How severe is CVE-2021-43848?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 5.9 out of 10.

What type of vulnerability is CVE-2021-43848?

This is classified as CWE-908, which is a common weakness in software security.

CVE-2021-43848

MEDIUM Year: 2021

CVSS v3 Score

5.9

Medium

CVSS v2 Score

4.3

Medium

Weakness Type

CWE-908

View all →

Vulnerability Description

h2o is an open source http server. In code prior to the `8c0eca3` commit h2o may attempt to access uninitialized memory. When receiving QUIC frames in certain order, HTTP/3 server-side implementation of h2o can be misguided to treat uninitialized memory as HTTP/3 frames that have been received. When h2o is used as a reverse proxy, an attacker can abuse this vulnerability to send internal state of h2o to backend servers controlled by the attacker or third party. Also, if there is an HTTP endpoint that reflects the traffic sent from the client, an attacker can use that reflector to obtain internal state of h2o. This internal state includes traffic of other connections in unencrypted form and TLS session tickets. This vulnerability exists in h2o server with HTTP/3 support, between commit 93af138 and d1f0f65. None of the released versions of h2o are affected by this vulnerability. There are no known workarounds. Users of unreleased versions of h2o using HTTP/3 are advised to upgrade immediately.

CVE-2019-18603

MEDIUM

CVSS:5.9(Medium)

OpenAFS before 1.6.24 and 1.8.x before 1.8.5 is prone to information leakage upon certain error conditions because uninitialized RPC output variables are sent over the network to a peer.

CWE-9082019

CVE-2020-14703

MEDIUM

CVSS:6.0(Medium)

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 5.2.44, prior to 6.0.24 and prior to 6.1.12. Easily expl...

CWE-9082020

CVE-2020-14704

MEDIUM

CVSS:6.0(Medium)

CWE-9082020

CVE-2021-31423

MEDIUM

CVSS:6.0(Medium)

This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Desktop 15.1.5-47309. An attacker must first obtain the ability to execute high-privi...

CWE-9082021

CVE-2020-35494

MEDIUM

CVSS:6.1(Medium)

There's a flaw in binutils /opcodes/tic4x-dis.c. An attacker who is able to submit a crafted input file to be processed by binutils could cause usage of uninitialized memory. The highest threat is to ...

CWE-9082020

CVE-2024-57874

MEDIUM

CVSS:6.1(Medium)

In the Linux kernel, the following vulnerability has been resolved: arm64: ptrace: fix partial SETREGSET for NT_ARM_TAGGED_ADDR_CTRL Currently tagged_addr_ctrl_set() doesn't initialize the temporary '...

CWE-9082024

CVE-2021-43848

Vulnerability Description

Related Vulnerabilities

CVE-2019-18603

CVE-2020-14703

CVE-2020-14704

CVE-2021-31423

CVE-2020-35494

CVE-2024-57874