shas-archived-at-1705491385
UX for git+image shas
cyberdojo/shas:81ab491
Non-compliant
{ "created_at": 1696224032.592977, "fingerprint": "eaa2885bdceaeb49372ec734bab19f5e3e2d1ce59661fe6f97ad2d10ee39a8b0", "filename": "cyberdojo/shas:81ab491", "git_commit": "81ab49132e118a98b5c2e3f9e447a6bc3a472379", "build_url": "https://github.com/cyber-dojo/shas/actions/runs/6376298305", "commit_url": "https://github.com/cyber-dojo/shas/commit/81ab49132e118a98b5c2e3f9e447a6bc3a472379", "evidence": { "branch-coverage": { "evidence_type": "generic", "is_compliant": true, "build_url": "https://github.com/cyber-dojo/shas/actions/runs/6376298305", "description": "server & client branch-coverage reports", "user_data": { "client": { "command_name": "Minitest", "groups": { "app": { "branches": { "covered": 1, "missed": 1, "total": 2 }, "lines": { "covered": 52, "missed": 0, "total": 52 } }, "test": { "branches": { "covered": 0, "missed": 0, "total": 0 }, "lines": { "covered": 0, "missed": 0, "total": 0 } } }, "timestamp": 1696224014 }, "server": { "command_name": "Minitest", "groups": { "app": { "branches": { "covered": 0, "missed": 0, "total": 0 }, "lines": { "covered": 69, "missed": 0, "total": 69 } }, "test": { "branches": { "covered": 0, "missed": 0, "total": 0 }, "lines": { "covered": 0, "missed": 0, "total": 0 } } }, "timestamp": 1696224008 } }, "created_at": 1696224034.3924313, "has_audit_package": false }, "snyk-scan": { "evidence_type": "snyk", "is_compliant": false, "build_url": "https://github.com/cyber-dojo/snyk_scans/actions/runs/6492936605", "evidence_archive_fingerprint": "9d440cce891ab3a302ef52b100fb125529881041853192672140ccf73db597a9", "user_data": {}, "snyk_results": { "applications": [ { "dependencyCount": 0, "displayTargetFile": "/usr/local/bundle/gems/concurrent-ruby-1.2.2/lib/concurrent-ruby/concurrent", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { 
"instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "maven", "path": "cyberdojo/shas@sha256:eaa2885bdceaeb49372ec734bab19f5e3e2d1ce59661fe6f97ad2d10ee39a8b0/shas@sha256:eaa2885bdceaeb49372ec734bab19f5e3e2d1ce59661fe6f97ad2d10ee39a8b0:/usr/local/bundle/gems/concurrent-ruby-1.2.2/lib/concurrent-ruby/concurrent", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n", "projectName": "cyberdojo/shas@sha256:eaa2885bdceaeb49372ec734bab19f5e3e2d1ce59661fe6f97ad2d10ee39a8b0:/usr/local/bundle/gems/concurrent-ruby-1.2.2/lib/concurrent-ruby/concurrent", 
"severityThreshold": "medium", "summary": "No medium or high or critical severity vulnerabilities", "targetFile": "/usr/local/bundle/gems/concurrent-ruby-1.2.2/lib/concurrent-ruby/concurrent", "uniqueCount": 0, "vulnerabilities": [] } ], "dependencyCount": 80, "docker": { "baseImage": "ruby:3.2.2-alpine3.18", "baseImageRemediation": { "advice": [ { "bold": true, "message": "According to our scan, you are currently using the most secure version of the selected base image" } ], "code": "NO_REMEDIATION_AVAILABLE" }, "binariesVulns": { "affectedPkgs": {}, "issuesData": {} } }, "filesystemPolicy": true, "filtered": { "ignore": [], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": 
"MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": false, "org": "jonjagger", "packageManager": "apk", "path": "cyberdojo/shas@sha256:eaa2885bdceaeb49372ec734bab19f5e3e2d1ce59661fe6f97ad2d10ee39a8b0/shas", "platform": "linux/amd64", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n", "projectName": "docker-image|cyberdojo/shas", "severityThreshold": "medium", "summary": "6 medium or high or critical severity vulnerable dependency paths", "uniqueCount": 2, "vulnerabilities": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L/E:P", "cpes": [], "creationTime": "2023-10-11T11:45:04.817337Z", "credit": [], "cvssDetails": [], "cvssScore": 7.7, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `curl` package and not the `curl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nin the `SOCKS5` proxy handshake process when the hostname is longer than the target buffer.\nThe local variable `socks5_resolve_local` could get the wrong value during a slow SOCKS5 handshake.\nSince the code wrongly thinks it should pass on the hostname, even though the hostname is too long to fit, the memory copy can overflow the allocated target buffer. \n\nThis is only exploitable if the SOCKS5 handshake is slow enough to trigger a local variable bug and the client uses a hostname longer than the download buffer.\n\nExploiting this vulnerability could allow an attacker to execute arbitrary code on the target system under certain conditions.\n\n\n**Note:**\n\nAn overflow is only possible in applications that don't set `CURLOPT_BUFFERSIZE` or set it smaller than 65541. 
\nSince the curl tool sets `CURLOPT_BUFFERSIZE` to 100kB by default, it is not vulnerable unless the user sets the rate limiting to a rate smaller than 65541 bytes/second.\n\nThe options that cause SOCKS5 with remote hostname to be used in `libcurl`:\n\n1) `CURLOPT_PROXYTYPE` set to type `CURLPROXY_SOCKS5_HOSTNAME`, or:\n`CURLOPT_PROXY` or `CURLOPT_PRE_PROXY` set to use the scheme `socks5h://`\n\n2) One of the proxy environment variables can be set to use the `socks5h://` scheme. For example, `http_proxy`, `HTTPS_PROXY` or `ALL_PROXY`.\n\n\nThe options that cause SOCKS5 with remote hostname to be used in the `curl` tool:\n\n1) `--socks5-hostname`, `--proxy` or `--preproxy` set to use the scheme `socks5h://`\n\n2) Environment variables as described in the libcurl section.\n\n\n\n**Changelog:**\n\n2023-10-04: Initial publication\n\n2023-10-11: Published updated information, including CWE, CVSS, official references and affected versions range.\n## Remediation\nUpgrade `Alpine:3.18` `curl` to version 8.4.0-r0 or higher.\n", "disclosureTime": null, "dockerBaseImage": "ruby:3.2.2-alpine3.18", "epssDetails": null, "exploit": "Proof of Concept", "fixedIn": [ "8.4.0-r0" ], "from": [ "docker-image|cyberdojo/shas@*", "curl/libcurl@8.3.0-r0" ], "id": "SNYK-ALPINE318-CURL-5958913", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-38545" ], "CWE": [ "CWE-122" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2023-10-12T06:20:00.497141Z", "name": "curl/libcurl", "nearestFixedInVersion": "8.4.0-r0", "nvdSeverity": null, "packageManager": "alpine:3.18", "packageName": "curl", "patches": [], "publicationTime": "2023-10-11T11:43:48.209416Z", "references": [], "relativeImportance": null, "semver": { "vulnerable": [ "<8.4.0-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Heap-based Buffer Overflow", 
"upgradePath": [ false, "curl/libcurl@8.4.0-r0" ], "version": "8.3.0-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L/E:P", "cpes": [], "creationTime": "2023-10-11T11:45:04.817337Z", "credit": [], "cvssDetails": [], "cvssScore": 7.7, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `curl` package and not the `curl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nin the `SOCKS5` proxy handshake process when the hostname is longer than the target buffer.\nThe local variable `socks5_resolve_local` could get the wrong value during a slow SOCKS5 handshake.\nSince the code wrongly thinks it should pass on the hostname, even though the hostname is too long to fit, the memory copy can overflow the allocated target buffer. \n\nThis is only exploitable if the SOCKS5 handshake is slow enough to trigger a local variable bug and the client uses a hostname longer than the download buffer.\n\nExploiting this vulnerability could allow an attacker to execute arbitrary code on the target system under certain conditions.\n\n\n**Note:**\n\nAn overflow is only possible in applications that don't set `CURLOPT_BUFFERSIZE` or set it smaller than 65541. \nSince the curl tool sets `CURLOPT_BUFFERSIZE` to 100kB by default, it is not vulnerable unless the user sets the rate limiting to a rate smaller than 65541 bytes/second.\n\nThe options that cause SOCKS5 with remote hostname to be used in `libcurl`:\n\n1) `CURLOPT_PROXYTYPE` set to type `CURLPROXY_SOCKS5_HOSTNAME`, or:\n`CURLOPT_PROXY` or `CURLOPT_PRE_PROXY` set to use the scheme `socks5h://`\n\n2) One of the proxy environment variables can be set to use the `socks5h://` scheme. 
For example, `http_proxy`, `HTTPS_PROXY` or `ALL_PROXY`.\n\n\nThe options that cause SOCKS5 with remote hostname to be used in the `curl` tool:\n\n1) `--socks5-hostname`, `--proxy` or `--preproxy` set to use the scheme `socks5h://`\n\n2) Environment variables as described in the libcurl section.\n\n\n\n**Changelog:**\n\n2023-10-04: Initial publication\n\n2023-10-11: Published updated information, including CWE, CVSS, official references and affected versions range.\n## Remediation\nUpgrade `Alpine:3.18` `curl` to version 8.4.0-r0 or higher.\n", "disclosureTime": null, "dockerBaseImage": "ruby:3.2.2-alpine3.18", "epssDetails": null, "exploit": "Proof of Concept", "fixedIn": [ "8.4.0-r0" ], "from": [ "docker-image|cyberdojo/shas@*", "curl/curl@8.3.0-r0", "curl/libcurl@8.3.0-r0" ], "id": "SNYK-ALPINE318-CURL-5958913", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-38545" ], "CWE": [ "CWE-122" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-12T06:20:00.497141Z", "name": "curl/libcurl", "nearestFixedInVersion": "8.4.0-r0", "nvdSeverity": null, "packageManager": "alpine:3.18", "packageName": "curl", "patches": [], "publicationTime": "2023-10-11T11:43:48.209416Z", "references": [], "relativeImportance": null, "semver": { "vulnerable": [ "<8.4.0-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Heap-based Buffer Overflow", "upgradePath": [], "version": "8.3.0-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L/E:P", "cpes": [], "creationTime": "2023-10-11T11:45:04.817337Z", "credit": [], "cvssDetails": [], "cvssScore": 7.7, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `curl` package and not the `curl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and 
status._\n\nin the `SOCKS5` proxy handshake process when the hostname is longer than the target buffer.\nThe local variable `socks5_resolve_local` could get the wrong value during a slow SOCKS5 handshake.\nSince the code wrongly thinks it should pass on the hostname, even though the hostname is too long to fit, the memory copy can overflow the allocated target buffer. \n\nThis is only exploitable if the SOCKS5 handshake is slow enough to trigger a local variable bug and the client uses a hostname longer than the download buffer.\n\nExploiting this vulnerability could allow an attacker to execute arbitrary code on the target system under certain conditions.\n\n\n**Note:**\n\nAn overflow is only possible in applications that don't set `CURLOPT_BUFFERSIZE` or set it smaller than 65541. \nSince the curl tool sets `CURLOPT_BUFFERSIZE` to 100kB by default, it is not vulnerable unless the user sets the rate limiting to a rate smaller than 65541 bytes/second.\n\nThe options that cause SOCKS5 with remote hostname to be used in `libcurl`:\n\n1) `CURLOPT_PROXYTYPE` set to type `CURLPROXY_SOCKS5_HOSTNAME`, or:\n`CURLOPT_PROXY` or `CURLOPT_PRE_PROXY` set to use the scheme `socks5h://`\n\n2) One of the proxy environment variables can be set to use the `socks5h://` scheme. 
For example, `http_proxy`, `HTTPS_PROXY` or `ALL_PROXY`.\n\n\nThe options that cause SOCKS5 with remote hostname to be used in the `curl` tool:\n\n1) `--socks5-hostname`, `--proxy` or `--preproxy` set to use the scheme `socks5h://`\n\n2) Environment variables as described in the libcurl section.\n\n\n\n**Changelog:**\n\n2023-10-04: Initial publication\n\n2023-10-11: Published updated information, including CWE, CVSS, official references and affected versions range.\n## Remediation\nUpgrade `Alpine:3.18` `curl` to version 8.4.0-r0 or higher.\n", "disclosureTime": null, "dockerBaseImage": "ruby:3.2.2-alpine3.18", "epssDetails": null, "exploit": "Proof of Concept", "fixedIn": [ "8.4.0-r0" ], "from": [ "docker-image|cyberdojo/shas@*", "curl/curl@8.3.0-r0" ], "id": "SNYK-ALPINE318-CURL-5958913", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-38545" ], "CWE": [ "CWE-122" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2023-10-12T06:20:00.497141Z", "name": "curl/curl", "nearestFixedInVersion": "8.4.0-r0", "nvdSeverity": null, "packageManager": "alpine:3.18", "packageName": "curl", "patches": [], "publicationTime": "2023-10-11T11:43:48.209416Z", "references": [], "relativeImportance": null, "semver": { "vulnerable": [ "<8.4.0-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Heap-based Buffer Overflow", "upgradePath": [ false, "curl/curl@8.4.0-r0" ], "version": "8.3.0-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "cpes": [], "creationTime": "2023-10-11T04:04:38.629011Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "modificationTime": "2023-10-11T14:31:08.807516Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned 
in the description apply only to the upstream `nghttp2` package and not the `nghttp2` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nThe HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.\n## Remediation\nUpgrade `Alpine:3.18` `nghttp2` to version 1.57.0-r0 or higher.\n## References\n- [cve@mitre.org](https://aws.amazon.com/security/security-bulletins/AWS-2023-011/)\n- [cve@mitre.org](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [cve@mitre.org](https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/)\n- [cve@mitre.org](https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/)\n- [cve@mitre.org](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37831062)\n- [cve@mitre.org](https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/)\n- [cve@mitre.org](https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack)\n- [cve@mitre.org](https://chaos.social/@icing/111210915918780532)\n- [cve@mitre.org](https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764)\n- [cve@mitre.org](https://github.com/alibaba/tengine/issues/1872)\n- [cve@mitre.org](https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2)\n- [cve@mitre.org](https://github.com/bcdannyboy/CVE-2023-44487)\n- [cve@mitre.org](https://github.com/caddyserver/caddy/issues/5877)\n- [cve@mitre.org](https://github.com/eclipse/jetty.project/issues/10679)\n- [cve@mitre.org](https://github.com/envoyproxy/envoy/pull/30055)\n- [cve@mitre.org](https://github.com/haproxy/haproxy/issues/2312)\n- 
[cve@mitre.org](https://github.com/hyperium/hyper/issues/3337)\n- [cve@mitre.org](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [cve@mitre.org](https://github.com/nghttp2/nghttp2/pull/1961)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37830987)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37830998)\n- [cve@mitre.org](https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/)\n- [cve@mitre.org](https://github.com/grpc/grpc-go/pull/6703)\n- [cve@mitre.org](https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244)\n- [cve@mitre.org](https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0)\n- [cve@mitre.org](https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html)\n- [cve@mitre.org](https://my.f5.com/manage/s/article/K000137106)\n- [cve@mitre.org](https://bugzilla.proxmox.com/show_bug.cgi?id=4988)\n- [cve@mitre.org](https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9)\n- [cve@mitre.org](https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/)\n- [cve@mitre.org](https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve)\n- [cve@mitre.org](https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088)\n- [cve@mitre.org](https://github.com/advisories/GHSA-vx74-f528-fxqg)\n- [cve@mitre.org](https://github.com/apache/trafficserver/pull/10564)\n- [cve@mitre.org](https://github.com/dotnet/announcements/issues/277)\n- [cve@mitre.org](https://github.com/facebook/proxygen/pull/466)\n- [cve@mitre.org](https://github.com/golang/go/issues/63417)\n- [cve@mitre.org](https://github.com/h2o/h2o/pull/3291)\n- [cve@mitre.org](https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf)\n- [cve@mitre.org](https://github.com/micrictor/http2-rst-stream)\n- 
[cve@mitre.org](https://github.com/microsoft/CBL-Mariner/pull/6381)\n- [cve@mitre.org](https://github.com/nodejs/node/pull/50121)\n- [cve@mitre.org](https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo)\n- [cve@mitre.org](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487)\n- [cve@mitre.org](https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/)\n- [cve@mitre.org](https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q)\n- [cve@mitre.org](https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected)\n- [cve@mitre.org](https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14)\n- [cve@mitre.org](https://www.openwall.com/lists/oss-security/2023/10/10/6)\n- [cve@mitre.org](https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73)\n- [cve@mitre.org](https://github.com/advisories/GHSA-xpw8-rcwv-8f8p)\n- [cve@mitre.org](https://github.com/kubernetes/kubernetes/pull/121120)\n- [cve@mitre.org](https://github.com/opensearch-project/data-prepper/issues/3474)\n- [cve@mitre.org](https://github.com/oqtane/oqtane.framework/discussions/3367)\n- [cve@mitre.org](https://netty.io/news/2023/10/10/4-1-100-Final.html)\n- [cve@mitre.org](https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487)\n- [cve@mitre.org](https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack)\n- [cve@mitre.org](https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113)\n- [cve@mitre.org](https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1)\n- [cve@mitre.org](https://github.com/kazu-yamamoto/http2/issues/93)\n- [cve@mitre.org](https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html)\n- 
[cve@mitre.org](https://news.ycombinator.com/item?id=37837043)\n- [cve@mitre.org](https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5521)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5522)\n- [cve@mitre.org](https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/)\n- [cve@mitre.org](https://access.redhat.com/security/cve/cve-2023-44487)\n- [cve@mitre.org](https://blog.vespa.ai/cve-2023-44487/)\n- [cve@mitre.org](https://bugzilla.redhat.com/show_bug.cgi?id=2242803)\n- [cve@mitre.org](https://bugzilla.suse.com/show_bug.cgi?id=1216123)\n- [cve@mitre.org](https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125)\n- [cve@mitre.org](https://github.com/advisories/GHSA-qppj-fm5r-hxr3)\n- [cve@mitre.org](https://github.com/etcd-io/etcd/issues/16740)\n- [cve@mitre.org](https://github.com/junkurihara/rust-rpxy/issues/97)\n- [cve@mitre.org](https://github.com/ninenines/cowboy/issues/1615)\n- [cve@mitre.org](https://github.com/tempesta-tech/tempesta/issues/1986)\n- [cve@mitre.org](https://github.com/varnishcache/varnish-cache/issues/3996)\n- [cve@mitre.org](https://istio.io/latest/news/security/istio-security-2023-004/)\n- [cve@mitre.org](https://ubuntu.com/security/CVE-2023-44487)\n- [cve@mitre.org](https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event)\n- [cve@mitre.org](https://github.com/apache/httpd-site/pull/10)\n- [cve@mitre.org](https://github.com/line/armeria/pull/5232)\n- [cve@mitre.org](https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632)\n- [cve@mitre.org](https://github.com/projectcontour/contour/pull/5826)\n- [cve@mitre.org](https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": 
"2023-10-10T14:15:10.883000Z", "dockerBaseImage": "ruby:3.2.2-alpine3.18", "dockerfileInstruction": "apk add nodejs", "epssDetails": null, "exploit": "High", "fixedIn": [ "1.57.0-r0" ], "from": [ "docker-image|cyberdojo/shas@*", "nghttp2/nghttp2-libs@1.55.1-r0" ], "id": "SNYK-ALPINE318-NGHTTP2-5954768", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2023-10-12T01:11:09.035012Z", "name": "nghttp2/nghttp2-libs", "nearestFixedInVersion": "1.57.0-r0", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "nghttp2", "patches": [], "publicationTime": "2023-10-11T04:04:38.608135Z", "references": [ { "title": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/", "url": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/" }, { "title": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/", "url": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/" }, { "title": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/", "url": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/" }, { "title": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "https://news.ycombinator.com/item?id=37831062", "url": 
"https://news.ycombinator.com/item?id=37831062" }, { "title": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/", "url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/" }, { "title": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack", "url": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack" }, { "title": "https://chaos.social/@icing/111210915918780532", "url": "https://chaos.social/@icing/111210915918780532" }, { "title": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764", "url": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764" }, { "title": "https://github.com/alibaba/tengine/issues/1872", "url": "https://github.com/alibaba/tengine/issues/1872" }, { "title": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2", "url": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2" }, { "title": "https://github.com/bcdannyboy/CVE-2023-44487", "url": "https://github.com/bcdannyboy/CVE-2023-44487" }, { "title": "https://github.com/caddyserver/caddy/issues/5877", "url": "https://github.com/caddyserver/caddy/issues/5877" }, { "title": "https://github.com/eclipse/jetty.project/issues/10679", "url": "https://github.com/eclipse/jetty.project/issues/10679" }, { "title": "https://github.com/envoyproxy/envoy/pull/30055", "url": "https://github.com/envoyproxy/envoy/pull/30055" }, { "title": "https://github.com/haproxy/haproxy/issues/2312", "url": "https://github.com/haproxy/haproxy/issues/2312" }, { "title": "https://github.com/hyperium/hyper/issues/3337", "url": "https://github.com/hyperium/hyper/issues/3337" }, { "title": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "https://github.com/nghttp2/nghttp2/pull/1961", "url": 
"https://github.com/nghttp2/nghttp2/pull/1961" }, { "title": "https://news.ycombinator.com/item?id=37830987", "url": "https://news.ycombinator.com/item?id=37830987" }, { "title": "https://news.ycombinator.com/item?id=37830998", "url": "https://news.ycombinator.com/item?id=37830998" }, { "title": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/", "url": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/" }, { "title": "https://github.com/grpc/grpc-go/pull/6703", "url": "https://github.com/grpc/grpc-go/pull/6703" }, { "title": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1%23L239-L244", "url": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1%23L239-L244" }, { "title": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0", "url": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0" }, { "title": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html", "url": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html" }, { "title": "https://my.f5.com/manage/s/article/K000137106", "url": "https://my.f5.com/manage/s/article/K000137106" }, { "title": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988", "url": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988" }, { "title": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9", "url": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9" }, { "title": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/", "url": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/" }, { "title": 
"https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve", "url": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve" }, { "title": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088", "url": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088" }, { "title": "https://github.com/advisories/GHSA-vx74-f528-fxqg", "url": "https://github.com/advisories/GHSA-vx74-f528-fxqg" }, { "title": "https://github.com/apache/trafficserver/pull/10564", "url": "https://github.com/apache/trafficserver/pull/10564" }, { "title": "https://github.com/dotnet/announcements/issues/277", "url": "https://github.com/dotnet/announcements/issues/277" }, { "title": "https://github.com/facebook/proxygen/pull/466", "url": "https://github.com/facebook/proxygen/pull/466" }, { "title": "https://github.com/golang/go/issues/63417", "url": "https://github.com/golang/go/issues/63417" }, { "title": "https://github.com/h2o/h2o/pull/3291", "url": "https://github.com/h2o/h2o/pull/3291" }, { "title": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf", "url": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf" }, { "title": "https://github.com/micrictor/http2-rst-stream", "url": "https://github.com/micrictor/http2-rst-stream" }, { "title": "https://github.com/microsoft/CBL-Mariner/pull/6381", "url": "https://github.com/microsoft/CBL-Mariner/pull/6381" }, { "title": "https://github.com/nodejs/node/pull/50121", "url": "https://github.com/nodejs/node/pull/50121" }, { "title": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo", "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo" }, { "title": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487" }, { "title": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/", "url": 
"https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/" }, { "title": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q", "url": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q" }, { "title": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected", "url": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected" }, { "title": "https://tomcat.apache.org/security-10.html%23Fixed_in_Apache_Tomcat_10.1.14", "url": "https://tomcat.apache.org/security-10.html%23Fixed_in_Apache_Tomcat_10.1.14" }, { "title": "https://www.openwall.com/lists/oss-security/2023/10/10/6", "url": "https://www.openwall.com/lists/oss-security/2023/10/10/6" }, { "title": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1%23L73", "url": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1%23L73" }, { "title": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p", "url": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p" }, { "title": "https://github.com/kubernetes/kubernetes/pull/121120", "url": "https://github.com/kubernetes/kubernetes/pull/121120" }, { "title": "https://github.com/opensearch-project/data-prepper/issues/3474", "url": "https://github.com/opensearch-project/data-prepper/issues/3474" }, { "title": "https://github.com/oqtane/oqtane.framework/discussions/3367", "url": "https://github.com/oqtane/oqtane.framework/discussions/3367" }, { "title": "https://netty.io/news/2023/10/10/4-1-100-Final.html", "url": "https://netty.io/news/2023/10/10/4-1-100-Final.html" }, { "title": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487", "url": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487" }, { "title": 
"https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack", "url": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack" }, { "title": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c%23L1101-L1113", "url": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c%23L1101-L1113" }, { "title": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1", "url": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1" }, { "title": "https://github.com/kazu-yamamoto/http2/issues/93", "url": "https://github.com/kazu-yamamoto/http2/issues/93" }, { "title": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html", "url": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html" }, { "title": "https://news.ycombinator.com/item?id=37837043", "url": "https://news.ycombinator.com/item?id=37837043" }, { "title": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487", "url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487" }, { "title": "https://www.debian.org/security/2023/dsa-5521", "url": "https://www.debian.org/security/2023/dsa-5521" }, { "title": "https://www.debian.org/security/2023/dsa-5522", "url": "https://www.debian.org/security/2023/dsa-5522" }, { "title": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/", "url": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/" }, { "title": "https://access.redhat.com/security/cve/cve-2023-44487", "url": "https://access.redhat.com/security/cve/cve-2023-44487" }, { "title": "https://blog.vespa.ai/cve-2023-44487/", "url": "https://blog.vespa.ai/cve-2023-44487/" }, { 
"title": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803" }, { "title": "https://bugzilla.suse.com/show_bug.cgi?id=1216123", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1216123" }, { "title": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125", "url": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125" }, { "title": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", "url": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3" }, { "title": "https://github.com/etcd-io/etcd/issues/16740", "url": "https://github.com/etcd-io/etcd/issues/16740" }, { "title": "https://github.com/junkurihara/rust-rpxy/issues/97", "url": "https://github.com/junkurihara/rust-rpxy/issues/97" }, { "title": "https://github.com/ninenines/cowboy/issues/1615", "url": "https://github.com/ninenines/cowboy/issues/1615" }, { "title": "https://github.com/tempesta-tech/tempesta/issues/1986", "url": "https://github.com/tempesta-tech/tempesta/issues/1986" }, { "title": "https://github.com/varnishcache/varnish-cache/issues/3996", "url": "https://github.com/varnishcache/varnish-cache/issues/3996" }, { "title": "https://istio.io/latest/news/security/istio-security-2023-004/", "url": "https://istio.io/latest/news/security/istio-security-2023-004/" }, { "title": "https://ubuntu.com/security/CVE-2023-44487", "url": "https://ubuntu.com/security/CVE-2023-44487" }, { "title": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event", "url": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event" }, { "title": "https://github.com/apache/httpd-site/pull/10", "url": "https://github.com/apache/httpd-site/pull/10" }, { "title": "https://github.com/line/armeria/pull/5232", "url": "https://github.com/line/armeria/pull/5232" }, { "title": 
"https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632", "url": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632" }, { "title": "https://github.com/projectcontour/contour/pull/5826", "url": "https://github.com/projectcontour/contour/pull/5826" }, { "title": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/", "url": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/" }, { "title": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<1.57.0-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Resource Exhaustion", "upgradePath": [ false, "nghttp2/nghttp2-libs@1.57.0-r0" ], "version": "1.55.1-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "cpes": [], "creationTime": "2023-10-11T04:04:38.629011Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "modificationTime": "2023-10-11T14:31:08.807516Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `nghttp2` package and not the `nghttp2` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nThe HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.\n## Remediation\nUpgrade `Alpine:3.18` `nghttp2` to version 1.57.0-r0 or higher.\n## References\n- [cve@mitre.org](https://aws.amazon.com/security/security-bulletins/AWS-2023-011/)\n- 
[cve@mitre.org](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [cve@mitre.org](https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/)\n- [cve@mitre.org](https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/)\n- [cve@mitre.org](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37831062)\n- [cve@mitre.org](https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/)\n- [cve@mitre.org](https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack)\n- [cve@mitre.org](https://chaos.social/@icing/111210915918780532)\n- [cve@mitre.org](https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764)\n- [cve@mitre.org](https://github.com/alibaba/tengine/issues/1872)\n- [cve@mitre.org](https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2)\n- [cve@mitre.org](https://github.com/bcdannyboy/CVE-2023-44487)\n- [cve@mitre.org](https://github.com/caddyserver/caddy/issues/5877)\n- [cve@mitre.org](https://github.com/eclipse/jetty.project/issues/10679)\n- [cve@mitre.org](https://github.com/envoyproxy/envoy/pull/30055)\n- [cve@mitre.org](https://github.com/haproxy/haproxy/issues/2312)\n- [cve@mitre.org](https://github.com/hyperium/hyper/issues/3337)\n- [cve@mitre.org](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [cve@mitre.org](https://github.com/nghttp2/nghttp2/pull/1961)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37830987)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37830998)\n- [cve@mitre.org](https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/)\n- [cve@mitre.org](https://github.com/grpc/grpc-go/pull/6703)\n- 
[cve@mitre.org](https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244)\n- [cve@mitre.org](https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0)\n- [cve@mitre.org](https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html)\n- [cve@mitre.org](https://my.f5.com/manage/s/article/K000137106)\n- [cve@mitre.org](https://bugzilla.proxmox.com/show_bug.cgi?id=4988)\n- [cve@mitre.org](https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9)\n- [cve@mitre.org](https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/)\n- [cve@mitre.org](https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve)\n- [cve@mitre.org](https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088)\n- [cve@mitre.org](https://github.com/advisories/GHSA-vx74-f528-fxqg)\n- [cve@mitre.org](https://github.com/apache/trafficserver/pull/10564)\n- [cve@mitre.org](https://github.com/dotnet/announcements/issues/277)\n- [cve@mitre.org](https://github.com/facebook/proxygen/pull/466)\n- [cve@mitre.org](https://github.com/golang/go/issues/63417)\n- [cve@mitre.org](https://github.com/h2o/h2o/pull/3291)\n- [cve@mitre.org](https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf)\n- [cve@mitre.org](https://github.com/micrictor/http2-rst-stream)\n- [cve@mitre.org](https://github.com/microsoft/CBL-Mariner/pull/6381)\n- [cve@mitre.org](https://github.com/nodejs/node/pull/50121)\n- [cve@mitre.org](https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo)\n- [cve@mitre.org](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487)\n- [cve@mitre.org](https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/)\n- [cve@mitre.org](https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q)\n- 
[cve@mitre.org](https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected)\n- [cve@mitre.org](https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14)\n- [cve@mitre.org](https://www.openwall.com/lists/oss-security/2023/10/10/6)\n- [cve@mitre.org](https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73)\n- [cve@mitre.org](https://github.com/advisories/GHSA-xpw8-rcwv-8f8p)\n- [cve@mitre.org](https://github.com/kubernetes/kubernetes/pull/121120)\n- [cve@mitre.org](https://github.com/opensearch-project/data-prepper/issues/3474)\n- [cve@mitre.org](https://github.com/oqtane/oqtane.framework/discussions/3367)\n- [cve@mitre.org](https://netty.io/news/2023/10/10/4-1-100-Final.html)\n- [cve@mitre.org](https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487)\n- [cve@mitre.org](https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack)\n- [cve@mitre.org](https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113)\n- [cve@mitre.org](https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1)\n- [cve@mitre.org](https://github.com/kazu-yamamoto/http2/issues/93)\n- [cve@mitre.org](https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37837043)\n- [cve@mitre.org](https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5521)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5522)\n- [cve@mitre.org](https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/)\n- [cve@mitre.org](https://access.redhat.com/security/cve/cve-2023-44487)\n- 
[cve@mitre.org](https://blog.vespa.ai/cve-2023-44487/)\n- [cve@mitre.org](https://bugzilla.redhat.com/show_bug.cgi?id=2242803)\n- [cve@mitre.org](https://bugzilla.suse.com/show_bug.cgi?id=1216123)\n- [cve@mitre.org](https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125)\n- [cve@mitre.org](https://github.com/advisories/GHSA-qppj-fm5r-hxr3)\n- [cve@mitre.org](https://github.com/etcd-io/etcd/issues/16740)\n- [cve@mitre.org](https://github.com/junkurihara/rust-rpxy/issues/97)\n- [cve@mitre.org](https://github.com/ninenines/cowboy/issues/1615)\n- [cve@mitre.org](https://github.com/tempesta-tech/tempesta/issues/1986)\n- [cve@mitre.org](https://github.com/varnishcache/varnish-cache/issues/3996)\n- [cve@mitre.org](https://istio.io/latest/news/security/istio-security-2023-004/)\n- [cve@mitre.org](https://ubuntu.com/security/CVE-2023-44487)\n- [cve@mitre.org](https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event)\n- [cve@mitre.org](https://github.com/apache/httpd-site/pull/10)\n- [cve@mitre.org](https://github.com/line/armeria/pull/5232)\n- [cve@mitre.org](https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632)\n- [cve@mitre.org](https://github.com/projectcontour/contour/pull/5826)\n- [cve@mitre.org](https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:15:10.883000Z", "dockerBaseImage": "ruby:3.2.2-alpine3.18", "dockerfileInstruction": "apk add nodejs", "epssDetails": null, "exploit": "High", "fixedIn": [ "1.57.0-r0" ], "from": [ "docker-image|cyberdojo/shas@*", "nodejs/nodejs@18.17.1-r0", "nghttp2/nghttp2-libs@1.55.1-r0" ], "id": "SNYK-ALPINE318-NGHTTP2-5954768", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, 
"isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-12T01:11:09.035012Z", "name": "nghttp2/nghttp2-libs", "nearestFixedInVersion": "1.57.0-r0", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "nghttp2", "patches": [], "publicationTime": "2023-10-11T04:04:38.608135Z", "references": [ { "title": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/", "url": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/" }, { "title": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/", "url": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/" }, { "title": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/", "url": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/" }, { "title": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "https://news.ycombinator.com/item?id=37831062", "url": "https://news.ycombinator.com/item?id=37831062" }, { "title": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/", "url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/" }, { "title": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack", "url": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack" }, { "title": "https://chaos.social/@icing/111210915918780532", "url": "https://chaos.social/@icing/111210915918780532" 
}, { "title": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764", "url": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764" }, { "title": "https://github.com/alibaba/tengine/issues/1872", "url": "https://github.com/alibaba/tengine/issues/1872" }, { "title": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2", "url": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2" }, { "title": "https://github.com/bcdannyboy/CVE-2023-44487", "url": "https://github.com/bcdannyboy/CVE-2023-44487" }, { "title": "https://github.com/caddyserver/caddy/issues/5877", "url": "https://github.com/caddyserver/caddy/issues/5877" }, { "title": "https://github.com/eclipse/jetty.project/issues/10679", "url": "https://github.com/eclipse/jetty.project/issues/10679" }, { "title": "https://github.com/envoyproxy/envoy/pull/30055", "url": "https://github.com/envoyproxy/envoy/pull/30055" }, { "title": "https://github.com/haproxy/haproxy/issues/2312", "url": "https://github.com/haproxy/haproxy/issues/2312" }, { "title": "https://github.com/hyperium/hyper/issues/3337", "url": "https://github.com/hyperium/hyper/issues/3337" }, { "title": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "https://github.com/nghttp2/nghttp2/pull/1961", "url": "https://github.com/nghttp2/nghttp2/pull/1961" }, { "title": "https://news.ycombinator.com/item?id=37830987", "url": "https://news.ycombinator.com/item?id=37830987" }, { "title": "https://news.ycombinator.com/item?id=37830998", "url": "https://news.ycombinator.com/item?id=37830998" }, { "title": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/", "url": 
"https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/" }, { "title": "https://github.com/grpc/grpc-go/pull/6703", "url": "https://github.com/grpc/grpc-go/pull/6703" }, { "title": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1%23L239-L244", "url": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1%23L239-L244" }, { "title": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0", "url": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0" }, { "title": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html", "url": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html" }, { "title": "https://my.f5.com/manage/s/article/K000137106", "url": "https://my.f5.com/manage/s/article/K000137106" }, { "title": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988", "url": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988" }, { "title": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9", "url": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9" }, { "title": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/", "url": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/" }, { "title": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve", "url": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve" }, { "title": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088", "url": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088" }, { "title": "https://github.com/advisories/GHSA-vx74-f528-fxqg", "url": "https://github.com/advisories/GHSA-vx74-f528-fxqg" }, { 
"title": "https://github.com/apache/trafficserver/pull/10564", "url": "https://github.com/apache/trafficserver/pull/10564" }, { "title": "https://github.com/dotnet/announcements/issues/277", "url": "https://github.com/dotnet/announcements/issues/277" }, { "title": "https://github.com/facebook/proxygen/pull/466", "url": "https://github.com/facebook/proxygen/pull/466" }, { "title": "https://github.com/golang/go/issues/63417", "url": "https://github.com/golang/go/issues/63417" }, { "title": "https://github.com/h2o/h2o/pull/3291", "url": "https://github.com/h2o/h2o/pull/3291" }, { "title": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf", "url": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf" }, { "title": "https://github.com/micrictor/http2-rst-stream", "url": "https://github.com/micrictor/http2-rst-stream" }, { "title": "https://github.com/microsoft/CBL-Mariner/pull/6381", "url": "https://github.com/microsoft/CBL-Mariner/pull/6381" }, { "title": "https://github.com/nodejs/node/pull/50121", "url": "https://github.com/nodejs/node/pull/50121" }, { "title": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo", "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo" }, { "title": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487" }, { "title": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/", "url": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/" }, { "title": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q", "url": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q" }, { "title": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected", "url": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected" }, { "title": 
"https://tomcat.apache.org/security-10.html%23Fixed_in_Apache_Tomcat_10.1.14", "url": "https://tomcat.apache.org/security-10.html%23Fixed_in_Apache_Tomcat_10.1.14" }, { "title": "https://www.openwall.com/lists/oss-security/2023/10/10/6", "url": "https://www.openwall.com/lists/oss-security/2023/10/10/6" }, { "title": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1%23L73", "url": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1%23L73" }, { "title": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p", "url": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p" }, { "title": "https://github.com/kubernetes/kubernetes/pull/121120", "url": "https://github.com/kubernetes/kubernetes/pull/121120" }, { "title": "https://github.com/opensearch-project/data-prepper/issues/3474", "url": "https://github.com/opensearch-project/data-prepper/issues/3474" }, { "title": "https://github.com/oqtane/oqtane.framework/discussions/3367", "url": "https://github.com/oqtane/oqtane.framework/discussions/3367" }, { "title": "https://netty.io/news/2023/10/10/4-1-100-Final.html", "url": "https://netty.io/news/2023/10/10/4-1-100-Final.html" }, { "title": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487", "url": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487" }, { "title": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack", "url": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack" }, { "title": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c%23L1101-L1113", "url": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c%23L1101-L1113" }, 
{ "title": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1", "url": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1" }, { "title": "https://github.com/kazu-yamamoto/http2/issues/93", "url": "https://github.com/kazu-yamamoto/http2/issues/93" }, { "title": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html", "url": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html" }, { "title": "https://news.ycombinator.com/item?id=37837043", "url": "https://news.ycombinator.com/item?id=37837043" }, { "title": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487", "url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487" }, { "title": "https://www.debian.org/security/2023/dsa-5521", "url": "https://www.debian.org/security/2023/dsa-5521" }, { "title": "https://www.debian.org/security/2023/dsa-5522", "url": "https://www.debian.org/security/2023/dsa-5522" }, { "title": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/", "url": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/" }, { "title": "https://access.redhat.com/security/cve/cve-2023-44487", "url": "https://access.redhat.com/security/cve/cve-2023-44487" }, { "title": "https://blog.vespa.ai/cve-2023-44487/", "url": "https://blog.vespa.ai/cve-2023-44487/" }, { "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803" }, { "title": "https://bugzilla.suse.com/show_bug.cgi?id=1216123", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1216123" }, { "title": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125", "url": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125" }, { "title": 
"https://github.com/advisories/GHSA-qppj-fm5r-hxr3", "url": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3" }, { "title": "https://github.com/etcd-io/etcd/issues/16740", "url": "https://github.com/etcd-io/etcd/issues/16740" }, { "title": "https://github.com/junkurihara/rust-rpxy/issues/97", "url": "https://github.com/junkurihara/rust-rpxy/issues/97" }, { "title": "https://github.com/ninenines/cowboy/issues/1615", "url": "https://github.com/ninenines/cowboy/issues/1615" }, { "title": "https://github.com/tempesta-tech/tempesta/issues/1986", "url": "https://github.com/tempesta-tech/tempesta/issues/1986" }, { "title": "https://github.com/varnishcache/varnish-cache/issues/3996", "url": "https://github.com/varnishcache/varnish-cache/issues/3996" }, { "title": "https://istio.io/latest/news/security/istio-security-2023-004/", "url": "https://istio.io/latest/news/security/istio-security-2023-004/" }, { "title": "https://ubuntu.com/security/CVE-2023-44487", "url": "https://ubuntu.com/security/CVE-2023-44487" }, { "title": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event", "url": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event" }, { "title": "https://github.com/apache/httpd-site/pull/10", "url": "https://github.com/apache/httpd-site/pull/10" }, { "title": "https://github.com/line/armeria/pull/5232", "url": "https://github.com/line/armeria/pull/5232" }, { "title": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632", "url": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632" }, { "title": "https://github.com/projectcontour/contour/pull/5826", "url": "https://github.com/projectcontour/contour/pull/5826" }, { "title": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/", "url": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/" }, { "title": 
"https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<1.57.0-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Resource Exhaustion", "upgradePath": [], "version": "1.55.1-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "cpes": [], "creationTime": "2023-10-11T04:04:38.629011Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "modificationTime": "2023-10-11T14:31:08.807516Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `nghttp2` package and not the `nghttp2` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nThe HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.\n## Remediation\nUpgrade `Alpine:3.18` `nghttp2` to version 1.57.0-r0 or higher.\n## References\n- [cve@mitre.org](https://aws.amazon.com/security/security-bulletins/AWS-2023-011/)\n- [cve@mitre.org](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [cve@mitre.org](https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/)\n- [cve@mitre.org](https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/)\n- [cve@mitre.org](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37831062)\n- 
[cve@mitre.org](https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/)\n- [cve@mitre.org](https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack)\n- [cve@mitre.org](https://chaos.social/@icing/111210915918780532)\n- [cve@mitre.org](https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764)\n- [cve@mitre.org](https://github.com/alibaba/tengine/issues/1872)\n- [cve@mitre.org](https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2)\n- [cve@mitre.org](https://github.com/bcdannyboy/CVE-2023-44487)\n- [cve@mitre.org](https://github.com/caddyserver/caddy/issues/5877)\n- [cve@mitre.org](https://github.com/eclipse/jetty.project/issues/10679)\n- [cve@mitre.org](https://github.com/envoyproxy/envoy/pull/30055)\n- [cve@mitre.org](https://github.com/haproxy/haproxy/issues/2312)\n- [cve@mitre.org](https://github.com/hyperium/hyper/issues/3337)\n- [cve@mitre.org](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [cve@mitre.org](https://github.com/nghttp2/nghttp2/pull/1961)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37830987)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37830998)\n- [cve@mitre.org](https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/)\n- [cve@mitre.org](https://github.com/grpc/grpc-go/pull/6703)\n- [cve@mitre.org](https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244)\n- [cve@mitre.org](https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0)\n- [cve@mitre.org](https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html)\n- [cve@mitre.org](https://my.f5.com/manage/s/article/K000137106)\n- [cve@mitre.org](https://bugzilla.proxmox.com/show_bug.cgi?id=4988)\n- [cve@mitre.org](https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9)\n- 
[cve@mitre.org](https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/)\n- [cve@mitre.org](https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve)\n- [cve@mitre.org](https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088)\n- [cve@mitre.org](https://github.com/advisories/GHSA-vx74-f528-fxqg)\n- [cve@mitre.org](https://github.com/apache/trafficserver/pull/10564)\n- [cve@mitre.org](https://github.com/dotnet/announcements/issues/277)\n- [cve@mitre.org](https://github.com/facebook/proxygen/pull/466)\n- [cve@mitre.org](https://github.com/golang/go/issues/63417)\n- [cve@mitre.org](https://github.com/h2o/h2o/pull/3291)\n- [cve@mitre.org](https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf)\n- [cve@mitre.org](https://github.com/micrictor/http2-rst-stream)\n- [cve@mitre.org](https://github.com/microsoft/CBL-Mariner/pull/6381)\n- [cve@mitre.org](https://github.com/nodejs/node/pull/50121)\n- [cve@mitre.org](https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo)\n- [cve@mitre.org](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487)\n- [cve@mitre.org](https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/)\n- [cve@mitre.org](https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q)\n- [cve@mitre.org](https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected)\n- [cve@mitre.org](https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14)\n- [cve@mitre.org](https://www.openwall.com/lists/oss-security/2023/10/10/6)\n- [cve@mitre.org](https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73)\n- [cve@mitre.org](https://github.com/advisories/GHSA-xpw8-rcwv-8f8p)\n- [cve@mitre.org](https://github.com/kubernetes/kubernetes/pull/121120)\n- 
[cve@mitre.org](https://github.com/opensearch-project/data-prepper/issues/3474)\n- [cve@mitre.org](https://github.com/oqtane/oqtane.framework/discussions/3367)\n- [cve@mitre.org](https://netty.io/news/2023/10/10/4-1-100-Final.html)\n- [cve@mitre.org](https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487)\n- [cve@mitre.org](https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack)\n- [cve@mitre.org](https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113)\n- [cve@mitre.org](https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1)\n- [cve@mitre.org](https://github.com/kazu-yamamoto/http2/issues/93)\n- [cve@mitre.org](https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37837043)\n- [cve@mitre.org](https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5521)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5522)\n- [cve@mitre.org](https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/)\n- [cve@mitre.org](https://access.redhat.com/security/cve/cve-2023-44487)\n- [cve@mitre.org](https://blog.vespa.ai/cve-2023-44487/)\n- [cve@mitre.org](https://bugzilla.redhat.com/show_bug.cgi?id=2242803)\n- [cve@mitre.org](https://bugzilla.suse.com/show_bug.cgi?id=1216123)\n- [cve@mitre.org](https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125)\n- [cve@mitre.org](https://github.com/advisories/GHSA-qppj-fm5r-hxr3)\n- [cve@mitre.org](https://github.com/etcd-io/etcd/issues/16740)\n- [cve@mitre.org](https://github.com/junkurihara/rust-rpxy/issues/97)\n- [cve@mitre.org](https://github.com/ninenines/cowboy/issues/1615)\n- 
[cve@mitre.org](https://github.com/tempesta-tech/tempesta/issues/1986)\n- [cve@mitre.org](https://github.com/varnishcache/varnish-cache/issues/3996)\n- [cve@mitre.org](https://istio.io/latest/news/security/istio-security-2023-004/)\n- [cve@mitre.org](https://ubuntu.com/security/CVE-2023-44487)\n- [cve@mitre.org](https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event)\n- [cve@mitre.org](https://github.com/apache/httpd-site/pull/10)\n- [cve@mitre.org](https://github.com/line/armeria/pull/5232)\n- [cve@mitre.org](https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632)\n- [cve@mitre.org](https://github.com/projectcontour/contour/pull/5826)\n- [cve@mitre.org](https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:15:10.883000Z", "dockerBaseImage": "ruby:3.2.2-alpine3.18", "dockerfileInstruction": "apk add nodejs", "epssDetails": null, "exploit": "High", "fixedIn": [ "1.57.0-r0" ], "from": [ "docker-image|cyberdojo/shas@*", "curl/curl@8.3.0-r0", "curl/libcurl@8.3.0-r0", "nghttp2/nghttp2-libs@1.55.1-r0" ], "id": "SNYK-ALPINE318-NGHTTP2-5954768", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-12T01:11:09.035012Z", "name": "nghttp2/nghttp2-libs", "nearestFixedInVersion": "1.57.0-r0", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "nghttp2", "patches": [], "publicationTime": "2023-10-11T04:04:38.608135Z", "references": [ { "title": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/", "url": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/" }, { "title": 
"https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/", "url": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/" }, { "title": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/", "url": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/" }, { "title": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "https://news.ycombinator.com/item?id=37831062", "url": "https://news.ycombinator.com/item?id=37831062" }, { "title": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/", "url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/" }, { "title": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack", "url": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack" }, { "title": "https://chaos.social/@icing/111210915918780532", "url": "https://chaos.social/@icing/111210915918780532" }, { "title": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764", "url": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764" }, { "title": "https://github.com/alibaba/tengine/issues/1872", "url": "https://github.com/alibaba/tengine/issues/1872" }, { "title": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2", "url": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2" }, { "title": 
"https://github.com/bcdannyboy/CVE-2023-44487", "url": "https://github.com/bcdannyboy/CVE-2023-44487" }, { "title": "https://github.com/caddyserver/caddy/issues/5877", "url": "https://github.com/caddyserver/caddy/issues/5877" }, { "title": "https://github.com/eclipse/jetty.project/issues/10679", "url": "https://github.com/eclipse/jetty.project/issues/10679" }, { "title": "https://github.com/envoyproxy/envoy/pull/30055", "url": "https://github.com/envoyproxy/envoy/pull/30055" }, { "title": "https://github.com/haproxy/haproxy/issues/2312", "url": "https://github.com/haproxy/haproxy/issues/2312" }, { "title": "https://github.com/hyperium/hyper/issues/3337", "url": "https://github.com/hyperium/hyper/issues/3337" }, { "title": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "https://github.com/nghttp2/nghttp2/pull/1961", "url": "https://github.com/nghttp2/nghttp2/pull/1961" }, { "title": "https://news.ycombinator.com/item?id=37830987", "url": "https://news.ycombinator.com/item?id=37830987" }, { "title": "https://news.ycombinator.com/item?id=37830998", "url": "https://news.ycombinator.com/item?id=37830998" }, { "title": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/", "url": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/" }, { "title": "https://github.com/grpc/grpc-go/pull/6703", "url": "https://github.com/grpc/grpc-go/pull/6703" }, { "title": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1%23L239-L244", "url": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1%23L239-L244" }, { "title": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0", "url": 
"https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0" }, { "title": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html", "url": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html" }, { "title": "https://my.f5.com/manage/s/article/K000137106", "url": "https://my.f5.com/manage/s/article/K000137106" }, { "title": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988", "url": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988" }, { "title": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9", "url": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9" }, { "title": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/", "url": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/" }, { "title": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve", "url": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve" }, { "title": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088", "url": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088" }, { "title": "https://github.com/advisories/GHSA-vx74-f528-fxqg", "url": "https://github.com/advisories/GHSA-vx74-f528-fxqg" }, { "title": "https://github.com/apache/trafficserver/pull/10564", "url": "https://github.com/apache/trafficserver/pull/10564" }, { "title": "https://github.com/dotnet/announcements/issues/277", "url": "https://github.com/dotnet/announcements/issues/277" }, { "title": "https://github.com/facebook/proxygen/pull/466", "url": "https://github.com/facebook/proxygen/pull/466" }, { "title": "https://github.com/golang/go/issues/63417", "url": "https://github.com/golang/go/issues/63417" }, { "title": "https://github.com/h2o/h2o/pull/3291", "url": 
"https://github.com/h2o/h2o/pull/3291" }, { "title": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf", "url": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf" }, { "title": "https://github.com/micrictor/http2-rst-stream", "url": "https://github.com/micrictor/http2-rst-stream" }, { "title": "https://github.com/microsoft/CBL-Mariner/pull/6381", "url": "https://github.com/microsoft/CBL-Mariner/pull/6381" }, { "title": "https://github.com/nodejs/node/pull/50121", "url": "https://github.com/nodejs/node/pull/50121" }, { "title": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo", "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo" }, { "title": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487" }, { "title": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/", "url": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/" }, { "title": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q", "url": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q" }, { "title": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected", "url": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected" }, { "title": "https://tomcat.apache.org/security-10.html%23Fixed_in_Apache_Tomcat_10.1.14", "url": "https://tomcat.apache.org/security-10.html%23Fixed_in_Apache_Tomcat_10.1.14" }, { "title": "https://www.openwall.com/lists/oss-security/2023/10/10/6", "url": "https://www.openwall.com/lists/oss-security/2023/10/10/6" }, { "title": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1%23L73", "url": 
"https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1%23L73" }, { "title": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p", "url": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p" }, { "title": "https://github.com/kubernetes/kubernetes/pull/121120", "url": "https://github.com/kubernetes/kubernetes/pull/121120" }, { "title": "https://github.com/opensearch-project/data-prepper/issues/3474", "url": "https://github.com/opensearch-project/data-prepper/issues/3474" }, { "title": "https://github.com/oqtane/oqtane.framework/discussions/3367", "url": "https://github.com/oqtane/oqtane.framework/discussions/3367" }, { "title": "https://netty.io/news/2023/10/10/4-1-100-Final.html", "url": "https://netty.io/news/2023/10/10/4-1-100-Final.html" }, { "title": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487", "url": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487" }, { "title": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack", "url": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack" }, { "title": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c%23L1101-L1113", "url": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c%23L1101-L1113" }, { "title": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1", "url": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1" }, { "title": "https://github.com/kazu-yamamoto/http2/issues/93", "url": "https://github.com/kazu-yamamoto/http2/issues/93" }, { "title": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html", "url": 
"https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html" }, { "title": "https://news.ycombinator.com/item?id=37837043", "url": "https://news.ycombinator.com/item?id=37837043" }, { "title": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487", "url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487" }, { "title": "https://www.debian.org/security/2023/dsa-5521", "url": "https://www.debian.org/security/2023/dsa-5521" }, { "title": "https://www.debian.org/security/2023/dsa-5522", "url": "https://www.debian.org/security/2023/dsa-5522" }, { "title": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/", "url": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/" }, { "title": "https://access.redhat.com/security/cve/cve-2023-44487", "url": "https://access.redhat.com/security/cve/cve-2023-44487" }, { "title": "https://blog.vespa.ai/cve-2023-44487/", "url": "https://blog.vespa.ai/cve-2023-44487/" }, { "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803" }, { "title": "https://bugzilla.suse.com/show_bug.cgi?id=1216123", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1216123" }, { "title": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125", "url": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125" }, { "title": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", "url": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3" }, { "title": "https://github.com/etcd-io/etcd/issues/16740", "url": "https://github.com/etcd-io/etcd/issues/16740" }, { "title": "https://github.com/junkurihara/rust-rpxy/issues/97", "url": "https://github.com/junkurihara/rust-rpxy/issues/97" }, { "title": "https://github.com/ninenines/cowboy/issues/1615", "url": "https://github.com/ninenines/cowboy/issues/1615" }, { 
"title": "https://github.com/tempesta-tech/tempesta/issues/1986", "url": "https://github.com/tempesta-tech/tempesta/issues/1986" }, { "title": "https://github.com/varnishcache/varnish-cache/issues/3996", "url": "https://github.com/varnishcache/varnish-cache/issues/3996" }, { "title": "https://istio.io/latest/news/security/istio-security-2023-004/", "url": "https://istio.io/latest/news/security/istio-security-2023-004/" }, { "title": "https://ubuntu.com/security/CVE-2023-44487", "url": "https://ubuntu.com/security/CVE-2023-44487" }, { "title": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event", "url": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event" }, { "title": "https://github.com/apache/httpd-site/pull/10", "url": "https://github.com/apache/httpd-site/pull/10" }, { "title": "https://github.com/line/armeria/pull/5232", "url": "https://github.com/line/armeria/pull/5232" }, { "title": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632", "url": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632" }, { "title": "https://github.com/projectcontour/contour/pull/5826", "url": "https://github.com/projectcontour/contour/pull/5826" }, { "title": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/", "url": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/" }, { "title": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<1.57.0-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Resource Exhaustion", "upgradePath": [], "version": "1.55.1-r0" } ] }, "created_at": 1697097977.7158828, "has_audit_package": true } }, "repo_url": "https://github.com/cyber-dojo/shas", 
"template": [ "artifact", "branch-coverage", "snyk-scan" ], "last_modified_at": 1697097977.7158828, "deployments": [ 60, 59 ], "state": "NON-COMPLIANT", "html_url": "https://app.kosli.com/cyber-dojo/flows/shas-archived-at-1705491385/artifacts/eaa2885bdceaeb49372ec734bab19f5e3e2d1ce59661fe6f97ad2d10ee39a8b0", "api_url": "https://app.kosli.com/api/v2/artifacts/cyber-dojo/shas-archived-at-1705491385/fingerprint/eaa2885bdceaeb49372ec734bab19f5e3e2d1ce59661fe6f97ad2d10ee39a8b0" }
Artifact Information |
Name | cyberdojo/shas:81ab491 |
Fingerprint | eaa2885bdceaeb49372ec734bab19f5e3e2d1ce59661fe6f97ad2d10ee39a8b0 |
Git commit | 81ab491 |
CI Build | https://github.com/cyber-dojo/shas/actions/runs/6376298305 |
Running | - |
Exited | aws-beta#1870 aws-prod#1142 |
Last modified | 1697097977.7158828 • 6 months ago |
Approvals
None |
Evidence
Evidence for 'branch-coverage'
{ "evidence_type": "generic", "name": "branch-coverage", "is_compliant": true, "build_url": "https://github.com/cyber-dojo/shas/actions/runs/6376298305", "description": "server & client branch-coverage reports", "user_data": { "client": { "command_name": "Minitest", "groups": { "app": { "branches": { "covered": 1, "missed": 1, "total": 2 }, "lines": { "covered": 52, "missed": 0, "total": 52 } }, "test": { "branches": { "covered": 0, "missed": 0, "total": 0 }, "lines": { "covered": 0, "missed": 0, "total": 0 } } }, "timestamp": 1696224014 }, "server": { "command_name": "Minitest", "groups": { "app": { "branches": { "covered": 0, "missed": 0, "total": 0 }, "lines": { "covered": 69, "missed": 0, "total": 69 } }, "test": { "branches": { "covered": 0, "missed": 0, "total": 0 }, "lines": { "covered": 0, "missed": 0, "total": 0 } } }, "timestamp": 1696224008 } }, "created_at": 1696224034.3924313, "has_audit_package": false }
Evidence for 'snyk-scan'
{ "evidence_type": "snyk", "name": "snyk-scan", "is_compliant": false, "build_url": "https://github.com/cyber-dojo/snyk_scans/actions/runs/6492936605", "evidence_archive_fingerprint": "9d440cce891ab3a302ef52b100fb125529881041853192672140ccf73db597a9", "user_data": {}, "snyk_results": { "applications": [ { "dependencyCount": 0, "displayTargetFile": "/usr/local/bundle/gems/concurrent-ruby-1.2.2/lib/concurrent-ruby/concurrent", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", 
"severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "maven", "path": "cyberdojo/shas@sha256:eaa2885bdceaeb49372ec734bab19f5e3e2d1ce59661fe6f97ad2d10ee39a8b0/shas@sha256:eaa2885bdceaeb49372ec734bab19f5e3e2d1ce59661fe6f97ad2d10ee39a8b0:/usr/local/bundle/gems/concurrent-ruby-1.2.2/lib/concurrent-ruby/concurrent", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n", "projectName": "cyberdojo/shas@sha256:eaa2885bdceaeb49372ec734bab19f5e3e2d1ce59661fe6f97ad2d10ee39a8b0:/usr/local/bundle/gems/concurrent-ruby-1.2.2/lib/concurrent-ruby/concurrent", "severityThreshold": "medium", "summary": "No medium or high or critical severity vulnerabilities", "targetFile": "/usr/local/bundle/gems/concurrent-ruby-1.2.2/lib/concurrent-ruby/concurrent", "uniqueCount": 0, "vulnerabilities": [] } ], "dependencyCount": 80, "docker": { "baseImage": "ruby:3.2.2-alpine3.18", "baseImageRemediation": { "advice": [ { "bold": true, "message": "According to our scan, you are currently using the most secure version of the selected base image" } ], "code": "NO_REMEDIATION_AVAILABLE" }, "binariesVulns": { "affectedPkgs": {}, "issuesData": {} } }, "filesystemPolicy": true, "filtered": { "ignore": [], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": 
"CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": false, "org": "jonjagger", "packageManager": "apk", "path": "cyberdojo/shas@sha256:eaa2885bdceaeb49372ec734bab19f5e3e2d1ce59661fe6f97ad2d10ee39a8b0/shas", "platform": "linux/amd64", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n", "projectName": "docker-image|cyberdojo/shas", "severityThreshold": "medium", "summary": "6 medium or high or critical severity vulnerable dependency paths", "uniqueCount": 2, "vulnerabilities": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L/E:P", "cpes": [], "creationTime": "2023-10-11T11:45:04.817337Z", "credit": [], "cvssDetails": [], "cvssScore": 7.7, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `curl` package and not the `curl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nin the `SOCKS5` proxy handshake process when the hostname is longer than the target buffer.\nThe local variable `socks5_resolve_local` could get the wrong 
value during a slow SOCKS5 handshake.\nSince the code wrongly thinks it should pass on the hostname, even though the hostname is too long to fit, the memory copy can overflow the allocated target buffer. \n\nThis is only exploitable if the SOCKS5 handshake is slow enough to trigger a local variable bug and the client uses a hostname longer than the download buffer.\n\nExploiting this vulnerability could allow an attacker to execute arbitrary code on the target system under certain conditions.\n\n\n**Note:**\n\nAn overflow is only possible in applications that don't set `CURLOPT_BUFFERSIZE` or set it smaller than 65541. \nSince the curl tool sets `CURLOPT_BUFFERSIZE` to 100kB by default, it is not vulnerable unless the user sets the rate limiting to a rate smaller than 65541 bytes/second.\n\nThe options that cause SOCKS5 with remote hostname to be used in `libcurl`:\n\n1) `CURLOPT_PROXYTYPE` set to type `CURLPROXY_SOCKS5_HOSTNAME`, or:\n`CURLOPT_PROXY` or `CURLOPT_PRE_PROXY` set to use the scheme `socks5h://`\n\n2) One of the proxy environment variables can be set to use the `socks5h://` scheme. 
For example, `http_proxy`, `HTTPS_PROXY` or `ALL_PROXY`.\n\n\nThe options that cause SOCKS5 with remote hostname to be used in the `curl` tool:\n\n1) `--socks5-hostname`, `--proxy` or `--preproxy` set to use the scheme `socks5h://`\n\n2) Environment variables as described in the libcurl section.\n\n\n\n**Changelog:**\n\n2023-10-04: Initial publication\n\n2023-10-11: Published updated information, including CWE, CVSS, official references and affected versions range.\n## Remediation\nUpgrade `Alpine:3.18` `curl` to version 8.4.0-r0 or higher.\n", "disclosureTime": null, "dockerBaseImage": "ruby:3.2.2-alpine3.18", "epssDetails": null, "exploit": "Proof of Concept", "fixedIn": [ "8.4.0-r0" ], "from": [ "docker-image|cyberdojo/shas@*", "curl/libcurl@8.3.0-r0" ], "id": "SNYK-ALPINE318-CURL-5958913", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-38545" ], "CWE": [ "CWE-122" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2023-10-12T06:20:00.497141Z", "name": "curl/libcurl", "nearestFixedInVersion": "8.4.0-r0", "nvdSeverity": null, "packageManager": "alpine:3.18", "packageName": "curl", "patches": [], "publicationTime": "2023-10-11T11:43:48.209416Z", "references": [], "relativeImportance": null, "semver": { "vulnerable": [ "<8.4.0-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Heap-based Buffer Overflow", "upgradePath": [ false, "curl/libcurl@8.4.0-r0" ], "version": "8.3.0-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L/E:P", "cpes": [], "creationTime": "2023-10-11T11:45:04.817337Z", "credit": [], "cvssDetails": [], "cvssScore": 7.7, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `curl` package and not the `curl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions 
and status._\n\nin the `SOCKS5` proxy handshake process when the hostname is longer than the target buffer.\nThe local variable `socks5_resolve_local` could get the wrong value during a slow SOCKS5 handshake.\nSince the code wrongly thinks it should pass on the hostname, even though the hostname is too long to fit, the memory copy can overflow the allocated target buffer. \n\nThis is only exploitable if the SOCKS5 handshake is slow enough to trigger a local variable bug and the client uses a hostname longer than the download buffer.\n\nExploiting this vulnerability could allow an attacker to execute arbitrary code on the target system under certain conditions.\n\n\n**Note:**\n\nAn overflow is only possible in applications that don't set `CURLOPT_BUFFERSIZE` or set it smaller than 65541. \nSince the curl tool sets `CURLOPT_BUFFERSIZE` to 100kB by default, it is not vulnerable unless the user sets the rate limiting to a rate smaller than 65541 bytes/second.\n\nThe options that cause SOCKS5 with remote hostname to be used in `libcurl`:\n\n1) `CURLOPT_PROXYTYPE` set to type `CURLPROXY_SOCKS5_HOSTNAME`, or:\n`CURLOPT_PROXY` or `CURLOPT_PRE_PROXY` set to use the scheme `socks5h://`\n\n2) One of the proxy environment variables can be set to use the `socks5h://` scheme. 
For example, `http_proxy`, `HTTPS_PROXY` or `ALL_PROXY`.\n\n\nThe options that cause SOCKS5 with remote hostname to be used in the `curl` tool:\n\n1) `--socks5-hostname`, `--proxy` or `--preproxy` set to use the scheme `socks5h://`\n\n2) Environment variables as described in the libcurl section.\n\n\n\n**Changelog:**\n\n2023-10-04: Initial publication\n\n2023-10-11: Published updated information, including CWE, CVSS, official references and affected versions range.\n## Remediation\nUpgrade `Alpine:3.18` `curl` to version 8.4.0-r0 or higher.\n", "disclosureTime": null, "dockerBaseImage": "ruby:3.2.2-alpine3.18", "epssDetails": null, "exploit": "Proof of Concept", "fixedIn": [ "8.4.0-r0" ], "from": [ "docker-image|cyberdojo/shas@*", "curl/curl@8.3.0-r0", "curl/libcurl@8.3.0-r0" ], "id": "SNYK-ALPINE318-CURL-5958913", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-38545" ], "CWE": [ "CWE-122" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-12T06:20:00.497141Z", "name": "curl/libcurl", "nearestFixedInVersion": "8.4.0-r0", "nvdSeverity": null, "packageManager": "alpine:3.18", "packageName": "curl", "patches": [], "publicationTime": "2023-10-11T11:43:48.209416Z", "references": [], "relativeImportance": null, "semver": { "vulnerable": [ "<8.4.0-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Heap-based Buffer Overflow", "upgradePath": [], "version": "8.3.0-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L/E:P", "cpes": [], "creationTime": "2023-10-11T11:45:04.817337Z", "credit": [], "cvssDetails": [], "cvssScore": 7.7, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `curl` package and not the `curl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and 
status._\n\nA heap-based buffer overflow can occur in the `SOCKS5` proxy handshake process when the hostname is longer than the target buffer.\nThe local variable `socks5_resolve_local` could get the wrong value during a slow SOCKS5 handshake.\nSince the code wrongly thinks it should pass on the hostname, even though the hostname is too long to fit, the memory copy can overflow the allocated target buffer. \n\nThis is only exploitable if the SOCKS5 handshake is slow enough to trigger a local variable bug and the client uses a hostname longer than the download buffer.\n\nExploiting this vulnerability could allow an attacker to execute arbitrary code on the target system under certain conditions.\n\n\n**Note:**\n\nAn overflow is only possible in applications that don't set `CURLOPT_BUFFERSIZE` or set it smaller than 65541. \nSince the curl tool sets `CURLOPT_BUFFERSIZE` to 100kB by default, it is not vulnerable unless the user sets the rate limiting to a rate smaller than 65541 bytes/second.\n\nThe options that cause SOCKS5 with remote hostname to be used in `libcurl`:\n\n1) `CURLOPT_PROXYTYPE` set to type `CURLPROXY_SOCKS5_HOSTNAME`, or:\n`CURLOPT_PROXY` or `CURLOPT_PRE_PROXY` set to use the scheme `socks5h://`\n\n2) One of the proxy environment variables can be set to use the `socks5h://` scheme. 
For example, `http_proxy`, `HTTPS_PROXY` or `ALL_PROXY`.\n\n\nThe options that cause SOCKS5 with remote hostname to be used in the `curl` tool:\n\n1) `--socks5-hostname`, `--proxy` or `--preproxy` set to use the scheme `socks5h://`\n\n2) Environment variables as described in the libcurl section.\n\n\n\n**Changelog:**\n\n2023-10-04: Initial publication\n\n2023-10-11: Published updated information, including CWE, CVSS, official references and affected versions range.\n## Remediation\nUpgrade `Alpine:3.18` `curl` to version 8.4.0-r0 or higher.\n", "disclosureTime": null, "dockerBaseImage": "ruby:3.2.2-alpine3.18", "epssDetails": null, "exploit": "Proof of Concept", "fixedIn": [ "8.4.0-r0" ], "from": [ "docker-image|cyberdojo/shas@*", "curl/curl@8.3.0-r0" ], "id": "SNYK-ALPINE318-CURL-5958913", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-38545" ], "CWE": [ "CWE-122" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2023-10-12T06:20:00.497141Z", "name": "curl/curl", "nearestFixedInVersion": "8.4.0-r0", "nvdSeverity": null, "packageManager": "alpine:3.18", "packageName": "curl", "patches": [], "publicationTime": "2023-10-11T11:43:48.209416Z", "references": [], "relativeImportance": null, "semver": { "vulnerable": [ "<8.4.0-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Heap-based Buffer Overflow", "upgradePath": [ false, "curl/curl@8.4.0-r0" ], "version": "8.3.0-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "cpes": [], "creationTime": "2023-10-11T04:04:38.629011Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "modificationTime": "2023-10-11T14:31:08.807516Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned 
in the description apply only to the upstream `nghttp2` package and not the `nghttp2` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nThe HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.\n## Remediation\nUpgrade `Alpine:3.18` `nghttp2` to version 1.57.0-r0 or higher.\n## References\n- [cve@mitre.org](https://aws.amazon.com/security/security-bulletins/AWS-2023-011/)\n- [cve@mitre.org](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [cve@mitre.org](https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/)\n- [cve@mitre.org](https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/)\n- [cve@mitre.org](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37831062)\n- [cve@mitre.org](https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/)\n- [cve@mitre.org](https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack)\n- [cve@mitre.org](https://chaos.social/@icing/111210915918780532)\n- [cve@mitre.org](https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764)\n- [cve@mitre.org](https://github.com/alibaba/tengine/issues/1872)\n- [cve@mitre.org](https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2)\n- [cve@mitre.org](https://github.com/bcdannyboy/CVE-2023-44487)\n- [cve@mitre.org](https://github.com/caddyserver/caddy/issues/5877)\n- [cve@mitre.org](https://github.com/eclipse/jetty.project/issues/10679)\n- [cve@mitre.org](https://github.com/envoyproxy/envoy/pull/30055)\n- [cve@mitre.org](https://github.com/haproxy/haproxy/issues/2312)\n- 
[cve@mitre.org](https://github.com/hyperium/hyper/issues/3337)\n- [cve@mitre.org](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [cve@mitre.org](https://github.com/nghttp2/nghttp2/pull/1961)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37830987)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37830998)\n- [cve@mitre.org](https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/)\n- [cve@mitre.org](https://github.com/grpc/grpc-go/pull/6703)\n- [cve@mitre.org](https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244)\n- [cve@mitre.org](https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0)\n- [cve@mitre.org](https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html)\n- [cve@mitre.org](https://my.f5.com/manage/s/article/K000137106)\n- [cve@mitre.org](https://bugzilla.proxmox.com/show_bug.cgi?id=4988)\n- [cve@mitre.org](https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9)\n- [cve@mitre.org](https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/)\n- [cve@mitre.org](https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve)\n- [cve@mitre.org](https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088)\n- [cve@mitre.org](https://github.com/advisories/GHSA-vx74-f528-fxqg)\n- [cve@mitre.org](https://github.com/apache/trafficserver/pull/10564)\n- [cve@mitre.org](https://github.com/dotnet/announcements/issues/277)\n- [cve@mitre.org](https://github.com/facebook/proxygen/pull/466)\n- [cve@mitre.org](https://github.com/golang/go/issues/63417)\n- [cve@mitre.org](https://github.com/h2o/h2o/pull/3291)\n- [cve@mitre.org](https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf)\n- [cve@mitre.org](https://github.com/micrictor/http2-rst-stream)\n- 
[cve@mitre.org](https://github.com/microsoft/CBL-Mariner/pull/6381)\n- [cve@mitre.org](https://github.com/nodejs/node/pull/50121)\n- [cve@mitre.org](https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo)\n- [cve@mitre.org](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487)\n- [cve@mitre.org](https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/)\n- [cve@mitre.org](https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q)\n- [cve@mitre.org](https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected)\n- [cve@mitre.org](https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14)\n- [cve@mitre.org](https://www.openwall.com/lists/oss-security/2023/10/10/6)\n- [cve@mitre.org](https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73)\n- [cve@mitre.org](https://github.com/advisories/GHSA-xpw8-rcwv-8f8p)\n- [cve@mitre.org](https://github.com/kubernetes/kubernetes/pull/121120)\n- [cve@mitre.org](https://github.com/opensearch-project/data-prepper/issues/3474)\n- [cve@mitre.org](https://github.com/oqtane/oqtane.framework/discussions/3367)\n- [cve@mitre.org](https://netty.io/news/2023/10/10/4-1-100-Final.html)\n- [cve@mitre.org](https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487)\n- [cve@mitre.org](https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack)\n- [cve@mitre.org](https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113)\n- [cve@mitre.org](https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1)\n- [cve@mitre.org](https://github.com/kazu-yamamoto/http2/issues/93)\n- [cve@mitre.org](https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html)\n- 
[cve@mitre.org](https://news.ycombinator.com/item?id=37837043)\n- [cve@mitre.org](https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5521)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5522)\n- [cve@mitre.org](https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/)\n- [cve@mitre.org](https://access.redhat.com/security/cve/cve-2023-44487)\n- [cve@mitre.org](https://blog.vespa.ai/cve-2023-44487/)\n- [cve@mitre.org](https://bugzilla.redhat.com/show_bug.cgi?id=2242803)\n- [cve@mitre.org](https://bugzilla.suse.com/show_bug.cgi?id=1216123)\n- [cve@mitre.org](https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125)\n- [cve@mitre.org](https://github.com/advisories/GHSA-qppj-fm5r-hxr3)\n- [cve@mitre.org](https://github.com/etcd-io/etcd/issues/16740)\n- [cve@mitre.org](https://github.com/junkurihara/rust-rpxy/issues/97)\n- [cve@mitre.org](https://github.com/ninenines/cowboy/issues/1615)\n- [cve@mitre.org](https://github.com/tempesta-tech/tempesta/issues/1986)\n- [cve@mitre.org](https://github.com/varnishcache/varnish-cache/issues/3996)\n- [cve@mitre.org](https://istio.io/latest/news/security/istio-security-2023-004/)\n- [cve@mitre.org](https://ubuntu.com/security/CVE-2023-44487)\n- [cve@mitre.org](https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event)\n- [cve@mitre.org](https://github.com/apache/httpd-site/pull/10)\n- [cve@mitre.org](https://github.com/line/armeria/pull/5232)\n- [cve@mitre.org](https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632)\n- [cve@mitre.org](https://github.com/projectcontour/contour/pull/5826)\n- [cve@mitre.org](https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": 
"2023-10-10T14:15:10.883000Z", "dockerBaseImage": "ruby:3.2.2-alpine3.18", "dockerfileInstruction": "apk add nodejs", "epssDetails": null, "exploit": "High", "fixedIn": [ "1.57.0-r0" ], "from": [ "docker-image|cyberdojo/shas@*", "nghttp2/nghttp2-libs@1.55.1-r0" ], "id": "SNYK-ALPINE318-NGHTTP2-5954768", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2023-10-12T01:11:09.035012Z", "name": "nghttp2/nghttp2-libs", "nearestFixedInVersion": "1.57.0-r0", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "nghttp2", "patches": [], "publicationTime": "2023-10-11T04:04:38.608135Z", "references": [ { "title": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/", "url": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/" }, { "title": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/", "url": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/" }, { "title": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/", "url": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/" }, { "title": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "https://news.ycombinator.com/item?id=37831062", "url": 
"https://news.ycombinator.com/item?id=37831062" }, { "title": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/", "url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/" }, { "title": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack", "url": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack" }, { "title": "https://chaos.social/@icing/111210915918780532", "url": "https://chaos.social/@icing/111210915918780532" }, { "title": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764", "url": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764" }, { "title": "https://github.com/alibaba/tengine/issues/1872", "url": "https://github.com/alibaba/tengine/issues/1872" }, { "title": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2", "url": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2" }, { "title": "https://github.com/bcdannyboy/CVE-2023-44487", "url": "https://github.com/bcdannyboy/CVE-2023-44487" }, { "title": "https://github.com/caddyserver/caddy/issues/5877", "url": "https://github.com/caddyserver/caddy/issues/5877" }, { "title": "https://github.com/eclipse/jetty.project/issues/10679", "url": "https://github.com/eclipse/jetty.project/issues/10679" }, { "title": "https://github.com/envoyproxy/envoy/pull/30055", "url": "https://github.com/envoyproxy/envoy/pull/30055" }, { "title": "https://github.com/haproxy/haproxy/issues/2312", "url": "https://github.com/haproxy/haproxy/issues/2312" }, { "title": "https://github.com/hyperium/hyper/issues/3337", "url": "https://github.com/hyperium/hyper/issues/3337" }, { "title": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "https://github.com/nghttp2/nghttp2/pull/1961", "url": 
"https://github.com/nghttp2/nghttp2/pull/1961" }, { "title": "https://news.ycombinator.com/item?id=37830987", "url": "https://news.ycombinator.com/item?id=37830987" }, { "title": "https://news.ycombinator.com/item?id=37830998", "url": "https://news.ycombinator.com/item?id=37830998" }, { "title": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/", "url": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/" }, { "title": "https://github.com/grpc/grpc-go/pull/6703", "url": "https://github.com/grpc/grpc-go/pull/6703" }, { "title": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1%23L239-L244", "url": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1%23L239-L244" }, { "title": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0", "url": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0" }, { "title": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html", "url": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html" }, { "title": "https://my.f5.com/manage/s/article/K000137106", "url": "https://my.f5.com/manage/s/article/K000137106" }, { "title": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988", "url": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988" }, { "title": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9", "url": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9" }, { "title": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/", "url": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/" }, { "title": 
"https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve", "url": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve" }, { "title": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088", "url": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088" }, { "title": "https://github.com/advisories/GHSA-vx74-f528-fxqg", "url": "https://github.com/advisories/GHSA-vx74-f528-fxqg" }, { "title": "https://github.com/apache/trafficserver/pull/10564", "url": "https://github.com/apache/trafficserver/pull/10564" }, { "title": "https://github.com/dotnet/announcements/issues/277", "url": "https://github.com/dotnet/announcements/issues/277" }, { "title": "https://github.com/facebook/proxygen/pull/466", "url": "https://github.com/facebook/proxygen/pull/466" }, { "title": "https://github.com/golang/go/issues/63417", "url": "https://github.com/golang/go/issues/63417" }, { "title": "https://github.com/h2o/h2o/pull/3291", "url": "https://github.com/h2o/h2o/pull/3291" }, { "title": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf", "url": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf" }, { "title": "https://github.com/micrictor/http2-rst-stream", "url": "https://github.com/micrictor/http2-rst-stream" }, { "title": "https://github.com/microsoft/CBL-Mariner/pull/6381", "url": "https://github.com/microsoft/CBL-Mariner/pull/6381" }, { "title": "https://github.com/nodejs/node/pull/50121", "url": "https://github.com/nodejs/node/pull/50121" }, { "title": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo", "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo" }, { "title": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487" }, { "title": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/", "url": 
"https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/" }, { "title": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q", "url": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q" }, { "title": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected", "url": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected" }, { "title": "https://tomcat.apache.org/security-10.html%23Fixed_in_Apache_Tomcat_10.1.14", "url": "https://tomcat.apache.org/security-10.html%23Fixed_in_Apache_Tomcat_10.1.14" }, { "title": "https://www.openwall.com/lists/oss-security/2023/10/10/6", "url": "https://www.openwall.com/lists/oss-security/2023/10/10/6" }, { "title": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1%23L73", "url": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1%23L73" }, { "title": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p", "url": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p" }, { "title": "https://github.com/kubernetes/kubernetes/pull/121120", "url": "https://github.com/kubernetes/kubernetes/pull/121120" }, { "title": "https://github.com/opensearch-project/data-prepper/issues/3474", "url": "https://github.com/opensearch-project/data-prepper/issues/3474" }, { "title": "https://github.com/oqtane/oqtane.framework/discussions/3367", "url": "https://github.com/oqtane/oqtane.framework/discussions/3367" }, { "title": "https://netty.io/news/2023/10/10/4-1-100-Final.html", "url": "https://netty.io/news/2023/10/10/4-1-100-Final.html" }, { "title": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487", "url": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487" }, { "title": 
"https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack", "url": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack" }, { "title": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c%23L1101-L1113", "url": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c%23L1101-L1113" }, { "title": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1", "url": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1" }, { "title": "https://github.com/kazu-yamamoto/http2/issues/93", "url": "https://github.com/kazu-yamamoto/http2/issues/93" }, { "title": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html", "url": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html" }, { "title": "https://news.ycombinator.com/item?id=37837043", "url": "https://news.ycombinator.com/item?id=37837043" }, { "title": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487", "url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487" }, { "title": "https://www.debian.org/security/2023/dsa-5521", "url": "https://www.debian.org/security/2023/dsa-5521" }, { "title": "https://www.debian.org/security/2023/dsa-5522", "url": "https://www.debian.org/security/2023/dsa-5522" }, { "title": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/", "url": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/" }, { "title": "https://access.redhat.com/security/cve/cve-2023-44487", "url": "https://access.redhat.com/security/cve/cve-2023-44487" }, { "title": "https://blog.vespa.ai/cve-2023-44487/", "url": "https://blog.vespa.ai/cve-2023-44487/" }, { 
"title": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803" }, { "title": "https://bugzilla.suse.com/show_bug.cgi?id=1216123", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1216123" }, { "title": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125", "url": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125" }, { "title": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", "url": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3" }, { "title": "https://github.com/etcd-io/etcd/issues/16740", "url": "https://github.com/etcd-io/etcd/issues/16740" }, { "title": "https://github.com/junkurihara/rust-rpxy/issues/97", "url": "https://github.com/junkurihara/rust-rpxy/issues/97" }, { "title": "https://github.com/ninenines/cowboy/issues/1615", "url": "https://github.com/ninenines/cowboy/issues/1615" }, { "title": "https://github.com/tempesta-tech/tempesta/issues/1986", "url": "https://github.com/tempesta-tech/tempesta/issues/1986" }, { "title": "https://github.com/varnishcache/varnish-cache/issues/3996", "url": "https://github.com/varnishcache/varnish-cache/issues/3996" }, { "title": "https://istio.io/latest/news/security/istio-security-2023-004/", "url": "https://istio.io/latest/news/security/istio-security-2023-004/" }, { "title": "https://ubuntu.com/security/CVE-2023-44487", "url": "https://ubuntu.com/security/CVE-2023-44487" }, { "title": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event", "url": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event" }, { "title": "https://github.com/apache/httpd-site/pull/10", "url": "https://github.com/apache/httpd-site/pull/10" }, { "title": "https://github.com/line/armeria/pull/5232", "url": "https://github.com/line/armeria/pull/5232" }, { "title": 
"https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632", "url": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632" }, { "title": "https://github.com/projectcontour/contour/pull/5826", "url": "https://github.com/projectcontour/contour/pull/5826" }, { "title": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/", "url": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/" }, { "title": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<1.57.0-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Resource Exhaustion", "upgradePath": [ false, "nghttp2/nghttp2-libs@1.57.0-r0" ], "version": "1.55.1-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "cpes": [], "creationTime": "2023-10-11T04:04:38.629011Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "modificationTime": "2023-10-11T14:31:08.807516Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `nghttp2` package and not the `nghttp2` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nThe HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.\n## Remediation\nUpgrade `Alpine:3.18` `nghttp2` to version 1.57.0-r0 or higher.\n## References\n- [cve@mitre.org](https://aws.amazon.com/security/security-bulletins/AWS-2023-011/)\n- 
[cve@mitre.org](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [cve@mitre.org](https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/)\n- [cve@mitre.org](https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/)\n- [cve@mitre.org](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37831062)\n- [cve@mitre.org](https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/)\n- [cve@mitre.org](https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack)\n- [cve@mitre.org](https://chaos.social/@icing/111210915918780532)\n- [cve@mitre.org](https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764)\n- [cve@mitre.org](https://github.com/alibaba/tengine/issues/1872)\n- [cve@mitre.org](https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2)\n- [cve@mitre.org](https://github.com/bcdannyboy/CVE-2023-44487)\n- [cve@mitre.org](https://github.com/caddyserver/caddy/issues/5877)\n- [cve@mitre.org](https://github.com/eclipse/jetty.project/issues/10679)\n- [cve@mitre.org](https://github.com/envoyproxy/envoy/pull/30055)\n- [cve@mitre.org](https://github.com/haproxy/haproxy/issues/2312)\n- [cve@mitre.org](https://github.com/hyperium/hyper/issues/3337)\n- [cve@mitre.org](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [cve@mitre.org](https://github.com/nghttp2/nghttp2/pull/1961)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37830987)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37830998)\n- [cve@mitre.org](https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/)\n- [cve@mitre.org](https://github.com/grpc/grpc-go/pull/6703)\n- 
[cve@mitre.org](https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244)\n- [cve@mitre.org](https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0)\n- [cve@mitre.org](https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html)\n- [cve@mitre.org](https://my.f5.com/manage/s/article/K000137106)\n- [cve@mitre.org](https://bugzilla.proxmox.com/show_bug.cgi?id=4988)\n- [cve@mitre.org](https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9)\n- [cve@mitre.org](https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/)\n- [cve@mitre.org](https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve)\n- [cve@mitre.org](https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088)\n- [cve@mitre.org](https://github.com/advisories/GHSA-vx74-f528-fxqg)\n- [cve@mitre.org](https://github.com/apache/trafficserver/pull/10564)\n- [cve@mitre.org](https://github.com/dotnet/announcements/issues/277)\n- [cve@mitre.org](https://github.com/facebook/proxygen/pull/466)\n- [cve@mitre.org](https://github.com/golang/go/issues/63417)\n- [cve@mitre.org](https://github.com/h2o/h2o/pull/3291)\n- [cve@mitre.org](https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf)\n- [cve@mitre.org](https://github.com/micrictor/http2-rst-stream)\n- [cve@mitre.org](https://github.com/microsoft/CBL-Mariner/pull/6381)\n- [cve@mitre.org](https://github.com/nodejs/node/pull/50121)\n- [cve@mitre.org](https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo)\n- [cve@mitre.org](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487)\n- [cve@mitre.org](https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/)\n- [cve@mitre.org](https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q)\n- 
[cve@mitre.org](https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected)\n- [cve@mitre.org](https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14)\n- [cve@mitre.org](https://www.openwall.com/lists/oss-security/2023/10/10/6)\n- [cve@mitre.org](https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73)\n- [cve@mitre.org](https://github.com/advisories/GHSA-xpw8-rcwv-8f8p)\n- [cve@mitre.org](https://github.com/kubernetes/kubernetes/pull/121120)\n- [cve@mitre.org](https://github.com/opensearch-project/data-prepper/issues/3474)\n- [cve@mitre.org](https://github.com/oqtane/oqtane.framework/discussions/3367)\n- [cve@mitre.org](https://netty.io/news/2023/10/10/4-1-100-Final.html)\n- [cve@mitre.org](https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487)\n- [cve@mitre.org](https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack)\n- [cve@mitre.org](https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113)\n- [cve@mitre.org](https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1)\n- [cve@mitre.org](https://github.com/kazu-yamamoto/http2/issues/93)\n- [cve@mitre.org](https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37837043)\n- [cve@mitre.org](https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5521)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5522)\n- [cve@mitre.org](https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/)\n- [cve@mitre.org](https://access.redhat.com/security/cve/cve-2023-44487)\n- 
[cve@mitre.org](https://blog.vespa.ai/cve-2023-44487/)\n- [cve@mitre.org](https://bugzilla.redhat.com/show_bug.cgi?id=2242803)\n- [cve@mitre.org](https://bugzilla.suse.com/show_bug.cgi?id=1216123)\n- [cve@mitre.org](https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125)\n- [cve@mitre.org](https://github.com/advisories/GHSA-qppj-fm5r-hxr3)\n- [cve@mitre.org](https://github.com/etcd-io/etcd/issues/16740)\n- [cve@mitre.org](https://github.com/junkurihara/rust-rpxy/issues/97)\n- [cve@mitre.org](https://github.com/ninenines/cowboy/issues/1615)\n- [cve@mitre.org](https://github.com/tempesta-tech/tempesta/issues/1986)\n- [cve@mitre.org](https://github.com/varnishcache/varnish-cache/issues/3996)\n- [cve@mitre.org](https://istio.io/latest/news/security/istio-security-2023-004/)\n- [cve@mitre.org](https://ubuntu.com/security/CVE-2023-44487)\n- [cve@mitre.org](https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event)\n- [cve@mitre.org](https://github.com/apache/httpd-site/pull/10)\n- [cve@mitre.org](https://github.com/line/armeria/pull/5232)\n- [cve@mitre.org](https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632)\n- [cve@mitre.org](https://github.com/projectcontour/contour/pull/5826)\n- [cve@mitre.org](https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:15:10.883000Z", "dockerBaseImage": "ruby:3.2.2-alpine3.18", "dockerfileInstruction": "apk add nodejs", "epssDetails": null, "exploit": "High", "fixedIn": [ "1.57.0-r0" ], "from": [ "docker-image|cyberdojo/shas@*", "nodejs/nodejs@18.17.1-r0", "nghttp2/nghttp2-libs@1.55.1-r0" ], "id": "SNYK-ALPINE318-NGHTTP2-5954768", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, 
"isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-12T01:11:09.035012Z", "name": "nghttp2/nghttp2-libs", "nearestFixedInVersion": "1.57.0-r0", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "nghttp2", "patches": [], "publicationTime": "2023-10-11T04:04:38.608135Z", "references": [ { "title": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/", "url": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/" }, { "title": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/", "url": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/" }, { "title": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/", "url": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/" }, { "title": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "https://news.ycombinator.com/item?id=37831062", "url": "https://news.ycombinator.com/item?id=37831062" }, { "title": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/", "url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/" }, { "title": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack", "url": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack" }, { "title": "https://chaos.social/@icing/111210915918780532", "url": "https://chaos.social/@icing/111210915918780532" 
}, { "title": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764", "url": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764" }, { "title": "https://github.com/alibaba/tengine/issues/1872", "url": "https://github.com/alibaba/tengine/issues/1872" }, { "title": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2", "url": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2" }, { "title": "https://github.com/bcdannyboy/CVE-2023-44487", "url": "https://github.com/bcdannyboy/CVE-2023-44487" }, { "title": "https://github.com/caddyserver/caddy/issues/5877", "url": "https://github.com/caddyserver/caddy/issues/5877" }, { "title": "https://github.com/eclipse/jetty.project/issues/10679", "url": "https://github.com/eclipse/jetty.project/issues/10679" }, { "title": "https://github.com/envoyproxy/envoy/pull/30055", "url": "https://github.com/envoyproxy/envoy/pull/30055" }, { "title": "https://github.com/haproxy/haproxy/issues/2312", "url": "https://github.com/haproxy/haproxy/issues/2312" }, { "title": "https://github.com/hyperium/hyper/issues/3337", "url": "https://github.com/hyperium/hyper/issues/3337" }, { "title": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "https://github.com/nghttp2/nghttp2/pull/1961", "url": "https://github.com/nghttp2/nghttp2/pull/1961" }, { "title": "https://news.ycombinator.com/item?id=37830987", "url": "https://news.ycombinator.com/item?id=37830987" }, { "title": "https://news.ycombinator.com/item?id=37830998", "url": "https://news.ycombinator.com/item?id=37830998" }, { "title": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/", "url": 
"https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/" }, { "title": "https://github.com/grpc/grpc-go/pull/6703", "url": "https://github.com/grpc/grpc-go/pull/6703" }, { "title": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1%23L239-L244", "url": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1%23L239-L244" }, { "title": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0", "url": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0" }, { "title": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html", "url": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html" }, { "title": "https://my.f5.com/manage/s/article/K000137106", "url": "https://my.f5.com/manage/s/article/K000137106" }, { "title": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988", "url": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988" }, { "title": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9", "url": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9" }, { "title": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/", "url": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/" }, { "title": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve", "url": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve" }, { "title": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088", "url": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088" }, { "title": "https://github.com/advisories/GHSA-vx74-f528-fxqg", "url": "https://github.com/advisories/GHSA-vx74-f528-fxqg" }, { 
"title": "https://github.com/apache/trafficserver/pull/10564", "url": "https://github.com/apache/trafficserver/pull/10564" }, { "title": "https://github.com/dotnet/announcements/issues/277", "url": "https://github.com/dotnet/announcements/issues/277" }, { "title": "https://github.com/facebook/proxygen/pull/466", "url": "https://github.com/facebook/proxygen/pull/466" }, { "title": "https://github.com/golang/go/issues/63417", "url": "https://github.com/golang/go/issues/63417" }, { "title": "https://github.com/h2o/h2o/pull/3291", "url": "https://github.com/h2o/h2o/pull/3291" }, { "title": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf", "url": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf" }, { "title": "https://github.com/micrictor/http2-rst-stream", "url": "https://github.com/micrictor/http2-rst-stream" }, { "title": "https://github.com/microsoft/CBL-Mariner/pull/6381", "url": "https://github.com/microsoft/CBL-Mariner/pull/6381" }, { "title": "https://github.com/nodejs/node/pull/50121", "url": "https://github.com/nodejs/node/pull/50121" }, { "title": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo", "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo" }, { "title": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487" }, { "title": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/", "url": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/" }, { "title": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q", "url": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q" }, { "title": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected", "url": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected" }, { "title": 
"https://tomcat.apache.org/security-10.html%23Fixed_in_Apache_Tomcat_10.1.14", "url": "https://tomcat.apache.org/security-10.html%23Fixed_in_Apache_Tomcat_10.1.14" }, { "title": "https://www.openwall.com/lists/oss-security/2023/10/10/6", "url": "https://www.openwall.com/lists/oss-security/2023/10/10/6" }, { "title": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1%23L73", "url": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1%23L73" }, { "title": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p", "url": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p" }, { "title": "https://github.com/kubernetes/kubernetes/pull/121120", "url": "https://github.com/kubernetes/kubernetes/pull/121120" }, { "title": "https://github.com/opensearch-project/data-prepper/issues/3474", "url": "https://github.com/opensearch-project/data-prepper/issues/3474" }, { "title": "https://github.com/oqtane/oqtane.framework/discussions/3367", "url": "https://github.com/oqtane/oqtane.framework/discussions/3367" }, { "title": "https://netty.io/news/2023/10/10/4-1-100-Final.html", "url": "https://netty.io/news/2023/10/10/4-1-100-Final.html" }, { "title": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487", "url": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487" }, { "title": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack", "url": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack" }, { "title": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c%23L1101-L1113", "url": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c%23L1101-L1113" }, 
{ "title": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1", "url": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1" }, { "title": "https://github.com/kazu-yamamoto/http2/issues/93", "url": "https://github.com/kazu-yamamoto/http2/issues/93" }, { "title": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html", "url": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html" }, { "title": "https://news.ycombinator.com/item?id=37837043", "url": "https://news.ycombinator.com/item?id=37837043" }, { "title": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487", "url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487" }, { "title": "https://www.debian.org/security/2023/dsa-5521", "url": "https://www.debian.org/security/2023/dsa-5521" }, { "title": "https://www.debian.org/security/2023/dsa-5522", "url": "https://www.debian.org/security/2023/dsa-5522" }, { "title": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/", "url": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/" }, { "title": "https://access.redhat.com/security/cve/cve-2023-44487", "url": "https://access.redhat.com/security/cve/cve-2023-44487" }, { "title": "https://blog.vespa.ai/cve-2023-44487/", "url": "https://blog.vespa.ai/cve-2023-44487/" }, { "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803" }, { "title": "https://bugzilla.suse.com/show_bug.cgi?id=1216123", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1216123" }, { "title": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125", "url": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125" }, { "title": 
"https://github.com/advisories/GHSA-qppj-fm5r-hxr3", "url": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3" }, { "title": "https://github.com/etcd-io/etcd/issues/16740", "url": "https://github.com/etcd-io/etcd/issues/16740" }, { "title": "https://github.com/junkurihara/rust-rpxy/issues/97", "url": "https://github.com/junkurihara/rust-rpxy/issues/97" }, { "title": "https://github.com/ninenines/cowboy/issues/1615", "url": "https://github.com/ninenines/cowboy/issues/1615" }, { "title": "https://github.com/tempesta-tech/tempesta/issues/1986", "url": "https://github.com/tempesta-tech/tempesta/issues/1986" }, { "title": "https://github.com/varnishcache/varnish-cache/issues/3996", "url": "https://github.com/varnishcache/varnish-cache/issues/3996" }, { "title": "https://istio.io/latest/news/security/istio-security-2023-004/", "url": "https://istio.io/latest/news/security/istio-security-2023-004/" }, { "title": "https://ubuntu.com/security/CVE-2023-44487", "url": "https://ubuntu.com/security/CVE-2023-44487" }, { "title": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event", "url": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event" }, { "title": "https://github.com/apache/httpd-site/pull/10", "url": "https://github.com/apache/httpd-site/pull/10" }, { "title": "https://github.com/line/armeria/pull/5232", "url": "https://github.com/line/armeria/pull/5232" }, { "title": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632", "url": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632" }, { "title": "https://github.com/projectcontour/contour/pull/5826", "url": "https://github.com/projectcontour/contour/pull/5826" }, { "title": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/", "url": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/" }, { "title": 
"https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<1.57.0-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Resource Exhaustion", "upgradePath": [], "version": "1.55.1-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "cpes": [], "creationTime": "2023-10-11T04:04:38.629011Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "modificationTime": "2023-10-11T14:31:08.807516Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `nghttp2` package and not the `nghttp2` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nThe HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.\n## Remediation\nUpgrade `Alpine:3.18` `nghttp2` to version 1.57.0-r0 or higher.\n## References\n- [cve@mitre.org](https://aws.amazon.com/security/security-bulletins/AWS-2023-011/)\n- [cve@mitre.org](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [cve@mitre.org](https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/)\n- [cve@mitre.org](https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/)\n- [cve@mitre.org](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37831062)\n- 
[cve@mitre.org](https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/)\n- [cve@mitre.org](https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack)\n- [cve@mitre.org](https://chaos.social/@icing/111210915918780532)\n- [cve@mitre.org](https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764)\n- [cve@mitre.org](https://github.com/alibaba/tengine/issues/1872)\n- [cve@mitre.org](https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2)\n- [cve@mitre.org](https://github.com/bcdannyboy/CVE-2023-44487)\n- [cve@mitre.org](https://github.com/caddyserver/caddy/issues/5877)\n- [cve@mitre.org](https://github.com/eclipse/jetty.project/issues/10679)\n- [cve@mitre.org](https://github.com/envoyproxy/envoy/pull/30055)\n- [cve@mitre.org](https://github.com/haproxy/haproxy/issues/2312)\n- [cve@mitre.org](https://github.com/hyperium/hyper/issues/3337)\n- [cve@mitre.org](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [cve@mitre.org](https://github.com/nghttp2/nghttp2/pull/1961)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37830987)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37830998)\n- [cve@mitre.org](https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/)\n- [cve@mitre.org](https://github.com/grpc/grpc-go/pull/6703)\n- [cve@mitre.org](https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244)\n- [cve@mitre.org](https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0)\n- [cve@mitre.org](https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html)\n- [cve@mitre.org](https://my.f5.com/manage/s/article/K000137106)\n- [cve@mitre.org](https://bugzilla.proxmox.com/show_bug.cgi?id=4988)\n- [cve@mitre.org](https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9)\n- 
[cve@mitre.org](https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/)\n- [cve@mitre.org](https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve)\n- [cve@mitre.org](https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088)\n- [cve@mitre.org](https://github.com/advisories/GHSA-vx74-f528-fxqg)\n- [cve@mitre.org](https://github.com/apache/trafficserver/pull/10564)\n- [cve@mitre.org](https://github.com/dotnet/announcements/issues/277)\n- [cve@mitre.org](https://github.com/facebook/proxygen/pull/466)\n- [cve@mitre.org](https://github.com/golang/go/issues/63417)\n- [cve@mitre.org](https://github.com/h2o/h2o/pull/3291)\n- [cve@mitre.org](https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf)\n- [cve@mitre.org](https://github.com/micrictor/http2-rst-stream)\n- [cve@mitre.org](https://github.com/microsoft/CBL-Mariner/pull/6381)\n- [cve@mitre.org](https://github.com/nodejs/node/pull/50121)\n- [cve@mitre.org](https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo)\n- [cve@mitre.org](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487)\n- [cve@mitre.org](https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/)\n- [cve@mitre.org](https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q)\n- [cve@mitre.org](https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected)\n- [cve@mitre.org](https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14)\n- [cve@mitre.org](https://www.openwall.com/lists/oss-security/2023/10/10/6)\n- [cve@mitre.org](https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73)\n- [cve@mitre.org](https://github.com/advisories/GHSA-xpw8-rcwv-8f8p)\n- [cve@mitre.org](https://github.com/kubernetes/kubernetes/pull/121120)\n- 
[cve@mitre.org](https://github.com/opensearch-project/data-prepper/issues/3474)\n- [cve@mitre.org](https://github.com/oqtane/oqtane.framework/discussions/3367)\n- [cve@mitre.org](https://netty.io/news/2023/10/10/4-1-100-Final.html)\n- [cve@mitre.org](https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487)\n- [cve@mitre.org](https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack)\n- [cve@mitre.org](https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113)\n- [cve@mitre.org](https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1)\n- [cve@mitre.org](https://github.com/kazu-yamamoto/http2/issues/93)\n- [cve@mitre.org](https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37837043)\n- [cve@mitre.org](https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5521)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5522)\n- [cve@mitre.org](https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/)\n- [cve@mitre.org](https://access.redhat.com/security/cve/cve-2023-44487)\n- [cve@mitre.org](https://blog.vespa.ai/cve-2023-44487/)\n- [cve@mitre.org](https://bugzilla.redhat.com/show_bug.cgi?id=2242803)\n- [cve@mitre.org](https://bugzilla.suse.com/show_bug.cgi?id=1216123)\n- [cve@mitre.org](https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125)\n- [cve@mitre.org](https://github.com/advisories/GHSA-qppj-fm5r-hxr3)\n- [cve@mitre.org](https://github.com/etcd-io/etcd/issues/16740)\n- [cve@mitre.org](https://github.com/junkurihara/rust-rpxy/issues/97)\n- [cve@mitre.org](https://github.com/ninenines/cowboy/issues/1615)\n- 
[cve@mitre.org](https://github.com/tempesta-tech/tempesta/issues/1986)\n- [cve@mitre.org](https://github.com/varnishcache/varnish-cache/issues/3996)\n- [cve@mitre.org](https://istio.io/latest/news/security/istio-security-2023-004/)\n- [cve@mitre.org](https://ubuntu.com/security/CVE-2023-44487)\n- [cve@mitre.org](https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event)\n- [cve@mitre.org](https://github.com/apache/httpd-site/pull/10)\n- [cve@mitre.org](https://github.com/line/armeria/pull/5232)\n- [cve@mitre.org](https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632)\n- [cve@mitre.org](https://github.com/projectcontour/contour/pull/5826)\n- [cve@mitre.org](https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:15:10.883000Z", "dockerBaseImage": "ruby:3.2.2-alpine3.18", "dockerfileInstruction": "apk add nodejs", "epssDetails": null, "exploit": "High", "fixedIn": [ "1.57.0-r0" ], "from": [ "docker-image|cyberdojo/shas@*", "curl/curl@8.3.0-r0", "curl/libcurl@8.3.0-r0", "nghttp2/nghttp2-libs@1.55.1-r0" ], "id": "SNYK-ALPINE318-NGHTTP2-5954768", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-12T01:11:09.035012Z", "name": "nghttp2/nghttp2-libs", "nearestFixedInVersion": "1.57.0-r0", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "nghttp2", "patches": [], "publicationTime": "2023-10-11T04:04:38.608135Z", "references": [ { "title": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/", "url": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/" }, { "title": 
"https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/", "url": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/" }, { "title": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/", "url": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/" }, { "title": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "https://news.ycombinator.com/item?id=37831062", "url": "https://news.ycombinator.com/item?id=37831062" }, { "title": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/", "url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/" }, { "title": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack", "url": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack" }, { "title": "https://chaos.social/@icing/111210915918780532", "url": "https://chaos.social/@icing/111210915918780532" }, { "title": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764", "url": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764" }, { "title": "https://github.com/alibaba/tengine/issues/1872", "url": "https://github.com/alibaba/tengine/issues/1872" }, { "title": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2", "url": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2" }, { "title": 
"https://github.com/bcdannyboy/CVE-2023-44487", "url": "https://github.com/bcdannyboy/CVE-2023-44487" }, { "title": "https://github.com/caddyserver/caddy/issues/5877", "url": "https://github.com/caddyserver/caddy/issues/5877" }, { "title": "https://github.com/eclipse/jetty.project/issues/10679", "url": "https://github.com/eclipse/jetty.project/issues/10679" }, { "title": "https://github.com/envoyproxy/envoy/pull/30055", "url": "https://github.com/envoyproxy/envoy/pull/30055" }, { "title": "https://github.com/haproxy/haproxy/issues/2312", "url": "https://github.com/haproxy/haproxy/issues/2312" }, { "title": "https://github.com/hyperium/hyper/issues/3337", "url": "https://github.com/hyperium/hyper/issues/3337" }, { "title": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "https://github.com/nghttp2/nghttp2/pull/1961", "url": "https://github.com/nghttp2/nghttp2/pull/1961" }, { "title": "https://news.ycombinator.com/item?id=37830987", "url": "https://news.ycombinator.com/item?id=37830987" }, { "title": "https://news.ycombinator.com/item?id=37830998", "url": "https://news.ycombinator.com/item?id=37830998" }, { "title": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/", "url": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/" }, { "title": "https://github.com/grpc/grpc-go/pull/6703", "url": "https://github.com/grpc/grpc-go/pull/6703" }, { "title": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1%23L239-L244", "url": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1%23L239-L244" }, { "title": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0", "url": 
"https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0" }, { "title": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html", "url": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html" }, { "title": "https://my.f5.com/manage/s/article/K000137106", "url": "https://my.f5.com/manage/s/article/K000137106" }, { "title": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988", "url": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988" }, { "title": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9", "url": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9" }, { "title": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/", "url": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/" }, { "title": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve", "url": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve" }, { "title": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088", "url": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088" }, { "title": "https://github.com/advisories/GHSA-vx74-f528-fxqg", "url": "https://github.com/advisories/GHSA-vx74-f528-fxqg" }, { "title": "https://github.com/apache/trafficserver/pull/10564", "url": "https://github.com/apache/trafficserver/pull/10564" }, { "title": "https://github.com/dotnet/announcements/issues/277", "url": "https://github.com/dotnet/announcements/issues/277" }, { "title": "https://github.com/facebook/proxygen/pull/466", "url": "https://github.com/facebook/proxygen/pull/466" }, { "title": "https://github.com/golang/go/issues/63417", "url": "https://github.com/golang/go/issues/63417" }, { "title": "https://github.com/h2o/h2o/pull/3291", "url": 
"https://github.com/h2o/h2o/pull/3291" }, { "title": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf", "url": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf" }, { "title": "https://github.com/micrictor/http2-rst-stream", "url": "https://github.com/micrictor/http2-rst-stream" }, { "title": "https://github.com/microsoft/CBL-Mariner/pull/6381", "url": "https://github.com/microsoft/CBL-Mariner/pull/6381" }, { "title": "https://github.com/nodejs/node/pull/50121", "url": "https://github.com/nodejs/node/pull/50121" }, { "title": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo", "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo" }, { "title": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487" }, { "title": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/", "url": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/" }, { "title": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q", "url": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q" }, { "title": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected", "url": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected" }, { "title": "https://tomcat.apache.org/security-10.html%23Fixed_in_Apache_Tomcat_10.1.14", "url": "https://tomcat.apache.org/security-10.html%23Fixed_in_Apache_Tomcat_10.1.14" }, { "title": "https://www.openwall.com/lists/oss-security/2023/10/10/6", "url": "https://www.openwall.com/lists/oss-security/2023/10/10/6" }, { "title": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1%23L73", "url": 
"https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1%23L73" }, { "title": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p", "url": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p" }, { "title": "https://github.com/kubernetes/kubernetes/pull/121120", "url": "https://github.com/kubernetes/kubernetes/pull/121120" }, { "title": "https://github.com/opensearch-project/data-prepper/issues/3474", "url": "https://github.com/opensearch-project/data-prepper/issues/3474" }, { "title": "https://github.com/oqtane/oqtane.framework/discussions/3367", "url": "https://github.com/oqtane/oqtane.framework/discussions/3367" }, { "title": "https://netty.io/news/2023/10/10/4-1-100-Final.html", "url": "https://netty.io/news/2023/10/10/4-1-100-Final.html" }, { "title": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487", "url": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487" }, { "title": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack", "url": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack" }, { "title": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c%23L1101-L1113", "url": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c%23L1101-L1113" }, { "title": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1", "url": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1" }, { "title": "https://github.com/kazu-yamamoto/http2/issues/93", "url": "https://github.com/kazu-yamamoto/http2/issues/93" }, { "title": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html", "url": 
"https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html" }, { "title": "https://news.ycombinator.com/item?id=37837043", "url": "https://news.ycombinator.com/item?id=37837043" }, { "title": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487", "url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487" }, { "title": "https://www.debian.org/security/2023/dsa-5521", "url": "https://www.debian.org/security/2023/dsa-5521" }, { "title": "https://www.debian.org/security/2023/dsa-5522", "url": "https://www.debian.org/security/2023/dsa-5522" }, { "title": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/", "url": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/" }, { "title": "https://access.redhat.com/security/cve/cve-2023-44487", "url": "https://access.redhat.com/security/cve/cve-2023-44487" }, { "title": "https://blog.vespa.ai/cve-2023-44487/", "url": "https://blog.vespa.ai/cve-2023-44487/" }, { "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803" }, { "title": "https://bugzilla.suse.com/show_bug.cgi?id=1216123", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1216123" }, { "title": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125", "url": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125" }, { "title": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", "url": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3" }, { "title": "https://github.com/etcd-io/etcd/issues/16740", "url": "https://github.com/etcd-io/etcd/issues/16740" }, { "title": "https://github.com/junkurihara/rust-rpxy/issues/97", "url": "https://github.com/junkurihara/rust-rpxy/issues/97" }, { "title": "https://github.com/ninenines/cowboy/issues/1615", "url": "https://github.com/ninenines/cowboy/issues/1615" }, { 
"title": "https://github.com/tempesta-tech/tempesta/issues/1986", "url": "https://github.com/tempesta-tech/tempesta/issues/1986" }, { "title": "https://github.com/varnishcache/varnish-cache/issues/3996", "url": "https://github.com/varnishcache/varnish-cache/issues/3996" }, { "title": "https://istio.io/latest/news/security/istio-security-2023-004/", "url": "https://istio.io/latest/news/security/istio-security-2023-004/" }, { "title": "https://ubuntu.com/security/CVE-2023-44487", "url": "https://ubuntu.com/security/CVE-2023-44487" }, { "title": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event", "url": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event" }, { "title": "https://github.com/apache/httpd-site/pull/10", "url": "https://github.com/apache/httpd-site/pull/10" }, { "title": "https://github.com/line/armeria/pull/5232", "url": "https://github.com/line/armeria/pull/5232" }, { "title": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632", "url": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632" }, { "title": "https://github.com/projectcontour/contour/pull/5826", "url": "https://github.com/projectcontour/contour/pull/5826" }, { "title": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/", "url": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/" }, { "title": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<1.57.0-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Resource Exhaustion", "upgradePath": [], "version": "1.55.1-r0" } ] }, "created_at": 1697097977.7158828, "has_audit_package": true }