache/trafficserver/pull/10564", "url": "https://github.com/apache/trafficserver/pull/10564" }, { "title": "https://github.com/dotnet/announcements/issues/277", "url": "https://github.com/dotnet/announcements/issues/277" }, { "title": "https://github.com/facebook/proxygen/pull/466", "url": "https://github.com/facebook/proxygen/pull/466" }, { "title": "https://github.com/golang/go/issues/63417", "url": "https://github.com/golang/go/issues/63417" }, { "title": "https://github.com/h2o/h2o/pull/3291", "url": "https://github.com/h2o/h2o/pull/3291" }, { "title": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf", "url": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf" }, { "title": "https://github.com/micrictor/http2-rst-stream", "url": "https://github.com/micrictor/http2-rst-stream" }, { "title": "https://github.com/microsoft/CBL-Mariner/pull/6381", "url": "https://github.com/microsoft/CBL-Mariner/pull/6381" }, { "title": "https://github.com/nodejs/node/pull/50121", "url": "https://github.com/nodejs/node/pull/50121" }, { "title": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo", "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo" }, { "title": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487" }, { "title": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/", "url": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/" }, { "title": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q", "url": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q" }, { "title": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected", "url": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected" }, { "title": "https://tomcat.apache.org/security-10.html%23Fixed_in_Apache_Tomcat_10.1.14", "url": "https://tomcat.apache.org/security-10.html%23Fixed_in_Apache_Tomcat_10.1.14" }, { "title": "https://www.openwall.com/lists/oss-security/2023/10/10/6", "url": "https://www.openwall.com/lists/oss-security/2023/10/10/6" }, { "title": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1%23L73", "url": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1%23L73" }, { "title": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p", "url": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p" }, { "title": "https://github.com/kubernetes/kubernetes/pull/121120", "url": "https://github.com/kubernetes/kubernetes/pull/121120" }, { "title": "https://github.com/opensearch-project/data-prepper/issues/3474", "url": "https://github.com/opensearch-project/data-prepper/issues/3474" }, { "title": "https://github.com/oqtane/oqtane.framework/discussions/3367", "url": "https://github.com/oqtane/oqtane.framework/discussions/3367" }, { "title": "https://netty.io/news/2023/10/10/4-1-100-Final.html", "url": "https://netty.io/news/2023/10/10/4-1-100-Final.html" }, { "title": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487", "url": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487" }, { "title": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack", "url": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack" }, { "title": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c%23L1101-L1113", "url": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c%23L1101-L1113" }, { "title": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1", "url": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1" }, { "title": "https://github.com/kazu-yamamoto/http2/issues/93", "url": "https://github.com/kazu-yamamoto/http2/issues/93" }, { "title": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html", "url": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html" }, { "title": "https://news.ycombinator.com/item?id=37837043", "url": "https://news.ycombinator.com/item?id=37837043" }, { "title": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487", "url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487" }, { "title": "https://www.debian.org/security/2023/dsa-5521", "url": "https://www.debian.org/security/2023/dsa-5521" }, { "title": "https://www.debian.org/security/2023/dsa-5522", "url": "https://www.debian.org/security/2023/dsa-5522" }, { "title": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/", "url": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/" }, { "title": "https://access.redhat.com/security/cve/cve-2023-44487", "url": "https://access.redhat.com/security/cve/cve-2023-44487" }, { "title": "https://blog.vespa.ai/cve-2023-44487/", "url": "https://blog.vespa.ai/cve-2023-44487/" }, { "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803" }, { "title": "https://bugzilla.suse.com/show_bug.cgi?id=1216123", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1216123" }, { "title": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125", "url": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125" }, { "title": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", "url": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3" }, { "title": "https://github.com/etcd-io/etcd/issues/16740", "url": "https://github.com/etcd-io/etcd/issues/16740" }, { "title": "https://github.com/junkurihara/rust-rpxy/issues/97", "url": "https://github.com/junkurihara/rust-rpxy/issues/97" }, { "title": "https://github.com/ninenines/cowboy/issues/1615", "url": "https://github.com/ninenines/cowboy/issues/1615" }, { "title": "https://github.com/tempesta-tech/tempesta/issues/1986", "url": "https://github.com/tempesta-tech/tempesta/issues/1986" }, { "title": "https://github.com/varnishcache/varnish-cache/issues/3996", "url": "https://github.com/varnishcache/varnish-cache/issues/3996" }, { "title": "https://istio.io/latest/news/security/istio-security-2023-004/", "url": "https://istio.io/latest/news/security/istio-security-2023-004/" }, { "title": "https://ubuntu.com/security/CVE-2023-44487", "url": "https://ubuntu.com/security/CVE-2023-44487" }, { "title": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event", "url": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event" }, { "title": "https://github.com/apache/httpd-site/pull/10", "url": "https://github.com/apache/httpd-site/pull/10" }, { "title": "https://github.com/line/armeria/pull/5232", "url": "https://github.com/line/armeria/pull/5232" }, { "title": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632", "url": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632" }, { "title": "https://github.com/projectcontour/contour/pull/5826", "url": "https://github.com/projectcontour/contour/pull/5826" }, { "title": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/", "url": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/" }, { "title": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<1.57.0-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Resource Exhaustion", "upgradePath": [], "version": "1.55.1-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "cpes": [], "creationTime": "2023-10-11T04:04:38.629011Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "modificationTime": "2023-10-11T14:31:08.807516Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `nghttp2` package and not the `nghttp2` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nThe HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.\n## Remediation\nUpgrade `Alpine:3.18` `nghttp2` to version 1.57.0-r0 or higher.\n## References\n- [cve@mitre.org](https://aws.amazon.com/security/security-bulletins/AWS-2023-011/)\n- [cve@mitre.org](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [cve@mitre.org](https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/)\n- [cve@mitre.org](https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/)\n- [cve@mitre.org](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37831062)\n- [cve@mitre.org](https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/)\n- [cve@mitre.org](https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack)\n- [cve@mitre.org](https://chaos.social/@icing/111210915918780532)\n- [cve@mitre.org](https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764)\n- [cve@mitre.org](https://github.com/alibaba/tengine/issues/1872)\n- [cve@mitre.org](https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2)\n- [cve@mitre.org](https://github.com/bcdannyboy/CVE-2023-44487)\n- [cve@mitre.org](https://github.com/caddyserver/caddy/issues/5877)\n- [cve@mitre.org](https://github.com/eclipse/jetty.project/issues/10679)\n- [cve@mitre.org](https://github.com/envoyproxy/envoy/pull/30055)\n- [cve@mitre.org](https://github.com/haproxy/haproxy/issues/2312)\n- [cve@mitre.org](https://github.com/hyperium/hyper/issues/3337)\n- [cve@mitre.org](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [cve@mitre.org](https://github.com/nghttp2/nghttp2/pull/1961)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37830987)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37830998)\n- [cve@mitre.org](https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/)\n- [cve@mitre.org](https://github.com/grpc/grpc-go/pull/6703)\n- [cve@mitre.org](https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244)\n- [cve@mitre.org](https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0)\n- [cve@mitre.org](https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html)\n- [cve@mitre.org](https://my.f5.com/manage/s/article/K000137106)\n- [cve@mitre.org](https://bugzilla.proxmox.com/show_bug.cgi?id=4988)\n- [cve@mitre.org](https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9)\n- [cve@mitre.org](https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/)\n- [cve@mitre.org](https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve)\n- [cve@mitre.org](https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088)\n- [cve@mitre.org](https://github.com/advisories/GHSA-vx74-f528-fxqg)\n- [cve@mitre.org](https://github.com/apache/trafficserver/pull/10564)\n- [cve@mitre.org](https://github.com/dotnet/announcements/issues/277)\n- [cve@mitre.org](https://github.com/facebook/proxygen/pull/466)\n- [cve@mitre.org](https://github.com/golang/go/issues/63417)\n- [cve@mitre.org](https://github.com/h2o/h2o/pull/3291)\n- [cve@mitre.org](https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf)\n- [cve@mitre.org](https://github.com/micrictor/http2-rst-stream)\n- [cve@mitre.org](https://github.com/microsoft/CBL-Mariner/pull/6381)\n- [cve@mitre.org](https://github.com/nodejs/node/pull/50121)\n- [cve@mitre.org](https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo)\n- [cve@mitre.org](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487)\n- [cve@mitre.org](https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/)\n- [cve@mitre.org](https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q)\n- [cve@mitre.org](https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected)\n- [cve@mitre.org](https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14)\n- [cve@mitre.org](https://www.openwall.com/lists/oss-security/2023/10/10/6)\n- [cve@mitre.org](https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73)\n- [cve@mitre.org](https://github.com/advisories/GHSA-xpw8-rcwv-8f8p)\n- [cve@mitre.org](https://github.com/kubernetes/kubernetes/pull/121120)\n- [cve@mitre.org](https://github.com/opensearch-project/data-prepper/issues/3474)\n- [cve@mitre.org](https://github.com/oqtane/oqtane.framework/discussions/3367)\n- [cve@mitre.org](https://netty.io/news/2023/10/10/4-1-100-Final.html)\n- [cve@mitre.org](https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487)\n- [cve@mitre.org](https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack)\n- [cve@mitre.org](https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113)\n- [cve@mitre.org](https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1)\n- [cve@mitre.org](https://github.com/kazu-yamamoto/http2/issues/93)\n- [cve@mitre.org](https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37837043)\n- [cve@mitre.org](https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5521)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5522)\n- [cve@mitre.org](https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/)\n- [cve@mitre.org](https://access.redhat.com/security/cve/cve-2023-44487)\n- [cve@mitre.org](https://blog.vespa.ai/cve-2023-44487/)\n- [cve@mitre.org](https://bugzilla.redhat.com/show_bug.cgi?id=2242803)\n- [cve@mitre.org](https://bugzilla.suse.com/show_bug.cgi?id=1216123)\n- [cve@mitre.org](https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125)\n- [cve@mitre.org](https://github.com/advisories/GHSA-qppj-fm5r-hxr3)\n- [cve@mitre.org](https://github.com/etcd-io/etcd/issues/16740)\n- [cve@mitre.org](https://github.com/junkurihara/rust-rpxy/issues/97)\n- [cve@mitre.org](https://github.com/ninenines/cowboy/issues/1615)\n- [cve@mitre.org](https://github.com/tempesta-tech/tempesta/issues/1986)\n- [cve@mitre.org](https://github.com/varnishcache/varnish-cache/issues/3996)\n- [cve@mitre.org](https://istio.io/latest/news/security/istio-security-2023-004/)\n- [cve@mitre.org](https://ubuntu.com/security/CVE-2023-44487)\n- [cve@mitre.org](https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event)\n- [cve@mitre.org](https://github.com/apache/httpd-site/pull/10)\n- [cve@mitre.org](https://github.com/line/armeria/pull/5232)\n- [cve@mitre.org](https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632)\n- [cve@mitre.org](https://github.com/projectcontour/contour/pull/5826)\n- [cve@mitre.org](https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:15:10.883000Z", "dockerBaseImage": "ruby:3.2.2-alpine3.18", "dockerfileInstruction": "apk add nodejs", "epssDetails": null, "exploit": "High", "fixedIn": [ "1.57.0-r0" ], "from": [ "docker-image|cyberdojo/shas@*", "curl/curl@8.3.0-r0", "curl/libcurl@8.3.0-r0", "nghttp2/nghttp2-libs@1.55.1-r0" ], "id": "SNYK-ALPINE318-NGHTTP2-5954768", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-12T01:11:09.035012Z", "name": "nghttp2/nghttp2-libs", "nearestFixedInVersion": "1.57.0-r0", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "nghttp2", "patches": [], "publicationTime": "2023-10-11T04:04:38.608135Z", "references": [ { "title": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/", "url": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/" }, { "title": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/", "url": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/" }, { "title": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/", "url": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/" }, { "title": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "https://news.ycombinator.com/item?id=37831062", "url": "https://news.ycombinator.com/item?id=37831062" }, { "title": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/", "url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/" }, { "title": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack", "url": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack" }, { "title": "https://chaos.social/@icing/111210915918780532", "url": "https://chaos.social/@icing/111210915918780532" }, { "title": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764", "url": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764" }, { "title": "https://github.com/alibaba/tengine/issues/1872", "url": "https://github.com/alibaba/tengine/issues/1872" }, { "title": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2", "url": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2" }, { "title": "https://github.com/bcdannyboy/CVE-2023-44487", "url": "https://github.com/bcdannyboy/CVE-2023-44487" }, { "title": "https://github.com/caddyserver/caddy/issues/5877", "url": "https://github.com/caddyserver/caddy/issues/5877" }, { "title": "https://github.com/eclipse/jetty.project/issues/10679", "url": "https://github.com/eclipse/jetty.project/issues/10679" }, { "title": "https://github.com/envoyproxy/envoy/pull/30055", "url": "https://github.com/envoyproxy/envoy/pull/30055" }, { "title": "https://github.com/haproxy/haproxy/issues/2312", "url": "https://github.com/haproxy/haproxy/issues/2312" }, { "title": "https://github.com/hyperium/hyper/issues/3337", "url": "https://github.com/hyperium/hyper/issues/3337" }, { "title": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "https://github.com/nghttp2/nghttp2/pull/1961", "url": "https://github.com/nghttp2/nghttp2/pull/1961" }, { "title": "https://news.ycombinator.com/item?id=37830987", "url": "https://news.ycombinator.com/item?id=37830987" }, { "title": "https://news.ycombinator.com/item?id=37830998", "url": "https://news.ycombinator.com/item?id=37830998" }, { "title": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/", "url": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/" }, { "title": "https://github.com/grpc/grpc-go/pull/6703", "url": "https://github.com/grpc/grpc-go/pull/6703" }, { "title": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1%23L239-L244", "url": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1%23L239-L244" }, { "title": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0", "url": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0" }, { "title": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html", "url": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html" }, { "title": "https://my.f5.com/manage/s/article/K000137106", "url": "https://my.f5.com/manage/s/article/K000137106" }, { "title": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988", "url": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988" }, { "title": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9", "url": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9" }, { "title": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/", "url": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/" }, { "title": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve", "url": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve" }, { "title": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088", "url": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088" }, { "title": "https://github.com/advisories/GHSA-vx74-f528-fxqg", "url": "https://github.com/advisories/GHSA-vx74-f528-fxqg" }, { "title": "https://github.com/apache/trafficserver/pull/10564", "url": "https://github.com/apache/trafficserver/pull/10564" }, { "title": "https://github.com/dotnet/announcements/issues/277", "url": "https://github.com/dotnet/announcements/issues/277" }, { "title": "https://github.com/facebook/proxygen/pull/466", "url": "https://github.com/facebook/proxygen/pull/466" }, { "title": "https://github.com/golang/go/issues/63417", "url": "https://github.com/golang/go/issues/63417" }, { "title": "https://github.com/h2o/h2o/pull/3291", "url": "https://github.com/h2o/h2o/pull/3291" }, { "title": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf", "url": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf" }, { "title": "https://github.com/micrictor/http2-rst-stream", "url": "https://github.com/micrictor/http2-rst-stream" }, { "title": "https://github.com/microsoft/CBL-Mariner/pull/6381", "url": "https://github.com/microsoft/CBL-Mariner/pull/6381" }, { "title": "https://github.com/nodejs/node/pull/50121", "url": "https://github.com/nodejs/node/pull/50121" }, { "title": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo", "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo" }, { "title": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487" }, { "title": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/", "url": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/" }, { "title": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q", "url": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q" }, { "title": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected", "url": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected" }, { "title": "https://tomcat.apache.org/security-10.html%23Fixed_in_Apache_Tomcat_10.1.14", "url": "https://tomcat.apache.org/security-10.html%23Fixed_in_Apache_Tomcat_10.1.14" }, { "title": "https://www.openwall.com/lists/oss-security/2023/10/10/6", "url": "https://www.openwall.com/lists/oss-security/2023/10/10/6" }, { "title": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1%23L73", "url": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1%23L73" }, { "title": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p", "url": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p" }, { "title": "https://github.com/kubernetes/kubernetes/pull/121120", "url": "https://github.com/kubernetes/kubernetes/pull/121120" }, { "title": "https://github.com/opensearch-project/data-prepper/issues/3474", "url": "https://github.com/opensearch-project/data-prepper/issues/3474" }, { "title": "https://github.com/oqtane/oqtane.framework/discussions/3367", "url": "https://github.com/oqtane/oqtane.framework/discussions/3367" }, { "title": "https://netty.io/news/2023/10/10/4-1-100-Final.html", "url": "https://netty.io/news/2023/10/10/4-1-100-Final.html" }, { "title": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487", "url": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487" }, { "title": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack", "url": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack" }, { "title": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c%23L1101-L1113", "url": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c%23L1101-L1113" }, { "title": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1", "url": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1" }, { "title": "https://github.com/kazu-yamamoto/http2/issues/93", "url": "https://github.com/kazu-yamamoto/http2/issues/93" }, { "title": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html", "url": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html" }, { "title": "https://news.ycombinator.com/item?id=37837043", "url": "https://news.ycombinator.com/item?id=37837043" }, { "title": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487", "url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487" }, { "title": "https://www.debian.org/security/2023/dsa-5521", "url": "https://www.debian.org/security/2023/dsa-5521" }, { "title": "https://www.debian.org/security/2023/dsa-5522", "url": "https://www.debian.org/security/2023/dsa-5522" }, { "title": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/", "url": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/" }, { "title": "https://access.redhat.com/security/cve/cve-2023-44487", "url": "https://access.redhat.com/security/cve/cve-2023-44487" }, { "title": "https://blog.vespa.ai/cve-2023-44487/", "url": "https://blog.vespa.ai/cve-2023-44487/" }, { "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803" }, { "title": "https://bugzilla.suse.com/show_bug.cgi?id=1216123", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1216123" }, { "title": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125", "url": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125" }, { "title": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", "url": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3" }, { "title": "https://github.com/etcd-io/etcd/issues/16740", "url": "https://github.com/etcd-io/etcd/issues/16740" }, { "title": "https://github.com/junkurihara/rust-rpxy/issues/97", "url": "https://github.com/junkurihara/rust-rpxy/issues/97" }, { "title": "https://github.com/ninenines/cowboy/issues/1615", "url": "https://github.com/ninenines/cowboy/issues/1615" }, { "title": "https://github.com/tempesta-tech/tempesta/issues/1986", "url": "https://github.com/tempesta-tech/tempesta/issues/1986" }, { "title": "https://github.com/varnishcache/varnish-cache/issues/3996", "url": "https://github.com/varnishcache/varnish-cache/issues/3996" }, { "title": "https://istio.io/latest/news/security/istio-security-2023-004/", "url": "https://istio.io/latest/news/security/istio-security-2023-004/" }, { "title": "https://ubuntu.com/security/CVE-2023-44487", "url": "https://ubuntu.com/security/CVE-2023-44487" }, { "title": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event", "url": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event" }, { "title": "https://github.com/apache/httpd-site/pull/10", "url": "https://github.com/apache/httpd-site/pull/10" }, { "title": "https://github.com/line/armeria/pull/5232", "url": "https://github.com/line/armeria/pull/5232" }, { "title": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632", "url": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632" }, { "title": "https://github.com/projectcontour/contour/pull/5826", "url": "https://github.com/projectcontour/contour/pull/5826" }, { "title": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/", "url": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/" }, { "title": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<1.57.0-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Resource Exhaustion", "upgradePath": [], "version": "1.55.1-r0" } ] }, "created_at": 1697097977.7158828, "has_audit_package": true }