CVE-2023-30847

2023-04-2715:15:13

CWE-824

[email protected]

web.nvd.nist.gov

h2o server

http

reverse proxy

upstream url

uninitialized pointer

pull request

commit f010336

security vulnerability

information leak

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

8.1 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

58.8%

JSON

H2O is an HTTP server. In versions 2.3.0-beta2 and prior, when the reverse proxy handler tries to processes a certain type of invalid HTTP request, it tries to build an upstream URL by reading from uninitialized pointer. This behavior can lead to crashes or leak of information to back end HTTP servers. Pull request number 3229 fixes the issue. The pull request has been merged to the master branch in commit f010336. Users should upgrade to commit f010336 or later.