CVE-2024-45397

Oct. 15, 2024, 12:58 p.m.

5.9
Medium

Description

h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When an HTTP request using TLS/1.3 early data on top of TCP Fast Open or QUIC 0-RTT packets is received and the IP-address-based access control is used, the access control does not detect and prohibit HTTP requests conveyed by packets with a spoofed source address. This behavior allows attackers on the network to execute HTTP requests from addresses that are otherwise rejected by the address-based access control. The vulnerability has been addressed in commit 15ed15a. Users may disable the use of TCP FastOpen and QUIC to mitigate the issue.

Product(s) Impacted

Product Versions
h2o
  • []

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-284
Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References

https://github.com/h2o/h2o/commit/15ed15a2efb83a77bb4baaa5a119e639c2f6898a
https://github.com/h2o/h2o/security/advisories/GHSA-jf2c-xjcp-wg4c
https://h2o.examp1e.net/configure/http3_directives.html

Tags

CWE-284
security-advisories@github.com
2024-10-11
CVE-2024-45397

CVSS Score

5.9 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: NONE
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

    View Vector String

Timeline

Published: Oct. 11, 2024, 3:15 p.m.
Last Modified: Oct. 15, 2024, 12:58 p.m.

Status : Undergoing Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.