web-archived-at-1709658792
UX for practicing TDD
cyberdojo/web:a6d085f
Non-compliant
{ "created_at": 1696305283.3395097, "fingerprint": "7ef0a70593852064b16c4cc36800551f0776c030eca8f5265669ddb7a8cebbaf", "filename": "cyberdojo/web:a6d085f", "git_commit": "a6d085f22f1ba4c4097d1dd1086a0ed3b6703641", "build_url": "https://github.com/cyber-dojo/web/actions/runs/6388442543", "commit_url": "https://github.com/cyber-dojo/web/commit/a6d085f22f1ba4c4097d1dd1086a0ed3b6703641", "evidence": { "snyk-scan": { "evidence_type": "snyk", "is_compliant": false, "build_url": "https://github.com/cyber-dojo/snyk_scans/actions/runs/6493367229", "evidence_archive_fingerprint": "34d3bc749763936d301cce3ae3a5b4ff9acda265357ee79887b9ef91d1d8d456", "user_data": {}, "snyk_results": { "dependencyCount": 51, "docker": { "baseImage": "alpine:3.18.4", "baseImageRemediation": { "advice": [ { "bold": true, "message": "According to our scan, you are currently using the most secure version of the selected base image" } ], "code": "NO_REMEDIATION_AVAILABLE" }, "binariesVulns": { "affectedPkgs": {}, "issuesData": {} } }, "filesystemPolicy": true, "filtered": { "ignore": [], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", 
"licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": false, "org": "jonjagger", "packageManager": "apk", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/web:a6d085f@sha256:7ef0a70593852064b16c4cc36800551f0776c030eca8f5265669ddb7a8cebbaf/web:a6d085f", "platform": "linux/amd64", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n", "projectName": "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/web:a6d085f", "severityThreshold": "medium", "summary": "6 medium or high or critical severity vulnerable dependency paths", "uniqueCount": 2, "vulnerabilities": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L/E:P", "cpes": [], "creationTime": "2023-10-11T11:45:04.817337Z", "credit": [], "cvssDetails": [], "cvssScore": 7.7, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `curl` package and not the `curl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nin the `SOCKS5` proxy handshake process when the hostname is longer than the target buffer.\nThe local variable `socks5_resolve_local` could get the wrong value during a slow SOCKS5 handshake.\nSince the code wrongly thinks it should pass on the hostname, even though the hostname is too 
long to fit, the memory copy can overflow the allocated target buffer. \n\nThis is only exploitable if the SOCKS5 handshake is slow enough to trigger a local variable bug and the client uses a hostname longer than the download buffer.\n\nExploiting this vulnerability could allow an attacker to execute arbitrary code on the target system under certain conditions.\n\n\n**Note:**\n\nAn overflow is only possible in applications that don't set `CURLOPT_BUFFERSIZE` or set it smaller than 65541. \nSince the curl tool sets `CURLOPT_BUFFERSIZE` to 100kB by default, it is not vulnerable unless the user sets the rate limiting to a rate smaller than 65541 bytes/second.\n\nThe options that cause SOCKS5 with remote hostname to be used in `libcurl`:\n\n1) `CURLOPT_PROXYTYPE` set to type `CURLPROXY_SOCKS5_HOSTNAME`, or:\n`CURLOPT_PROXY` or `CURLOPT_PRE_PROXY` set to use the scheme `socks5h://`\n\n2) One of the proxy environment variables can be set to use the `socks5h://` scheme. For example, `http_proxy`, `HTTPS_PROXY` or `ALL_PROXY`.\n\n\nThe options that cause SOCKS5 with remote hostname to be used in the `curl` tool:\n\n1) `--socks5-hostname`, `--proxy` or `--preproxy` set to use the scheme `socks5h://`\n\n2) Environment variables as described in the libcurl section.\n\n\n\n**Changelog:**\n\n2023-10-04: Initial publication\n\n2023-10-11: Published updated information, including CWE, CVSS, official references and affected versions range.\n## Remediation\nUpgrade `Alpine:3.18` `curl` to version 8.4.0-r0 or higher.\n", "disclosureTime": null, "epssDetails": null, "exploit": "Proof of Concept", "fixedIn": [ "8.4.0-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/web:a6d085f@*", "curl/libcurl@8.3.0-r0" ], "id": "SNYK-ALPINE318-CURL-5958913", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-38545" ], "CWE": [ "CWE-122" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", 
"malicious": false, "modificationTime": "2023-10-12T06:20:00.497141Z", "name": "curl/libcurl", "nearestFixedInVersion": "8.4.0-r0", "nvdSeverity": null, "packageManager": "alpine:3.18", "packageName": "curl", "patches": [], "publicationTime": "2023-10-11T11:43:48.209416Z", "references": [], "relativeImportance": null, "semver": { "vulnerable": [ "<8.4.0-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Heap-based Buffer Overflow", "upgradePath": [ false, "curl/libcurl@8.4.0-r0" ], "version": "8.3.0-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L/E:P", "cpes": [], "creationTime": "2023-10-11T11:45:04.817337Z", "credit": [], "cvssDetails": [], "cvssScore": 7.7, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `curl` package and not the `curl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nin the `SOCKS5` proxy handshake process when the hostname is longer than the target buffer.\nThe local variable `socks5_resolve_local` could get the wrong value during a slow SOCKS5 handshake.\nSince the code wrongly thinks it should pass on the hostname, even though the hostname is too long to fit, the memory copy can overflow the allocated target buffer. \n\nThis is only exploitable if the SOCKS5 handshake is slow enough to trigger a local variable bug and the client uses a hostname longer than the download buffer.\n\nExploiting this vulnerability could allow an attacker to execute arbitrary code on the target system under certain conditions.\n\n\n**Note:**\n\nAn overflow is only possible in applications that don't set `CURLOPT_BUFFERSIZE` or set it smaller than 65541. 
\nSince the curl tool sets `CURLOPT_BUFFERSIZE` to 100kB by default, it is not vulnerable unless the user sets the rate limiting to a rate smaller than 65541 bytes/second.\n\nThe options that cause SOCKS5 with remote hostname to be used in `libcurl`:\n\n1) `CURLOPT_PROXYTYPE` set to type `CURLPROXY_SOCKS5_HOSTNAME`, or:\n`CURLOPT_PROXY` or `CURLOPT_PRE_PROXY` set to use the scheme `socks5h://`\n\n2) One of the proxy environment variables can be set to use the `socks5h://` scheme. For example, `http_proxy`, `HTTPS_PROXY` or `ALL_PROXY`.\n\n\nThe options that cause SOCKS5 with remote hostname to be used in the `curl` tool:\n\n1) `--socks5-hostname`, `--proxy` or `--preproxy` set to use the scheme `socks5h://`\n\n2) Environment variables as described in the libcurl section.\n\n\n\n**Changelog:**\n\n2023-10-04: Initial publication\n\n2023-10-11: Published updated information, including CWE, CVSS, official references and affected versions range.\n## Remediation\nUpgrade `Alpine:3.18` `curl` to version 8.4.0-r0 or higher.\n", "disclosureTime": null, "epssDetails": null, "exploit": "Proof of Concept", "fixedIn": [ "8.4.0-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/web:a6d085f@*", "curl/curl@8.3.0-r0", "curl/libcurl@8.3.0-r0" ], "id": "SNYK-ALPINE318-CURL-5958913", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-38545" ], "CWE": [ "CWE-122" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-12T06:20:00.497141Z", "name": "curl/libcurl", "nearestFixedInVersion": "8.4.0-r0", "nvdSeverity": null, "packageManager": "alpine:3.18", "packageName": "curl", "patches": [], "publicationTime": "2023-10-11T11:43:48.209416Z", "references": [], "relativeImportance": null, "semver": { "vulnerable": [ "<8.4.0-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Heap-based Buffer 
Overflow", "upgradePath": [], "version": "8.3.0-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L/E:P", "cpes": [], "creationTime": "2023-10-11T11:45:04.817337Z", "credit": [], "cvssDetails": [], "cvssScore": 7.7, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `curl` package and not the `curl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nin the `SOCKS5` proxy handshake process when the hostname is longer than the target buffer.\nThe local variable `socks5_resolve_local` could get the wrong value during a slow SOCKS5 handshake.\nSince the code wrongly thinks it should pass on the hostname, even though the hostname is too long to fit, the memory copy can overflow the allocated target buffer. \n\nThis is only exploitable if the SOCKS5 handshake is slow enough to trigger a local variable bug and the client uses a hostname longer than the download buffer.\n\nExploiting this vulnerability could allow an attacker to execute arbitrary code on the target system under certain conditions.\n\n\n**Note:**\n\nAn overflow is only possible in applications that don't set `CURLOPT_BUFFERSIZE` or set it smaller than 65541. \nSince the curl tool sets `CURLOPT_BUFFERSIZE` to 100kB by default, it is not vulnerable unless the user sets the rate limiting to a rate smaller than 65541 bytes/second.\n\nThe options that cause SOCKS5 with remote hostname to be used in `libcurl`:\n\n1) `CURLOPT_PROXYTYPE` set to type `CURLPROXY_SOCKS5_HOSTNAME`, or:\n`CURLOPT_PROXY` or `CURLOPT_PRE_PROXY` set to use the scheme `socks5h://`\n\n2) One of the proxy environment variables can be set to use the `socks5h://` scheme. 
For example, `http_proxy`, `HTTPS_PROXY` or `ALL_PROXY`.\n\n\nThe options that cause SOCKS5 with remote hostname to be used in the `curl` tool:\n\n1) `--socks5-hostname`, `--proxy` or `--preproxy` set to use the scheme `socks5h://`\n\n2) Environment variables as described in the libcurl section.\n\n\n\n**Changelog:**\n\n2023-10-04: Initial publication\n\n2023-10-11: Published updated information, including CWE, CVSS, official references and affected versions range.\n## Remediation\nUpgrade `Alpine:3.18` `curl` to version 8.4.0-r0 or higher.\n", "disclosureTime": null, "epssDetails": null, "exploit": "Proof of Concept", "fixedIn": [ "8.4.0-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/web:a6d085f@*", "git/git@2.40.1-r0", "curl/libcurl@8.3.0-r0" ], "id": "SNYK-ALPINE318-CURL-5958913", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-38545" ], "CWE": [ "CWE-122" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-12T06:20:00.497141Z", "name": "curl/libcurl", "nearestFixedInVersion": "8.4.0-r0", "nvdSeverity": null, "packageManager": "alpine:3.18", "packageName": "curl", "patches": [], "publicationTime": "2023-10-11T11:43:48.209416Z", "references": [], "relativeImportance": null, "semver": { "vulnerable": [ "<8.4.0-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Heap-based Buffer Overflow", "upgradePath": [], "version": "8.3.0-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L/E:P", "cpes": [], "creationTime": "2023-10-11T11:45:04.817337Z", "credit": [], "cvssDetails": [], "cvssScore": 7.7, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `curl` package and not the `curl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and 
status._\n\nin the `SOCKS5` proxy handshake process when the hostname is longer than the target buffer.\nThe local variable `socks5_resolve_local` could get the wrong value during a slow SOCKS5 handshake.\nSince the code wrongly thinks it should pass on the hostname, even though the hostname is too long to fit, the memory copy can overflow the allocated target buffer. \n\nThis is only exploitable if the SOCKS5 handshake is slow enough to trigger a local variable bug and the client uses a hostname longer than the download buffer.\n\nExploiting this vulnerability could allow an attacker to execute arbitrary code on the target system under certain conditions.\n\n\n**Note:**\n\nAn overflow is only possible in applications that don't set `CURLOPT_BUFFERSIZE` or set it smaller than 65541. \nSince the curl tool sets `CURLOPT_BUFFERSIZE` to 100kB by default, it is not vulnerable unless the user sets the rate limiting to a rate smaller than 65541 bytes/second.\n\nThe options that cause SOCKS5 with remote hostname to be used in `libcurl`:\n\n1) `CURLOPT_PROXYTYPE` set to type `CURLPROXY_SOCKS5_HOSTNAME`, or:\n`CURLOPT_PROXY` or `CURLOPT_PRE_PROXY` set to use the scheme `socks5h://`\n\n2) One of the proxy environment variables can be set to use the `socks5h://` scheme. 
For example, `http_proxy`, `HTTPS_PROXY` or `ALL_PROXY`.\n\n\nThe options that cause SOCKS5 with remote hostname to be used in the `curl` tool:\n\n1) `--socks5-hostname`, `--proxy` or `--preproxy` set to use the scheme `socks5h://`\n\n2) Environment variables as described in the libcurl section.\n\n\n\n**Changelog:**\n\n2023-10-04: Initial publication\n\n2023-10-11: Published updated information, including CWE, CVSS, official references and affected versions range.\n## Remediation\nUpgrade `Alpine:3.18` `curl` to version 8.4.0-r0 or higher.\n", "disclosureTime": null, "epssDetails": null, "exploit": "Proof of Concept", "fixedIn": [ "8.4.0-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/web:a6d085f@*", "curl/curl@8.3.0-r0" ], "id": "SNYK-ALPINE318-CURL-5958913", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-38545" ], "CWE": [ "CWE-122" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2023-10-12T06:20:00.497141Z", "name": "curl/curl", "nearestFixedInVersion": "8.4.0-r0", "nvdSeverity": null, "packageManager": "alpine:3.18", "packageName": "curl", "patches": [], "publicationTime": "2023-10-11T11:43:48.209416Z", "references": [], "relativeImportance": null, "semver": { "vulnerable": [ "<8.4.0-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Heap-based Buffer Overflow", "upgradePath": [ false, "curl/curl@8.4.0-r0" ], "version": "8.3.0-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "cpes": [], "creationTime": "2023-10-11T04:04:38.629011Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "modificationTime": "2023-10-11T14:31:08.807516Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions 
mentioned in the description apply only to the upstream `nghttp2` package and not the `nghttp2` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nThe HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.\n## Remediation\nUpgrade `Alpine:3.18` `nghttp2` to version 1.57.0-r0 or higher.\n## References\n- [cve@mitre.org](https://aws.amazon.com/security/security-bulletins/AWS-2023-011/)\n- [cve@mitre.org](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [cve@mitre.org](https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/)\n- [cve@mitre.org](https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/)\n- [cve@mitre.org](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37831062)\n- [cve@mitre.org](https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/)\n- [cve@mitre.org](https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack)\n- [cve@mitre.org](https://chaos.social/@icing/111210915918780532)\n- [cve@mitre.org](https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764)\n- [cve@mitre.org](https://github.com/alibaba/tengine/issues/1872)\n- [cve@mitre.org](https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2)\n- [cve@mitre.org](https://github.com/bcdannyboy/CVE-2023-44487)\n- [cve@mitre.org](https://github.com/caddyserver/caddy/issues/5877)\n- [cve@mitre.org](https://github.com/eclipse/jetty.project/issues/10679)\n- [cve@mitre.org](https://github.com/envoyproxy/envoy/pull/30055)\n- [cve@mitre.org](https://github.com/haproxy/haproxy/issues/2312)\n- 
[cve@mitre.org](https://github.com/hyperium/hyper/issues/3337)\n- [cve@mitre.org](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [cve@mitre.org](https://github.com/nghttp2/nghttp2/pull/1961)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37830987)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37830998)\n- [cve@mitre.org](https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/)\n- [cve@mitre.org](https://github.com/grpc/grpc-go/pull/6703)\n- [cve@mitre.org](https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244)\n- [cve@mitre.org](https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0)\n- [cve@mitre.org](https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html)\n- [cve@mitre.org](https://my.f5.com/manage/s/article/K000137106)\n- [cve@mitre.org](https://bugzilla.proxmox.com/show_bug.cgi?id=4988)\n- [cve@mitre.org](https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9)\n- [cve@mitre.org](https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/)\n- [cve@mitre.org](https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve)\n- [cve@mitre.org](https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088)\n- [cve@mitre.org](https://github.com/advisories/GHSA-vx74-f528-fxqg)\n- [cve@mitre.org](https://github.com/apache/trafficserver/pull/10564)\n- [cve@mitre.org](https://github.com/dotnet/announcements/issues/277)\n- [cve@mitre.org](https://github.com/facebook/proxygen/pull/466)\n- [cve@mitre.org](https://github.com/golang/go/issues/63417)\n- [cve@mitre.org](https://github.com/h2o/h2o/pull/3291)\n- [cve@mitre.org](https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf)\n- [cve@mitre.org](https://github.com/micrictor/http2-rst-stream)\n- 
[cve@mitre.org](https://github.com/microsoft/CBL-Mariner/pull/6381)\n- [cve@mitre.org](https://github.com/nodejs/node/pull/50121)\n- [cve@mitre.org](https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo)\n- [cve@mitre.org](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487)\n- [cve@mitre.org](https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/)\n- [cve@mitre.org](https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q)\n- [cve@mitre.org](https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected)\n- [cve@mitre.org](https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14)\n- [cve@mitre.org](https://www.openwall.com/lists/oss-security/2023/10/10/6)\n- [cve@mitre.org](https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73)\n- [cve@mitre.org](https://github.com/advisories/GHSA-xpw8-rcwv-8f8p)\n- [cve@mitre.org](https://github.com/kubernetes/kubernetes/pull/121120)\n- [cve@mitre.org](https://github.com/opensearch-project/data-prepper/issues/3474)\n- [cve@mitre.org](https://github.com/oqtane/oqtane.framework/discussions/3367)\n- [cve@mitre.org](https://netty.io/news/2023/10/10/4-1-100-Final.html)\n- [cve@mitre.org](https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487)\n- [cve@mitre.org](https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack)\n- [cve@mitre.org](https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113)\n- [cve@mitre.org](https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1)\n- [cve@mitre.org](https://github.com/kazu-yamamoto/http2/issues/93)\n- [cve@mitre.org](https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html)\n- 
[cve@mitre.org](https://news.ycombinator.com/item?id=37837043)\n- [cve@mitre.org](https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5521)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5522)\n- [cve@mitre.org](https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/)\n- [cve@mitre.org](https://access.redhat.com/security/cve/cve-2023-44487)\n- [cve@mitre.org](https://blog.vespa.ai/cve-2023-44487/)\n- [cve@mitre.org](https://bugzilla.redhat.com/show_bug.cgi?id=2242803)\n- [cve@mitre.org](https://bugzilla.suse.com/show_bug.cgi?id=1216123)\n- [cve@mitre.org](https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125)\n- [cve@mitre.org](https://github.com/advisories/GHSA-qppj-fm5r-hxr3)\n- [cve@mitre.org](https://github.com/etcd-io/etcd/issues/16740)\n- [cve@mitre.org](https://github.com/junkurihara/rust-rpxy/issues/97)\n- [cve@mitre.org](https://github.com/ninenines/cowboy/issues/1615)\n- [cve@mitre.org](https://github.com/tempesta-tech/tempesta/issues/1986)\n- [cve@mitre.org](https://github.com/varnishcache/varnish-cache/issues/3996)\n- [cve@mitre.org](https://istio.io/latest/news/security/istio-security-2023-004/)\n- [cve@mitre.org](https://ubuntu.com/security/CVE-2023-44487)\n- [cve@mitre.org](https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event)\n- [cve@mitre.org](https://github.com/apache/httpd-site/pull/10)\n- [cve@mitre.org](https://github.com/line/armeria/pull/5232)\n- [cve@mitre.org](https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632)\n- [cve@mitre.org](https://github.com/projectcontour/contour/pull/5826)\n- [cve@mitre.org](https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": 
"2023-10-10T14:15:10.883000Z", "epssDetails": null, "exploit": "High", "fixedIn": [ "1.57.0-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/web:a6d085f@*", "nghttp2/nghttp2-libs@1.55.1-r0" ], "id": "SNYK-ALPINE318-NGHTTP2-5954768", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2023-10-12T01:11:09.035012Z", "name": "nghttp2/nghttp2-libs", "nearestFixedInVersion": "1.57.0-r0", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "nghttp2", "patches": [], "publicationTime": "2023-10-11T04:04:38.608135Z", "references": [ { "title": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/", "url": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/" }, { "title": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/", "url": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/" }, { "title": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/", "url": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/" }, { "title": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "https://news.ycombinator.com/item?id=37831062", "url": "https://news.ycombinator.com/item?id=37831062" }, { "title": 
"https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/", "url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/" }, { "title": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack", "url": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack" }, { "title": "https://chaos.social/@icing/111210915918780532", "url": "https://chaos.social/@icing/111210915918780532" }, { "title": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764", "url": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764" }, { "title": "https://github.com/alibaba/tengine/issues/1872", "url": "https://github.com/alibaba/tengine/issues/1872" }, { "title": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2", "url": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2" }, { "title": "https://github.com/bcdannyboy/CVE-2023-44487", "url": "https://github.com/bcdannyboy/CVE-2023-44487" }, { "title": "https://github.com/caddyserver/caddy/issues/5877", "url": "https://github.com/caddyserver/caddy/issues/5877" }, { "title": "https://github.com/eclipse/jetty.project/issues/10679", "url": "https://github.com/eclipse/jetty.project/issues/10679" }, { "title": "https://github.com/envoyproxy/envoy/pull/30055", "url": "https://github.com/envoyproxy/envoy/pull/30055" }, { "title": "https://github.com/haproxy/haproxy/issues/2312", "url": "https://github.com/haproxy/haproxy/issues/2312" }, { "title": "https://github.com/hyperium/hyper/issues/3337", "url": "https://github.com/hyperium/hyper/issues/3337" }, { "title": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "https://github.com/nghttp2/nghttp2/pull/1961", "url": "https://github.com/nghttp2/nghttp2/pull/1961" }, { "title": 
"https://news.ycombinator.com/item?id=37830987", "url": "https://news.ycombinator.com/item?id=37830987" }, { "title": "https://news.ycombinator.com/item?id=37830998", "url": "https://news.ycombinator.com/item?id=37830998" }, { "title": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/", "url": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/" }, { "title": "https://github.com/grpc/grpc-go/pull/6703", "url": "https://github.com/grpc/grpc-go/pull/6703" }, { "title": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1%23L239-L244", "url": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1%23L239-L244" }, { "title": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0", "url": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0" }, { "title": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html", "url": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html" }, { "title": "https://my.f5.com/manage/s/article/K000137106", "url": "https://my.f5.com/manage/s/article/K000137106" }, { "title": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988", "url": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988" }, { "title": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9", "url": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9" }, { "title": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/", "url": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/" }, { "title": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve", "url": 
"https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve" }, { "title": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088", "url": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088" }, { "title": "https://github.com/advisories/GHSA-vx74-f528-fxqg", "url": "https://github.com/advisories/GHSA-vx74-f528-fxqg" }, { "title": "https://github.com/apache/trafficserver/pull/10564", "url": "https://github.com/apache/trafficserver/pull/10564" }, { "title": "https://github.com/dotnet/announcements/issues/277", "url": "https://github.com/dotnet/announcements/issues/277" }, { "title": "https://github.com/facebook/proxygen/pull/466", "url": "https://github.com/facebook/proxygen/pull/466" }, { "title": "https://github.com/golang/go/issues/63417", "url": "https://github.com/golang/go/issues/63417" }, { "title": "https://github.com/h2o/h2o/pull/3291", "url": "https://github.com/h2o/h2o/pull/3291" }, { "title": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf", "url": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf" }, { "title": "https://github.com/micrictor/http2-rst-stream", "url": "https://github.com/micrictor/http2-rst-stream" }, { "title": "https://github.com/microsoft/CBL-Mariner/pull/6381", "url": "https://github.com/microsoft/CBL-Mariner/pull/6381" }, { "title": "https://github.com/nodejs/node/pull/50121", "url": "https://github.com/nodejs/node/pull/50121" }, { "title": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo", "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo" }, { "title": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487" }, { "title": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/", "url": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/" }, { 
"title": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q", "url": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q" }, { "title": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected", "url": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected" }, { "title": "https://tomcat.apache.org/security-10.html%23Fixed_in_Apache_Tomcat_10.1.14", "url": "https://tomcat.apache.org/security-10.html%23Fixed_in_Apache_Tomcat_10.1.14" }, { "title": "https://www.openwall.com/lists/oss-security/2023/10/10/6", "url": "https://www.openwall.com/lists/oss-security/2023/10/10/6" }, { "title": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1%23L73", "url": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1%23L73" }, { "title": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p", "url": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p" }, { "title": "https://github.com/kubernetes/kubernetes/pull/121120", "url": "https://github.com/kubernetes/kubernetes/pull/121120" }, { "title": "https://github.com/opensearch-project/data-prepper/issues/3474", "url": "https://github.com/opensearch-project/data-prepper/issues/3474" }, { "title": "https://github.com/oqtane/oqtane.framework/discussions/3367", "url": "https://github.com/oqtane/oqtane.framework/discussions/3367" }, { "title": "https://netty.io/news/2023/10/10/4-1-100-Final.html", "url": "https://netty.io/news/2023/10/10/4-1-100-Final.html" }, { "title": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487", "url": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487" }, { "title": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack", "url": 
"https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack" }, { "title": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c%23L1101-L1113", "url": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c%23L1101-L1113" }, { "title": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1", "url": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1" }, { "title": "https://github.com/kazu-yamamoto/http2/issues/93", "url": "https://github.com/kazu-yamamoto/http2/issues/93" }, { "title": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html", "url": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html" }, { "title": "https://news.ycombinator.com/item?id=37837043", "url": "https://news.ycombinator.com/item?id=37837043" }, { "title": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487", "url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487" }, { "title": "https://www.debian.org/security/2023/dsa-5521", "url": "https://www.debian.org/security/2023/dsa-5521" }, { "title": "https://www.debian.org/security/2023/dsa-5522", "url": "https://www.debian.org/security/2023/dsa-5522" }, { "title": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/", "url": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/" }, { "title": "https://access.redhat.com/security/cve/cve-2023-44487", "url": "https://access.redhat.com/security/cve/cve-2023-44487" }, { "title": "https://blog.vespa.ai/cve-2023-44487/", "url": "https://blog.vespa.ai/cve-2023-44487/" }, { "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803", "url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=2242803" }, { "title": "https://bugzilla.suse.com/show_bug.cgi?id=1216123", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1216123" }, { "title": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125", "url": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125" }, { "title": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", "url": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3" }, { "title": "https://github.com/etcd-io/etcd/issues/16740", "url": "https://github.com/etcd-io/etcd/issues/16740" }, { "title": "https://github.com/junkurihara/rust-rpxy/issues/97", "url": "https://github.com/junkurihara/rust-rpxy/issues/97" }, { "title": "https://github.com/ninenines/cowboy/issues/1615", "url": "https://github.com/ninenines/cowboy/issues/1615" }, { "title": "https://github.com/tempesta-tech/tempesta/issues/1986", "url": "https://github.com/tempesta-tech/tempesta/issues/1986" }, { "title": "https://github.com/varnishcache/varnish-cache/issues/3996", "url": "https://github.com/varnishcache/varnish-cache/issues/3996" }, { "title": "https://istio.io/latest/news/security/istio-security-2023-004/", "url": "https://istio.io/latest/news/security/istio-security-2023-004/" }, { "title": "https://ubuntu.com/security/CVE-2023-44487", "url": "https://ubuntu.com/security/CVE-2023-44487" }, { "title": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event", "url": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event" }, { "title": "https://github.com/apache/httpd-site/pull/10", "url": "https://github.com/apache/httpd-site/pull/10" }, { "title": "https://github.com/line/armeria/pull/5232", "url": "https://github.com/line/armeria/pull/5232" }, { "title": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632", "url": 
"https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632" }, { "title": "https://github.com/projectcontour/contour/pull/5826", "url": "https://github.com/projectcontour/contour/pull/5826" }, { "title": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/", "url": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/" }, { "title": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<1.57.0-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Resource Exhaustion", "upgradePath": [ false, "nghttp2/nghttp2-libs@1.57.0-r0" ], "version": "1.55.1-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "cpes": [], "creationTime": "2023-10-11T04:04:38.629011Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "modificationTime": "2023-10-11T14:31:08.807516Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `nghttp2` package and not the `nghttp2` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nThe HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.\n## Remediation\nUpgrade `Alpine:3.18` `nghttp2` to version 1.57.0-r0 or higher.\n## References\n- [cve@mitre.org](https://aws.amazon.com/security/security-bulletins/AWS-2023-011/)\n- [cve@mitre.org](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- 
[cve@mitre.org](https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/)\n- [cve@mitre.org](https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/)\n- [cve@mitre.org](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37831062)\n- [cve@mitre.org](https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/)\n- [cve@mitre.org](https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack)\n- [cve@mitre.org](https://chaos.social/@icing/111210915918780532)\n- [cve@mitre.org](https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764)\n- [cve@mitre.org](https://github.com/alibaba/tengine/issues/1872)\n- [cve@mitre.org](https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2)\n- [cve@mitre.org](https://github.com/bcdannyboy/CVE-2023-44487)\n- [cve@mitre.org](https://github.com/caddyserver/caddy/issues/5877)\n- [cve@mitre.org](https://github.com/eclipse/jetty.project/issues/10679)\n- [cve@mitre.org](https://github.com/envoyproxy/envoy/pull/30055)\n- [cve@mitre.org](https://github.com/haproxy/haproxy/issues/2312)\n- [cve@mitre.org](https://github.com/hyperium/hyper/issues/3337)\n- [cve@mitre.org](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [cve@mitre.org](https://github.com/nghttp2/nghttp2/pull/1961)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37830987)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37830998)\n- [cve@mitre.org](https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/)\n- [cve@mitre.org](https://github.com/grpc/grpc-go/pull/6703)\n- [cve@mitre.org](https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244)\n- 
[cve@mitre.org](https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0)\n- [cve@mitre.org](https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html)\n- [cve@mitre.org](https://my.f5.com/manage/s/article/K000137106)\n- [cve@mitre.org](https://bugzilla.proxmox.com/show_bug.cgi?id=4988)\n- [cve@mitre.org](https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9)\n- [cve@mitre.org](https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/)\n- [cve@mitre.org](https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve)\n- [cve@mitre.org](https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088)\n- [cve@mitre.org](https://github.com/advisories/GHSA-vx74-f528-fxqg)\n- [cve@mitre.org](https://github.com/apache/trafficserver/pull/10564)\n- [cve@mitre.org](https://github.com/dotnet/announcements/issues/277)\n- [cve@mitre.org](https://github.com/facebook/proxygen/pull/466)\n- [cve@mitre.org](https://github.com/golang/go/issues/63417)\n- [cve@mitre.org](https://github.com/h2o/h2o/pull/3291)\n- [cve@mitre.org](https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf)\n- [cve@mitre.org](https://github.com/micrictor/http2-rst-stream)\n- [cve@mitre.org](https://github.com/microsoft/CBL-Mariner/pull/6381)\n- [cve@mitre.org](https://github.com/nodejs/node/pull/50121)\n- [cve@mitre.org](https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo)\n- [cve@mitre.org](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487)\n- [cve@mitre.org](https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/)\n- [cve@mitre.org](https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q)\n- [cve@mitre.org](https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected)\n- 
[cve@mitre.org](https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14)\n- [cve@mitre.org](https://www.openwall.com/lists/oss-security/2023/10/10/6)\n- [cve@mitre.org](https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73)\n- [cve@mitre.org](https://github.com/advisories/GHSA-xpw8-rcwv-8f8p)\n- [cve@mitre.org](https://github.com/kubernetes/kubernetes/pull/121120)\n- [cve@mitre.org](https://github.com/opensearch-project/data-prepper/issues/3474)\n- [cve@mitre.org](https://github.com/oqtane/oqtane.framework/discussions/3367)\n- [cve@mitre.org](https://netty.io/news/2023/10/10/4-1-100-Final.html)\n- [cve@mitre.org](https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487)\n- [cve@mitre.org](https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack)\n- [cve@mitre.org](https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113)\n- [cve@mitre.org](https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1)\n- [cve@mitre.org](https://github.com/kazu-yamamoto/http2/issues/93)\n- [cve@mitre.org](https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37837043)\n- [cve@mitre.org](https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5521)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5522)\n- [cve@mitre.org](https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/)\n- [cve@mitre.org](https://access.redhat.com/security/cve/cve-2023-44487)\n- [cve@mitre.org](https://blog.vespa.ai/cve-2023-44487/)\n- [cve@mitre.org](https://bugzilla.redhat.com/show_bug.cgi?id=2242803)\n- 
[cve@mitre.org](https://bugzilla.suse.com/show_bug.cgi?id=1216123)\n- [cve@mitre.org](https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125)\n- [cve@mitre.org](https://github.com/advisories/GHSA-qppj-fm5r-hxr3)\n- [cve@mitre.org](https://github.com/etcd-io/etcd/issues/16740)\n- [cve@mitre.org](https://github.com/junkurihara/rust-rpxy/issues/97)\n- [cve@mitre.org](https://github.com/ninenines/cowboy/issues/1615)\n- [cve@mitre.org](https://github.com/tempesta-tech/tempesta/issues/1986)\n- [cve@mitre.org](https://github.com/varnishcache/varnish-cache/issues/3996)\n- [cve@mitre.org](https://istio.io/latest/news/security/istio-security-2023-004/)\n- [cve@mitre.org](https://ubuntu.com/security/CVE-2023-44487)\n- [cve@mitre.org](https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event)\n- [cve@mitre.org](https://github.com/apache/httpd-site/pull/10)\n- [cve@mitre.org](https://github.com/line/armeria/pull/5232)\n- [cve@mitre.org](https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632)\n- [cve@mitre.org](https://github.com/projectcontour/contour/pull/5826)\n- [cve@mitre.org](https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:15:10.883000Z", "epssDetails": null, "exploit": "High", "fixedIn": [ "1.57.0-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/web:a6d085f@*", "curl/curl@8.3.0-r0", "curl/libcurl@8.3.0-r0", "nghttp2/nghttp2-libs@1.55.1-r0" ], "id": "SNYK-ALPINE318-NGHTTP2-5954768", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-12T01:11:09.035012Z", "name": 
"nghttp2/nghttp2-libs", "nearestFixedInVersion": "1.57.0-r0", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "nghttp2", "patches": [], "publicationTime": "2023-10-11T04:04:38.608135Z", "references": [ { "title": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/", "url": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/" }, { "title": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/", "url": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/" }, { "title": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/", "url": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/" }, { "title": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "https://news.ycombinator.com/item?id=37831062", "url": "https://news.ycombinator.com/item?id=37831062" }, { "title": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/", "url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/" }, { "title": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack", "url": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack" }, { "title": "https://chaos.social/@icing/111210915918780532", "url": "https://chaos.social/@icing/111210915918780532" }, { "title": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764", "url": 
"https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764" }, { "title": "https://github.com/alibaba/tengine/issues/1872", "url": "https://github.com/alibaba/tengine/issues/1872" }, { "title": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2", "url": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2" }, { "title": "https://github.com/bcdannyboy/CVE-2023-44487", "url": "https://github.com/bcdannyboy/CVE-2023-44487" }, { "title": "https://github.com/caddyserver/caddy/issues/5877", "url": "https://github.com/caddyserver/caddy/issues/5877" }, { "title": "https://github.com/eclipse/jetty.project/issues/10679", "url": "https://github.com/eclipse/jetty.project/issues/10679" }, { "title": "https://github.com/envoyproxy/envoy/pull/30055", "url": "https://github.com/envoyproxy/envoy/pull/30055" }, { "title": "https://github.com/haproxy/haproxy/issues/2312", "url": "https://github.com/haproxy/haproxy/issues/2312" }, { "title": "https://github.com/hyperium/hyper/issues/3337", "url": "https://github.com/hyperium/hyper/issues/3337" }, { "title": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "https://github.com/nghttp2/nghttp2/pull/1961", "url": "https://github.com/nghttp2/nghttp2/pull/1961" }, { "title": "https://news.ycombinator.com/item?id=37830987", "url": "https://news.ycombinator.com/item?id=37830987" }, { "title": "https://news.ycombinator.com/item?id=37830998", "url": "https://news.ycombinator.com/item?id=37830998" }, { "title": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/", "url": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/" }, { "title": "https://github.com/grpc/grpc-go/pull/6703", "url": 
"https://github.com/grpc/grpc-go/pull/6703" }, { "title": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1%23L239-L244", "url": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1%23L239-L244" }, { "title": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0", "url": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0" }, { "title": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html", "url": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html" }, { "title": "https://my.f5.com/manage/s/article/K000137106", "url": "https://my.f5.com/manage/s/article/K000137106" }, { "title": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988", "url": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988" }, { "title": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9", "url": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9" }, { "title": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/", "url": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/" }, { "title": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve", "url": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve" }, { "title": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088", "url": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088" }, { "title": "https://github.com/advisories/GHSA-vx74-f528-fxqg", "url": "https://github.com/advisories/GHSA-vx74-f528-fxqg" }, { "title": "https://github.com/apache/trafficserver/pull/10564", "url": "https://github.com/apache/trafficserver/pull/10564" }, { "title": 
"https://github.com/dotnet/announcements/issues/277", "url": "https://github.com/dotnet/announcements/issues/277" }, { "title": "https://github.com/facebook/proxygen/pull/466", "url": "https://github.com/facebook/proxygen/pull/466" }, { "title": "https://github.com/golang/go/issues/63417", "url": "https://github.com/golang/go/issues/63417" }, { "title": "https://github.com/h2o/h2o/pull/3291", "url": "https://github.com/h2o/h2o/pull/3291" }, { "title": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf", "url": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf" }, { "title": "https://github.com/micrictor/http2-rst-stream", "url": "https://github.com/micrictor/http2-rst-stream" }, { "title": "https://github.com/microsoft/CBL-Mariner/pull/6381", "url": "https://github.com/microsoft/CBL-Mariner/pull/6381" }, { "title": "https://github.com/nodejs/node/pull/50121", "url": "https://github.com/nodejs/node/pull/50121" }, { "title": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo", "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo" }, { "title": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487" }, { "title": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/", "url": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/" }, { "title": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q", "url": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q" }, { "title": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected", "url": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected" }, { "title": "https://tomcat.apache.org/security-10.html%23Fixed_in_Apache_Tomcat_10.1.14", "url": 
"https://tomcat.apache.org/security-10.html%23Fixed_in_Apache_Tomcat_10.1.14" }, { "title": "https://www.openwall.com/lists/oss-security/2023/10/10/6", "url": "https://www.openwall.com/lists/oss-security/2023/10/10/6" }, { "title": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1%23L73", "url": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1%23L73" }, { "title": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p", "url": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p" }, { "title": "https://github.com/kubernetes/kubernetes/pull/121120", "url": "https://github.com/kubernetes/kubernetes/pull/121120" }, { "title": "https://github.com/opensearch-project/data-prepper/issues/3474", "url": "https://github.com/opensearch-project/data-prepper/issues/3474" }, { "title": "https://github.com/oqtane/oqtane.framework/discussions/3367", "url": "https://github.com/oqtane/oqtane.framework/discussions/3367" }, { "title": "https://netty.io/news/2023/10/10/4-1-100-Final.html", "url": "https://netty.io/news/2023/10/10/4-1-100-Final.html" }, { "title": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487", "url": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487" }, { "title": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack", "url": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack" }, { "title": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c%23L1101-L1113", "url": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c%23L1101-L1113" }, { "title": 
"https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1", "url": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1" }, { "title": "https://github.com/kazu-yamamoto/http2/issues/93", "url": "https://github.com/kazu-yamamoto/http2/issues/93" }, { "title": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html", "url": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html" }, { "title": "https://news.ycombinator.com/item?id=37837043", "url": "https://news.ycombinator.com/item?id=37837043" }, { "title": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487", "url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487" }, { "title": "https://www.debian.org/security/2023/dsa-5521", "url": "https://www.debian.org/security/2023/dsa-5521" }, { "title": "https://www.debian.org/security/2023/dsa-5522", "url": "https://www.debian.org/security/2023/dsa-5522" }, { "title": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/", "url": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/" }, { "title": "https://access.redhat.com/security/cve/cve-2023-44487", "url": "https://access.redhat.com/security/cve/cve-2023-44487" }, { "title": "https://blog.vespa.ai/cve-2023-44487/", "url": "https://blog.vespa.ai/cve-2023-44487/" }, { "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803" }, { "title": "https://bugzilla.suse.com/show_bug.cgi?id=1216123", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1216123" }, { "title": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125", "url": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125" }, { "title": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", 
"url": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3" }, { "title": "https://github.com/etcd-io/etcd/issues/16740", "url": "https://github.com/etcd-io/etcd/issues/16740" }, { "title": "https://github.com/junkurihara/rust-rpxy/issues/97", "url": "https://github.com/junkurihara/rust-rpxy/issues/97" }, { "title": "https://github.com/ninenines/cowboy/issues/1615", "url": "https://github.com/ninenines/cowboy/issues/1615" }, { "title": "https://github.com/tempesta-tech/tempesta/issues/1986", "url": "https://github.com/tempesta-tech/tempesta/issues/1986" }, { "title": "https://github.com/varnishcache/varnish-cache/issues/3996", "url": "https://github.com/varnishcache/varnish-cache/issues/3996" }, { "title": "https://istio.io/latest/news/security/istio-security-2023-004/", "url": "https://istio.io/latest/news/security/istio-security-2023-004/" }, { "title": "https://ubuntu.com/security/CVE-2023-44487", "url": "https://ubuntu.com/security/CVE-2023-44487" }, { "title": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event", "url": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event" }, { "title": "https://github.com/apache/httpd-site/pull/10", "url": "https://github.com/apache/httpd-site/pull/10" }, { "title": "https://github.com/line/armeria/pull/5232", "url": "https://github.com/line/armeria/pull/5232" }, { "title": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632", "url": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632" }, { "title": "https://github.com/projectcontour/contour/pull/5826", "url": "https://github.com/projectcontour/contour/pull/5826" }, { "title": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/", "url": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/" }, { "title": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", 
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<1.57.0-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Resource Exhaustion", "upgradePath": [], "version": "1.55.1-r0" } ] }, "created_at": 1697100518.0060334, "has_audit_package": true } }, "git_commit_info": { "sha1": "a6d085f22f1ba4c4097d1dd1086a0ed3b6703641", "message": "Dockerfile: add base-image env-var", "author": "JonJagger <jon@kosli.com>", "timestamp": 1696305187, "branch": "main" }, "repo_url": "https://github.com/cyber-dojo/web", "template": [ "artifact", "snyk-scan" ], "last_modified_at": 1697100518.0060334, "deployments": [ 91, 90 ], "state": "NON-COMPLIANT", "html_url": "https://app.kosli.com/cyber-dojo/flows/web-archived-at-1709658792/artifacts/7ef0a70593852064b16c4cc36800551f0776c030eca8f5265669ddb7a8cebbaf", "api_url": "https://app.kosli.com/api/v2/artifacts/cyber-dojo/web-archived-at-1709658792/fingerprint/7ef0a70593852064b16c4cc36800551f0776c030eca8f5265669ddb7a8cebbaf" }
Artifact Information |
|
Name | cyberdojo/web:a6d085f |
Fingerprint | 7ef0a70593852064b16c4cc36800551f0776c030eca8f5265669ddb7a8cebbaf |
Git commit |
a6d085f
JonJagger <jon@kosli.com> (main)
1696305187.0 • 7 months ago
Dockerfile: add base-image env-var
|
CI Build | https://github.com/cyber-dojo/web/actions/runs/6388442543 |
Running | - |
Exited | aws-beta#1876 aws-prod#1148 |
Last modified | 1697100518.0060334 • 7 months ago |
Approvals
None |
Evidence
Evidence for 'snyk-scan'
{ "evidence_type": "snyk", "name": "snyk-scan", "is_compliant": false, "build_url": "https://github.com/cyber-dojo/snyk_scans/actions/runs/6493367229", "evidence_archive_fingerprint": "34d3bc749763936d301cce3ae3a5b4ff9acda265357ee79887b9ef91d1d8d456", "user_data": {}, "snyk_results": { "dependencyCount": 51, "docker": { "baseImage": "alpine:3.18.4", "baseImageRemediation": { "advice": [ { "bold": true, "message": "According to our scan, you are currently using the most secure version of the selected base image" } ], "code": "NO_REMEDIATION_AVAILABLE" }, "binariesVulns": { "affectedPkgs": {}, "issuesData": {} } }, "filesystemPolicy": true, "filtered": { "ignore": [], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": 
{ "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": false, "org": "jonjagger", "packageManager": "apk", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/web:a6d085f@sha256:7ef0a70593852064b16c4cc36800551f0776c030eca8f5265669ddb7a8cebbaf/web:a6d085f", "platform": "linux/amd64", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n", "projectName": "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/web:a6d085f", "severityThreshold": "medium", "summary": "6 medium or high or critical severity vulnerable dependency paths", "uniqueCount": 2, "vulnerabilities": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L/E:P", "cpes": [], "creationTime": "2023-10-11T11:45:04.817337Z", "credit": [], "cvssDetails": [], "cvssScore": 7.7, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `curl` package and not the `curl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nA heap-based buffer overflow can occur in the `SOCKS5` proxy handshake process when the hostname is longer than the target buffer.\nThe local variable `socks5_resolve_local` could get the wrong value during a slow SOCKS5 handshake.\nSince the code wrongly thinks it should pass on the hostname, even though the hostname is too long to fit, the memory copy can overflow the allocated target buffer. 
\n\nThis is only exploitable if the SOCKS5 handshake is slow enough to trigger a local variable bug and the client uses a hostname longer than the download buffer.\n\nExploiting this vulnerability could allow an attacker to execute arbitrary code on the target system under certain conditions.\n\n\n**Note:**\n\nAn overflow is only possible in applications that don't set `CURLOPT_BUFFERSIZE` or set it smaller than 65541. \nSince the curl tool sets `CURLOPT_BUFFERSIZE` to 100kB by default, it is not vulnerable unless the user sets the rate limiting to a rate smaller than 65541 bytes/second.\n\nThe options that cause SOCKS5 with remote hostname to be used in `libcurl`:\n\n1) `CURLOPT_PROXYTYPE` set to type `CURLPROXY_SOCKS5_HOSTNAME`, or:\n`CURLOPT_PROXY` or `CURLOPT_PRE_PROXY` set to use the scheme `socks5h://`\n\n2) One of the proxy environment variables can be set to use the `socks5h://` scheme. For example, `http_proxy`, `HTTPS_PROXY` or `ALL_PROXY`.\n\n\nThe options that cause SOCKS5 with remote hostname to be used in the `curl` tool:\n\n1) `--socks5-hostname`, `--proxy` or `--preproxy` set to use the scheme `socks5h://`\n\n2) Environment variables as described in the libcurl section.\n\n\n\n**Changelog:**\n\n2023-10-04: Initial publication\n\n2023-10-11: Published updated information, including CWE, CVSS, official references and affected versions range.\n## Remediation\nUpgrade `Alpine:3.18` `curl` to version 8.4.0-r0 or higher.\n", "disclosureTime": null, "epssDetails": null, "exploit": "Proof of Concept", "fixedIn": [ "8.4.0-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/web:a6d085f@*", "curl/libcurl@8.3.0-r0" ], "id": "SNYK-ALPINE318-CURL-5958913", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-38545" ], "CWE": [ "CWE-122" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2023-10-12T06:20:00.497141Z", 
"name": "curl/libcurl", "nearestFixedInVersion": "8.4.0-r0", "nvdSeverity": null, "packageManager": "alpine:3.18", "packageName": "curl", "patches": [], "publicationTime": "2023-10-11T11:43:48.209416Z", "references": [], "relativeImportance": null, "semver": { "vulnerable": [ "<8.4.0-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Heap-based Buffer Overflow", "upgradePath": [ false, "curl/libcurl@8.4.0-r0" ], "version": "8.3.0-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L/E:P", "cpes": [], "creationTime": "2023-10-11T11:45:04.817337Z", "credit": [], "cvssDetails": [], "cvssScore": 7.7, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `curl` package and not the `curl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nA heap-based buffer overflow can occur in the `SOCKS5` proxy handshake process when the hostname is longer than the target buffer.\nThe local variable `socks5_resolve_local` could get the wrong value during a slow SOCKS5 handshake.\nSince the code wrongly thinks it should pass on the hostname, even though the hostname is too long to fit, the memory copy can overflow the allocated target buffer. \n\nThis is only exploitable if the SOCKS5 handshake is slow enough to trigger a local variable bug and the client uses a hostname longer than the download buffer.\n\nExploiting this vulnerability could allow an attacker to execute arbitrary code on the target system under certain conditions.\n\n\n**Note:**\n\nAn overflow is only possible in applications that don't set `CURLOPT_BUFFERSIZE` or set it smaller than 65541. 
\nSince the curl tool sets `CURLOPT_BUFFERSIZE` to 100kB by default, it is not vulnerable unless the user sets the rate limiting to a rate smaller than 65541 bytes/second.\n\nThe options that cause SOCKS5 with remote hostname to be used in `libcurl`:\n\n1) `CURLOPT_PROXYTYPE` set to type `CURLPROXY_SOCKS5_HOSTNAME`, or:\n`CURLOPT_PROXY` or `CURLOPT_PRE_PROXY` set to use the scheme `socks5h://`\n\n2) One of the proxy environment variables can be set to use the `socks5h://` scheme. For example, `http_proxy`, `HTTPS_PROXY` or `ALL_PROXY`.\n\n\nThe options that cause SOCKS5 with remote hostname to be used in the `curl` tool:\n\n1) `--socks5-hostname`, `--proxy` or `--preproxy` set to use the scheme `socks5h://`\n\n2) Environment variables as described in the libcurl section.\n\n\n\n**Changelog:**\n\n2023-10-04: Initial publication\n\n2023-10-11: Published updated information, including CWE, CVSS, official references and affected versions range.\n## Remediation\nUpgrade `Alpine:3.18` `curl` to version 8.4.0-r0 or higher.\n", "disclosureTime": null, "epssDetails": null, "exploit": "Proof of Concept", "fixedIn": [ "8.4.0-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/web:a6d085f@*", "curl/curl@8.3.0-r0", "curl/libcurl@8.3.0-r0" ], "id": "SNYK-ALPINE318-CURL-5958913", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-38545" ], "CWE": [ "CWE-122" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-12T06:20:00.497141Z", "name": "curl/libcurl", "nearestFixedInVersion": "8.4.0-r0", "nvdSeverity": null, "packageManager": "alpine:3.18", "packageName": "curl", "patches": [], "publicationTime": "2023-10-11T11:43:48.209416Z", "references": [], "relativeImportance": null, "semver": { "vulnerable": [ "<8.4.0-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Heap-based Buffer 
Overflow", "upgradePath": [], "version": "8.3.0-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L/E:P", "cpes": [], "creationTime": "2023-10-11T11:45:04.817337Z", "credit": [], "cvssDetails": [], "cvssScore": 7.7, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `curl` package and not the `curl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nA heap-based buffer overflow can occur in the `SOCKS5` proxy handshake process when the hostname is longer than the target buffer.\nThe local variable `socks5_resolve_local` could get the wrong value during a slow SOCKS5 handshake.\nSince the code wrongly thinks it should pass on the hostname, even though the hostname is too long to fit, the memory copy can overflow the allocated target buffer. \n\nThis is only exploitable if the SOCKS5 handshake is slow enough to trigger a local variable bug and the client uses a hostname longer than the download buffer.\n\nExploiting this vulnerability could allow an attacker to execute arbitrary code on the target system under certain conditions.\n\n\n**Note:**\n\nAn overflow is only possible in applications that don't set `CURLOPT_BUFFERSIZE` or set it smaller than 65541. \nSince the curl tool sets `CURLOPT_BUFFERSIZE` to 100kB by default, it is not vulnerable unless the user sets the rate limiting to a rate smaller than 65541 bytes/second.\n\nThe options that cause SOCKS5 with remote hostname to be used in `libcurl`:\n\n1) `CURLOPT_PROXYTYPE` set to type `CURLPROXY_SOCKS5_HOSTNAME`, or:\n`CURLOPT_PROXY` or `CURLOPT_PRE_PROXY` set to use the scheme `socks5h://`\n\n2) One of the proxy environment variables can be set to use the `socks5h://` scheme. 
For example, `http_proxy`, `HTTPS_PROXY` or `ALL_PROXY`.\n\n\nThe options that cause SOCKS5 with remote hostname to be used in the `curl` tool:\n\n1) `--socks5-hostname`, `--proxy` or `--preproxy` set to use the scheme `socks5h://`\n\n2) Environment variables as described in the libcurl section.\n\n\n\n**Changelog:**\n\n2023-10-04: Initial publication\n\n2023-10-11: Published updated information, including CWE, CVSS, official references and affected versions range.\n## Remediation\nUpgrade `Alpine:3.18` `curl` to version 8.4.0-r0 or higher.\n", "disclosureTime": null, "epssDetails": null, "exploit": "Proof of Concept", "fixedIn": [ "8.4.0-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/web:a6d085f@*", "git/git@2.40.1-r0", "curl/libcurl@8.3.0-r0" ], "id": "SNYK-ALPINE318-CURL-5958913", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-38545" ], "CWE": [ "CWE-122" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-12T06:20:00.497141Z", "name": "curl/libcurl", "nearestFixedInVersion": "8.4.0-r0", "nvdSeverity": null, "packageManager": "alpine:3.18", "packageName": "curl", "patches": [], "publicationTime": "2023-10-11T11:43:48.209416Z", "references": [], "relativeImportance": null, "semver": { "vulnerable": [ "<8.4.0-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Heap-based Buffer Overflow", "upgradePath": [], "version": "8.3.0-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L/E:P", "cpes": [], "creationTime": "2023-10-11T11:45:04.817337Z", "credit": [], "cvssDetails": [], "cvssScore": 7.7, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `curl` package and not the `curl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and 
status._\n\nA heap-based buffer overflow can occur in the `SOCKS5` proxy handshake process when the hostname is longer than the target buffer.\nThe local variable `socks5_resolve_local` could get the wrong value during a slow SOCKS5 handshake.\nSince the code wrongly thinks it should pass on the hostname, even though the hostname is too long to fit, the memory copy can overflow the allocated target buffer. \n\nThis is only exploitable if the SOCKS5 handshake is slow enough to trigger a local variable bug and the client uses a hostname longer than the download buffer.\n\nExploiting this vulnerability could allow an attacker to execute arbitrary code on the target system under certain conditions.\n\n\n**Note:**\n\nAn overflow is only possible in applications that don't set `CURLOPT_BUFFERSIZE` or set it smaller than 65541. \nSince the curl tool sets `CURLOPT_BUFFERSIZE` to 100kB by default, it is not vulnerable unless the user sets the rate limiting to a rate smaller than 65541 bytes/second.\n\nThe options that cause SOCKS5 with remote hostname to be used in `libcurl`:\n\n1) `CURLOPT_PROXYTYPE` set to type `CURLPROXY_SOCKS5_HOSTNAME`, or:\n`CURLOPT_PROXY` or `CURLOPT_PRE_PROXY` set to use the scheme `socks5h://`\n\n2) One of the proxy environment variables can be set to use the `socks5h://` scheme. 
For example, `http_proxy`, `HTTPS_PROXY` or `ALL_PROXY`.\n\n\nThe options that cause SOCKS5 with remote hostname to be used in the `curl` tool:\n\n1) `--socks5-hostname`, `--proxy` or `--preproxy` set to use the scheme `socks5h://`\n\n2) Environment variables as described in the libcurl section.\n\n\n\n**Changelog:**\n\n2023-10-04: Initial publication\n\n2023-10-11: Published updated information, including CWE, CVSS, official references and affected versions range.\n## Remediation\nUpgrade `Alpine:3.18` `curl` to version 8.4.0-r0 or higher.\n", "disclosureTime": null, "epssDetails": null, "exploit": "Proof of Concept", "fixedIn": [ "8.4.0-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/web:a6d085f@*", "curl/curl@8.3.0-r0" ], "id": "SNYK-ALPINE318-CURL-5958913", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-38545" ], "CWE": [ "CWE-122" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2023-10-12T06:20:00.497141Z", "name": "curl/curl", "nearestFixedInVersion": "8.4.0-r0", "nvdSeverity": null, "packageManager": "alpine:3.18", "packageName": "curl", "patches": [], "publicationTime": "2023-10-11T11:43:48.209416Z", "references": [], "relativeImportance": null, "semver": { "vulnerable": [ "<8.4.0-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Heap-based Buffer Overflow", "upgradePath": [ false, "curl/curl@8.4.0-r0" ], "version": "8.3.0-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "cpes": [], "creationTime": "2023-10-11T04:04:38.629011Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "modificationTime": "2023-10-11T14:31:08.807516Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions 
mentioned in the description apply only to the upstream `nghttp2` package and not the `nghttp2` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nThe HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.\n## Remediation\nUpgrade `Alpine:3.18` `nghttp2` to version 1.57.0-r0 or higher.\n## References\n- [cve@mitre.org](https://aws.amazon.com/security/security-bulletins/AWS-2023-011/)\n- [cve@mitre.org](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [cve@mitre.org](https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/)\n- [cve@mitre.org](https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/)\n- [cve@mitre.org](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37831062)\n- [cve@mitre.org](https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/)\n- [cve@mitre.org](https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack)\n- [cve@mitre.org](https://chaos.social/@icing/111210915918780532)\n- [cve@mitre.org](https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764)\n- [cve@mitre.org](https://github.com/alibaba/tengine/issues/1872)\n- [cve@mitre.org](https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2)\n- [cve@mitre.org](https://github.com/bcdannyboy/CVE-2023-44487)\n- [cve@mitre.org](https://github.com/caddyserver/caddy/issues/5877)\n- [cve@mitre.org](https://github.com/eclipse/jetty.project/issues/10679)\n- [cve@mitre.org](https://github.com/envoyproxy/envoy/pull/30055)\n- [cve@mitre.org](https://github.com/haproxy/haproxy/issues/2312)\n- 
[cve@mitre.org](https://github.com/hyperium/hyper/issues/3337)\n- [cve@mitre.org](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [cve@mitre.org](https://github.com/nghttp2/nghttp2/pull/1961)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37830987)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37830998)\n- [cve@mitre.org](https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/)\n- [cve@mitre.org](https://github.com/grpc/grpc-go/pull/6703)\n- [cve@mitre.org](https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244)\n- [cve@mitre.org](https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0)\n- [cve@mitre.org](https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html)\n- [cve@mitre.org](https://my.f5.com/manage/s/article/K000137106)\n- [cve@mitre.org](https://bugzilla.proxmox.com/show_bug.cgi?id=4988)\n- [cve@mitre.org](https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9)\n- [cve@mitre.org](https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/)\n- [cve@mitre.org](https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve)\n- [cve@mitre.org](https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088)\n- [cve@mitre.org](https://github.com/advisories/GHSA-vx74-f528-fxqg)\n- [cve@mitre.org](https://github.com/apache/trafficserver/pull/10564)\n- [cve@mitre.org](https://github.com/dotnet/announcements/issues/277)\n- [cve@mitre.org](https://github.com/facebook/proxygen/pull/466)\n- [cve@mitre.org](https://github.com/golang/go/issues/63417)\n- [cve@mitre.org](https://github.com/h2o/h2o/pull/3291)\n- [cve@mitre.org](https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf)\n- [cve@mitre.org](https://github.com/micrictor/http2-rst-stream)\n- 
[cve@mitre.org](https://github.com/microsoft/CBL-Mariner/pull/6381)\n- [cve@mitre.org](https://github.com/nodejs/node/pull/50121)\n- [cve@mitre.org](https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo)\n- [cve@mitre.org](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487)\n- [cve@mitre.org](https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/)\n- [cve@mitre.org](https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q)\n- [cve@mitre.org](https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected)\n- [cve@mitre.org](https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14)\n- [cve@mitre.org](https://www.openwall.com/lists/oss-security/2023/10/10/6)\n- [cve@mitre.org](https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73)\n- [cve@mitre.org](https://github.com/advisories/GHSA-xpw8-rcwv-8f8p)\n- [cve@mitre.org](https://github.com/kubernetes/kubernetes/pull/121120)\n- [cve@mitre.org](https://github.com/opensearch-project/data-prepper/issues/3474)\n- [cve@mitre.org](https://github.com/oqtane/oqtane.framework/discussions/3367)\n- [cve@mitre.org](https://netty.io/news/2023/10/10/4-1-100-Final.html)\n- [cve@mitre.org](https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487)\n- [cve@mitre.org](https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack)\n- [cve@mitre.org](https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113)\n- [cve@mitre.org](https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1)\n- [cve@mitre.org](https://github.com/kazu-yamamoto/http2/issues/93)\n- [cve@mitre.org](https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html)\n- 
[cve@mitre.org](https://news.ycombinator.com/item?id=37837043)\n- [cve@mitre.org](https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5521)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5522)\n- [cve@mitre.org](https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/)\n- [cve@mitre.org](https://access.redhat.com/security/cve/cve-2023-44487)\n- [cve@mitre.org](https://blog.vespa.ai/cve-2023-44487/)\n- [cve@mitre.org](https://bugzilla.redhat.com/show_bug.cgi?id=2242803)\n- [cve@mitre.org](https://bugzilla.suse.com/show_bug.cgi?id=1216123)\n- [cve@mitre.org](https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125)\n- [cve@mitre.org](https://github.com/advisories/GHSA-qppj-fm5r-hxr3)\n- [cve@mitre.org](https://github.com/etcd-io/etcd/issues/16740)\n- [cve@mitre.org](https://github.com/junkurihara/rust-rpxy/issues/97)\n- [cve@mitre.org](https://github.com/ninenines/cowboy/issues/1615)\n- [cve@mitre.org](https://github.com/tempesta-tech/tempesta/issues/1986)\n- [cve@mitre.org](https://github.com/varnishcache/varnish-cache/issues/3996)\n- [cve@mitre.org](https://istio.io/latest/news/security/istio-security-2023-004/)\n- [cve@mitre.org](https://ubuntu.com/security/CVE-2023-44487)\n- [cve@mitre.org](https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event)\n- [cve@mitre.org](https://github.com/apache/httpd-site/pull/10)\n- [cve@mitre.org](https://github.com/line/armeria/pull/5232)\n- [cve@mitre.org](https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632)\n- [cve@mitre.org](https://github.com/projectcontour/contour/pull/5826)\n- [cve@mitre.org](https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": 
"2023-10-10T14:15:10.883000Z", "epssDetails": null, "exploit": "High", "fixedIn": [ "1.57.0-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/web:a6d085f@*", "nghttp2/nghttp2-libs@1.55.1-r0" ], "id": "SNYK-ALPINE318-NGHTTP2-5954768", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2023-10-12T01:11:09.035012Z", "name": "nghttp2/nghttp2-libs", "nearestFixedInVersion": "1.57.0-r0", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "nghttp2", "patches": [], "publicationTime": "2023-10-11T04:04:38.608135Z", "references": [ { "title": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/", "url": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/" }, { "title": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/", "url": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/" }, { "title": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/", "url": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/" }, { "title": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "https://news.ycombinator.com/item?id=37831062", "url": "https://news.ycombinator.com/item?id=37831062" }, { "title": 
"https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/", "url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/" }, { "title": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack", "url": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack" }, { "title": "https://chaos.social/@icing/111210915918780532", "url": "https://chaos.social/@icing/111210915918780532" }, { "title": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764", "url": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764" }, { "title": "https://github.com/alibaba/tengine/issues/1872", "url": "https://github.com/alibaba/tengine/issues/1872" }, { "title": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2", "url": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2" }, { "title": "https://github.com/bcdannyboy/CVE-2023-44487", "url": "https://github.com/bcdannyboy/CVE-2023-44487" }, { "title": "https://github.com/caddyserver/caddy/issues/5877", "url": "https://github.com/caddyserver/caddy/issues/5877" }, { "title": "https://github.com/eclipse/jetty.project/issues/10679", "url": "https://github.com/eclipse/jetty.project/issues/10679" }, { "title": "https://github.com/envoyproxy/envoy/pull/30055", "url": "https://github.com/envoyproxy/envoy/pull/30055" }, { "title": "https://github.com/haproxy/haproxy/issues/2312", "url": "https://github.com/haproxy/haproxy/issues/2312" }, { "title": "https://github.com/hyperium/hyper/issues/3337", "url": "https://github.com/hyperium/hyper/issues/3337" }, { "title": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "https://github.com/nghttp2/nghttp2/pull/1961", "url": "https://github.com/nghttp2/nghttp2/pull/1961" }, { "title": 
"https://news.ycombinator.com/item?id=37830987", "url": "https://news.ycombinator.com/item?id=37830987" }, { "title": "https://news.ycombinator.com/item?id=37830998", "url": "https://news.ycombinator.com/item?id=37830998" }, { "title": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/", "url": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/" }, { "title": "https://github.com/grpc/grpc-go/pull/6703", "url": "https://github.com/grpc/grpc-go/pull/6703" }, { "title": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1%23L239-L244", "url": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1%23L239-L244" }, { "title": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0", "url": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0" }, { "title": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html", "url": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html" }, { "title": "https://my.f5.com/manage/s/article/K000137106", "url": "https://my.f5.com/manage/s/article/K000137106" }, { "title": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988", "url": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988" }, { "title": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9", "url": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9" }, { "title": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/", "url": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/" }, { "title": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve", "url": 
"https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve" }, { "title": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088", "url": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088" }, { "title": "https://github.com/advisories/GHSA-vx74-f528-fxqg", "url": "https://github.com/advisories/GHSA-vx74-f528-fxqg" }, { "title": "https://github.com/apache/trafficserver/pull/10564", "url": "https://github.com/apache/trafficserver/pull/10564" }, { "title": "https://github.com/dotnet/announcements/issues/277", "url": "https://github.com/dotnet/announcements/issues/277" }, { "title": "https://github.com/facebook/proxygen/pull/466", "url": "https://github.com/facebook/proxygen/pull/466" }, { "title": "https://github.com/golang/go/issues/63417", "url": "https://github.com/golang/go/issues/63417" }, { "title": "https://github.com/h2o/h2o/pull/3291", "url": "https://github.com/h2o/h2o/pull/3291" }, { "title": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf", "url": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf" }, { "title": "https://github.com/micrictor/http2-rst-stream", "url": "https://github.com/micrictor/http2-rst-stream" }, { "title": "https://github.com/microsoft/CBL-Mariner/pull/6381", "url": "https://github.com/microsoft/CBL-Mariner/pull/6381" }, { "title": "https://github.com/nodejs/node/pull/50121", "url": "https://github.com/nodejs/node/pull/50121" }, { "title": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo", "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo" }, { "title": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487" }, { "title": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/", "url": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/" }, { 
"title": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q", "url": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q" }, { "title": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected", "url": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected" }, { "title": "https://tomcat.apache.org/security-10.html%23Fixed_in_Apache_Tomcat_10.1.14", "url": "https://tomcat.apache.org/security-10.html%23Fixed_in_Apache_Tomcat_10.1.14" }, { "title": "https://www.openwall.com/lists/oss-security/2023/10/10/6", "url": "https://www.openwall.com/lists/oss-security/2023/10/10/6" }, { "title": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1%23L73", "url": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1%23L73" }, { "title": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p", "url": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p" }, { "title": "https://github.com/kubernetes/kubernetes/pull/121120", "url": "https://github.com/kubernetes/kubernetes/pull/121120" }, { "title": "https://github.com/opensearch-project/data-prepper/issues/3474", "url": "https://github.com/opensearch-project/data-prepper/issues/3474" }, { "title": "https://github.com/oqtane/oqtane.framework/discussions/3367", "url": "https://github.com/oqtane/oqtane.framework/discussions/3367" }, { "title": "https://netty.io/news/2023/10/10/4-1-100-Final.html", "url": "https://netty.io/news/2023/10/10/4-1-100-Final.html" }, { "title": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487", "url": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487" }, { "title": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack", "url": 
"https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack" }, { "title": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c%23L1101-L1113", "url": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c%23L1101-L1113" }, { "title": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1", "url": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1" }, { "title": "https://github.com/kazu-yamamoto/http2/issues/93", "url": "https://github.com/kazu-yamamoto/http2/issues/93" }, { "title": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html", "url": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html" }, { "title": "https://news.ycombinator.com/item?id=37837043", "url": "https://news.ycombinator.com/item?id=37837043" }, { "title": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487", "url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487" }, { "title": "https://www.debian.org/security/2023/dsa-5521", "url": "https://www.debian.org/security/2023/dsa-5521" }, { "title": "https://www.debian.org/security/2023/dsa-5522", "url": "https://www.debian.org/security/2023/dsa-5522" }, { "title": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/", "url": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/" }, { "title": "https://access.redhat.com/security/cve/cve-2023-44487", "url": "https://access.redhat.com/security/cve/cve-2023-44487" }, { "title": "https://blog.vespa.ai/cve-2023-44487/", "url": "https://blog.vespa.ai/cve-2023-44487/" }, { "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803", "url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=2242803" }, { "title": "https://bugzilla.suse.com/show_bug.cgi?id=1216123", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1216123" }, { "title": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125", "url": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125" }, { "title": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", "url": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3" }, { "title": "https://github.com/etcd-io/etcd/issues/16740", "url": "https://github.com/etcd-io/etcd/issues/16740" }, { "title": "https://github.com/junkurihara/rust-rpxy/issues/97", "url": "https://github.com/junkurihara/rust-rpxy/issues/97" }, { "title": "https://github.com/ninenines/cowboy/issues/1615", "url": "https://github.com/ninenines/cowboy/issues/1615" }, { "title": "https://github.com/tempesta-tech/tempesta/issues/1986", "url": "https://github.com/tempesta-tech/tempesta/issues/1986" }, { "title": "https://github.com/varnishcache/varnish-cache/issues/3996", "url": "https://github.com/varnishcache/varnish-cache/issues/3996" }, { "title": "https://istio.io/latest/news/security/istio-security-2023-004/", "url": "https://istio.io/latest/news/security/istio-security-2023-004/" }, { "title": "https://ubuntu.com/security/CVE-2023-44487", "url": "https://ubuntu.com/security/CVE-2023-44487" }, { "title": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event", "url": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event" }, { "title": "https://github.com/apache/httpd-site/pull/10", "url": "https://github.com/apache/httpd-site/pull/10" }, { "title": "https://github.com/line/armeria/pull/5232", "url": "https://github.com/line/armeria/pull/5232" }, { "title": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632", "url": 
"https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632" }, { "title": "https://github.com/projectcontour/contour/pull/5826", "url": "https://github.com/projectcontour/contour/pull/5826" }, { "title": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/", "url": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/" }, { "title": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<1.57.0-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Resource Exhaustion", "upgradePath": [ false, "nghttp2/nghttp2-libs@1.57.0-r0" ], "version": "1.55.1-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "cpes": [], "creationTime": "2023-10-11T04:04:38.629011Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "modificationTime": "2023-10-11T14:31:08.807516Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `nghttp2` package and not the `nghttp2` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nThe HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.\n## Remediation\nUpgrade `Alpine:3.18` `nghttp2` to version 1.57.0-r0 or higher.\n## References\n- [cve@mitre.org](https://aws.amazon.com/security/security-bulletins/AWS-2023-011/)\n- [cve@mitre.org](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- 
[cve@mitre.org](https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/)\n- [cve@mitre.org](https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/)\n- [cve@mitre.org](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37831062)\n- [cve@mitre.org](https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/)\n- [cve@mitre.org](https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack)\n- [cve@mitre.org](https://chaos.social/@icing/111210915918780532)\n- [cve@mitre.org](https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764)\n- [cve@mitre.org](https://github.com/alibaba/tengine/issues/1872)\n- [cve@mitre.org](https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2)\n- [cve@mitre.org](https://github.com/bcdannyboy/CVE-2023-44487)\n- [cve@mitre.org](https://github.com/caddyserver/caddy/issues/5877)\n- [cve@mitre.org](https://github.com/eclipse/jetty.project/issues/10679)\n- [cve@mitre.org](https://github.com/envoyproxy/envoy/pull/30055)\n- [cve@mitre.org](https://github.com/haproxy/haproxy/issues/2312)\n- [cve@mitre.org](https://github.com/hyperium/hyper/issues/3337)\n- [cve@mitre.org](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [cve@mitre.org](https://github.com/nghttp2/nghttp2/pull/1961)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37830987)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37830998)\n- [cve@mitre.org](https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/)\n- [cve@mitre.org](https://github.com/grpc/grpc-go/pull/6703)\n- [cve@mitre.org](https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244)\n- 
[cve@mitre.org](https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0)\n- [cve@mitre.org](https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html)\n- [cve@mitre.org](https://my.f5.com/manage/s/article/K000137106)\n- [cve@mitre.org](https://bugzilla.proxmox.com/show_bug.cgi?id=4988)\n- [cve@mitre.org](https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9)\n- [cve@mitre.org](https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/)\n- [cve@mitre.org](https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve)\n- [cve@mitre.org](https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088)\n- [cve@mitre.org](https://github.com/advisories/GHSA-vx74-f528-fxqg)\n- [cve@mitre.org](https://github.com/apache/trafficserver/pull/10564)\n- [cve@mitre.org](https://github.com/dotnet/announcements/issues/277)\n- [cve@mitre.org](https://github.com/facebook/proxygen/pull/466)\n- [cve@mitre.org](https://github.com/golang/go/issues/63417)\n- [cve@mitre.org](https://github.com/h2o/h2o/pull/3291)\n- [cve@mitre.org](https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf)\n- [cve@mitre.org](https://github.com/micrictor/http2-rst-stream)\n- [cve@mitre.org](https://github.com/microsoft/CBL-Mariner/pull/6381)\n- [cve@mitre.org](https://github.com/nodejs/node/pull/50121)\n- [cve@mitre.org](https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo)\n- [cve@mitre.org](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487)\n- [cve@mitre.org](https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/)\n- [cve@mitre.org](https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q)\n- [cve@mitre.org](https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected)\n- 
[cve@mitre.org](https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14)\n- [cve@mitre.org](https://www.openwall.com/lists/oss-security/2023/10/10/6)\n- [cve@mitre.org](https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73)\n- [cve@mitre.org](https://github.com/advisories/GHSA-xpw8-rcwv-8f8p)\n- [cve@mitre.org](https://github.com/kubernetes/kubernetes/pull/121120)\n- [cve@mitre.org](https://github.com/opensearch-project/data-prepper/issues/3474)\n- [cve@mitre.org](https://github.com/oqtane/oqtane.framework/discussions/3367)\n- [cve@mitre.org](https://netty.io/news/2023/10/10/4-1-100-Final.html)\n- [cve@mitre.org](https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487)\n- [cve@mitre.org](https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack)\n- [cve@mitre.org](https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113)\n- [cve@mitre.org](https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1)\n- [cve@mitre.org](https://github.com/kazu-yamamoto/http2/issues/93)\n- [cve@mitre.org](https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37837043)\n- [cve@mitre.org](https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5521)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5522)\n- [cve@mitre.org](https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/)\n- [cve@mitre.org](https://access.redhat.com/security/cve/cve-2023-44487)\n- [cve@mitre.org](https://blog.vespa.ai/cve-2023-44487/)\n- [cve@mitre.org](https://bugzilla.redhat.com/show_bug.cgi?id=2242803)\n- 
[cve@mitre.org](https://bugzilla.suse.com/show_bug.cgi?id=1216123)\n- [cve@mitre.org](https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125)\n- [cve@mitre.org](https://github.com/advisories/GHSA-qppj-fm5r-hxr3)\n- [cve@mitre.org](https://github.com/etcd-io/etcd/issues/16740)\n- [cve@mitre.org](https://github.com/junkurihara/rust-rpxy/issues/97)\n- [cve@mitre.org](https://github.com/ninenines/cowboy/issues/1615)\n- [cve@mitre.org](https://github.com/tempesta-tech/tempesta/issues/1986)\n- [cve@mitre.org](https://github.com/varnishcache/varnish-cache/issues/3996)\n- [cve@mitre.org](https://istio.io/latest/news/security/istio-security-2023-004/)\n- [cve@mitre.org](https://ubuntu.com/security/CVE-2023-44487)\n- [cve@mitre.org](https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event)\n- [cve@mitre.org](https://github.com/apache/httpd-site/pull/10)\n- [cve@mitre.org](https://github.com/line/armeria/pull/5232)\n- [cve@mitre.org](https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632)\n- [cve@mitre.org](https://github.com/projectcontour/contour/pull/5826)\n- [cve@mitre.org](https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:15:10.883000Z", "epssDetails": null, "exploit": "High", "fixedIn": [ "1.57.0-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/web:a6d085f@*", "curl/curl@8.3.0-r0", "curl/libcurl@8.3.0-r0", "nghttp2/nghttp2-libs@1.55.1-r0" ], "id": "SNYK-ALPINE318-NGHTTP2-5954768", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-12T01:11:09.035012Z", "name": 
"nghttp2/nghttp2-libs", "nearestFixedInVersion": "1.57.0-r0", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "nghttp2", "patches": [], "publicationTime": "2023-10-11T04:04:38.608135Z", "references": [ { "title": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/", "url": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/" }, { "title": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/", "url": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/" }, { "title": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/", "url": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/" }, { "title": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "https://news.ycombinator.com/item?id=37831062", "url": "https://news.ycombinator.com/item?id=37831062" }, { "title": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/", "url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/" }, { "title": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack", "url": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack" }, { "title": "https://chaos.social/@icing/111210915918780532", "url": "https://chaos.social/@icing/111210915918780532" }, { "title": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764", "url": 
"https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764" }, { "title": "https://github.com/alibaba/tengine/issues/1872", "url": "https://github.com/alibaba/tengine/issues/1872" }, { "title": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2", "url": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2" }, { "title": "https://github.com/bcdannyboy/CVE-2023-44487", "url": "https://github.com/bcdannyboy/CVE-2023-44487" }, { "title": "https://github.com/caddyserver/caddy/issues/5877", "url": "https://github.com/caddyserver/caddy/issues/5877" }, { "title": "https://github.com/eclipse/jetty.project/issues/10679", "url": "https://github.com/eclipse/jetty.project/issues/10679" }, { "title": "https://github.com/envoyproxy/envoy/pull/30055", "url": "https://github.com/envoyproxy/envoy/pull/30055" }, { "title": "https://github.com/haproxy/haproxy/issues/2312", "url": "https://github.com/haproxy/haproxy/issues/2312" }, { "title": "https://github.com/hyperium/hyper/issues/3337", "url": "https://github.com/hyperium/hyper/issues/3337" }, { "title": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "https://github.com/nghttp2/nghttp2/pull/1961", "url": "https://github.com/nghttp2/nghttp2/pull/1961" }, { "title": "https://news.ycombinator.com/item?id=37830987", "url": "https://news.ycombinator.com/item?id=37830987" }, { "title": "https://news.ycombinator.com/item?id=37830998", "url": "https://news.ycombinator.com/item?id=37830998" }, { "title": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/", "url": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/" }, { "title": "https://github.com/grpc/grpc-go/pull/6703", "url": 
"https://github.com/grpc/grpc-go/pull/6703" }, { "title": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1%23L239-L244", "url": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1%23L239-L244" }, { "title": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0", "url": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0" }, { "title": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html", "url": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html" }, { "title": "https://my.f5.com/manage/s/article/K000137106", "url": "https://my.f5.com/manage/s/article/K000137106" }, { "title": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988", "url": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988" }, { "title": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9", "url": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9" }, { "title": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/", "url": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/" }, { "title": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve", "url": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve" }, { "title": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088", "url": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088" }, { "title": "https://github.com/advisories/GHSA-vx74-f528-fxqg", "url": "https://github.com/advisories/GHSA-vx74-f528-fxqg" }, { "title": "https://github.com/apache/trafficserver/pull/10564", "url": "https://github.com/apache/trafficserver/pull/10564" }, { "title": 
"https://github.com/dotnet/announcements/issues/277", "url": "https://github.com/dotnet/announcements/issues/277" }, { "title": "https://github.com/facebook/proxygen/pull/466", "url": "https://github.com/facebook/proxygen/pull/466" }, { "title": "https://github.com/golang/go/issues/63417", "url": "https://github.com/golang/go/issues/63417" }, { "title": "https://github.com/h2o/h2o/pull/3291", "url": "https://github.com/h2o/h2o/pull/3291" }, { "title": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf", "url": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf" }, { "title": "https://github.com/micrictor/http2-rst-stream", "url": "https://github.com/micrictor/http2-rst-stream" }, { "title": "https://github.com/microsoft/CBL-Mariner/pull/6381", "url": "https://github.com/microsoft/CBL-Mariner/pull/6381" }, { "title": "https://github.com/nodejs/node/pull/50121", "url": "https://github.com/nodejs/node/pull/50121" }, { "title": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo", "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo" }, { "title": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487" }, { "title": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/", "url": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/" }, { "title": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q", "url": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q" }, { "title": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected", "url": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected" }, { "title": "https://tomcat.apache.org/security-10.html%23Fixed_in_Apache_Tomcat_10.1.14", "url": 
"https://tomcat.apache.org/security-10.html%23Fixed_in_Apache_Tomcat_10.1.14" }, { "title": "https://www.openwall.com/lists/oss-security/2023/10/10/6", "url": "https://www.openwall.com/lists/oss-security/2023/10/10/6" }, { "title": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1%23L73", "url": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1%23L73" }, { "title": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p", "url": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p" }, { "title": "https://github.com/kubernetes/kubernetes/pull/121120", "url": "https://github.com/kubernetes/kubernetes/pull/121120" }, { "title": "https://github.com/opensearch-project/data-prepper/issues/3474", "url": "https://github.com/opensearch-project/data-prepper/issues/3474" }, { "title": "https://github.com/oqtane/oqtane.framework/discussions/3367", "url": "https://github.com/oqtane/oqtane.framework/discussions/3367" }, { "title": "https://netty.io/news/2023/10/10/4-1-100-Final.html", "url": "https://netty.io/news/2023/10/10/4-1-100-Final.html" }, { "title": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487", "url": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487" }, { "title": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack", "url": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack" }, { "title": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c%23L1101-L1113", "url": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c%23L1101-L1113" }, { "title": 
"https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1", "url": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1" }, { "title": "https://github.com/kazu-yamamoto/http2/issues/93", "url": "https://github.com/kazu-yamamoto/http2/issues/93" }, { "title": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html", "url": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html" }, { "title": "https://news.ycombinator.com/item?id=37837043", "url": "https://news.ycombinator.com/item?id=37837043" }, { "title": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487", "url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487" }, { "title": "https://www.debian.org/security/2023/dsa-5521", "url": "https://www.debian.org/security/2023/dsa-5521" }, { "title": "https://www.debian.org/security/2023/dsa-5522", "url": "https://www.debian.org/security/2023/dsa-5522" }, { "title": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/", "url": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/" }, { "title": "https://access.redhat.com/security/cve/cve-2023-44487", "url": "https://access.redhat.com/security/cve/cve-2023-44487" }, { "title": "https://blog.vespa.ai/cve-2023-44487/", "url": "https://blog.vespa.ai/cve-2023-44487/" }, { "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803" }, { "title": "https://bugzilla.suse.com/show_bug.cgi?id=1216123", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1216123" }, { "title": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125", "url": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125" }, { "title": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", 
"url": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3" }, { "title": "https://github.com/etcd-io/etcd/issues/16740", "url": "https://github.com/etcd-io/etcd/issues/16740" }, { "title": "https://github.com/junkurihara/rust-rpxy/issues/97", "url": "https://github.com/junkurihara/rust-rpxy/issues/97" }, { "title": "https://github.com/ninenines/cowboy/issues/1615", "url": "https://github.com/ninenines/cowboy/issues/1615" }, { "title": "https://github.com/tempesta-tech/tempesta/issues/1986", "url": "https://github.com/tempesta-tech/tempesta/issues/1986" }, { "title": "https://github.com/varnishcache/varnish-cache/issues/3996", "url": "https://github.com/varnishcache/varnish-cache/issues/3996" }, { "title": "https://istio.io/latest/news/security/istio-security-2023-004/", "url": "https://istio.io/latest/news/security/istio-security-2023-004/" }, { "title": "https://ubuntu.com/security/CVE-2023-44487", "url": "https://ubuntu.com/security/CVE-2023-44487" }, { "title": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event", "url": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event" }, { "title": "https://github.com/apache/httpd-site/pull/10", "url": "https://github.com/apache/httpd-site/pull/10" }, { "title": "https://github.com/line/armeria/pull/5232", "url": "https://github.com/line/armeria/pull/5232" }, { "title": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632", "url": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632" }, { "title": "https://github.com/projectcontour/contour/pull/5826", "url": "https://github.com/projectcontour/contour/pull/5826" }, { "title": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/", "url": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/" }, { "title": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", 
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<1.57.0-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Resource Exhaustion", "upgradePath": [], "version": "1.55.1-r0" } ] }, "created_at": 1697100518.0060334, "has_audit_package": true }