CVE-2024-45403

HIGH Year: 2024
CVSS v3 Score
7.5
High
Weakness Type
CWE-617
View all →

Vulnerability Description

h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When h2o is configured as a reverse proxy and HTTP/3 requests are cancelled by the client, h2o might crash due to an assertion failure. The crash can be exploited by an attacker to mount a Denial-of-Service attack. By default, the h2o standalone server automatically restarts, minimizing the impact. However, HTTP requests that were served concurrently will still be disrupted. The vulnerability has been addressed in commit 1ed32b2. Users may disable the use of HTTP/3 to mitigate the issue.

Related Vulnerabilities

CVE-2006-4095

HIGH
CVSS:7.5(High)

BIND before 9.2.6-P1 and 9.3.x before 9.3.2-P1 allows remote attackers to cause a denial of service (crash) via certain SIG queries, which cause an assertion failure when multiple RRsets are returned.

CWE-6172006

CVE-2006-5779

HIGH
CVSS:7.5(High)

OpenLDAP before 2.3.29 allows remote attackers to cause a denial of service (daemon crash) via LDAP BIND requests with long authcid names, which triggers an assertion failure.

CWE-6172006

CVE-2006-6767

HIGH
CVSS:7.5(High)

oftpd before 0.3.7 allows remote attackers to cause a denial of service (daemon abort) via a (1) LPRT or (2) LPASV command with an unsupported address family, which triggers an assertion failure.

CWE-6172006

CVE-2011-3596

HIGH
CVSS:7.5(High)

Polipo before 1.0.4.1 suffers from a DoD vulnerability via specially-crafted HTTP POST / PUT request.

CWE-6172011

CVE-2015-8012

HIGH
CVSS:7.5(High)

lldpd before 0.8.0 allows remote attackers to cause a denial of service (assertion failure and daemon crash) via a malformed packet.

CWE-6172015

CVE-2016-8864

HIGH
CVSS:7.5(High)

named in ISC BIND 9.x before 9.9.9-P4, 9.10.x before 9.10.4-P4, and 9.11.x before 9.11.0-P1 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a DNAME record ...

CWE-6172016