How severe is CVE-2024-45397?

This vulnerability has a severity rating of HIGH with a CVSS score of 7.5 out of 10.

What type of vulnerability is CVE-2024-45397?

This is classified as CWE-284, which is a common weakness in software security.

CVE-2024-45397 - HIGH Severity | CVSS 7.5

Vulnerability Description

h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When an HTTP request using TLS/1.3 early data on top of TCP Fast Open or QUIC 0-RTT packets is received and the IP-address-based access control is used, the access control does not detect and prohibit HTTP requests conveyed by packets with a spoofed source address. This behavior allows attackers on the network to execute HTTP requests from addresses that are otherwise rejected by the address-based access control. The vulnerability has been addressed in commit 15ed15a. Users may disable the use of TCP FastOpen and QUIC to mitigate the issue.

Related Vulnerabilities

CVE-2010-2232

HIGH

CVSS:7.5(High)

In Apache Derby 10.1.2.1, 10.2.2.0, 10.3.1.4, and 10.4.1.3, Export processing may allow an attacker to overwrite an existing file.

CWE-2842010

CVE-2012-4380

HIGH

CVSS:7.5(High)

MediaWiki before 1.18.5, and 1.19.x before 1.19.2 allows remote attackers to bypass GlobalBlocking extension IP address blocking and create an account via unspecified vectors.

CWE-2842012

CVE-2013-2972

HIGH

CVSS:7.5(High)

IBM WebSphere Cast Iron 6.3 allows remote attackers to bypass intended access restrictions via unspecified vectors. IBM X-Force ID: 83868.

CWE-2842013

CVE-2014-3929

HIGH

CVSS:7.5(High)

The default configuration for Cougar-LG stores sensitive information under the web root with insufficient access control, which might allow remote attackers to obtain private ssh keys.

CWE-2842014

CVE-2014-3930

HIGH

CVSS:7.5(High)

lg.pl in Cistron-LG 1.01 stores sensitive information under the web root with insufficient access controls, which allows remote attackers to obtain IP addresses and other unspecified router credential...

CWE-2842014

CVE-2014-9504

HIGH

CVSS:7.5(High)

The OG Subgroups module, when used with the Open Atrium module 7.x-2.x before 7.x-2.26 for Drupal, allows remote attackers to access child groups via vectors related to membership inheritance.

CWE-2842014