CVE-2023-30847

2023-04-2715:15:13

Debian Security Bug Tracker

security-tracker.debian.org

h2o http server

reverse proxy

vulnerability

cve-2023-30847

http request

pull request

commit

upgrade

information leak

crash

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

0.002 Low

EPSS

Percentile

58.8%

JSON

H2O is an HTTP server. In versions 2.3.0-beta2 and prior, when the reverse proxy handler tries to processes a certain type of invalid HTTP request, it tries to build an upstream URL by reading from uninitialized pointer. This behavior can lead to crashes or leak of information to back end HTTP servers. Pull request number 3229 fixes the issue. The pull request has been merged to the master branch in commit f010336. Users should upgrade to commit f010336 or later.

OSVersionArchitecturePackageVersionFilename
Debian12allh2o< 2.2.5+dfsg2-7h2o_2.2.5+dfsg2-7_all.deb
Debian11allh2o< 2.2.5+dfsg2-6h2o_2.2.5+dfsg2-6_all.deb
Debian999allh2o< 2.2.5+dfsg2-8.1h2o_2.2.5+dfsg2-8.1_all.deb
Debian13allh2o< 2.2.5+dfsg2-8.1h2o_2.2.5+dfsg2-8.1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	h2o	< 2.2.5+dfsg2-7	h2o_2.2.5+dfsg2-7_all.deb
Debian	11	all	h2o	< 2.2.5+dfsg2-6	h2o_2.2.5+dfsg2-6_all.deb
Debian	999	all	h2o	< 2.2.5+dfsg2-8.1	h2o_2.2.5+dfsg2-8.1_all.deb
Debian	13	all	h2o	< 2.2.5+dfsg2-8.1	h2o_2.2.5+dfsg2-8.1_all.deb