CVE-2023-30847

EUVD-2023-35199

27.04.2023, 15:15

H2O is an HTTP server. In versions 2.3.0-beta2 and prior, when the reverse proxy handler tries to processes a certain type of invalid HTTP request, it tries to build an upstream URL by reading from uninitialized pointer. This behavior can lead to crashes or leak of information to back end HTTP servers. Pull request  number 3229 fixes the issue. The pull request has been merged to the `master` branch in commit f010336. Users should upgrade to commit f010336 or later.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.2 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
GitHub_M	CNA	8.2 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 56%

Affected Products (NVD)

Vendor	Product	Version
dena	h2o	𝑥 ≤ 2.2.6
dena	h2o	2.3.0:beta1
dena	h2o	2.3.0:beta2

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

h2o

bookworm	2.2.5+dfsg2-7 fixed
bullseye	2.2.5+dfsg2-6 fixed
sid	2.2.5+dfsg2-11 fixed
trixie	2.2.5+dfsg2-9 fixed

Ubuntu Releases

Ubuntu Product

Codename

h2o

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
kinetic	ignored
lunar	ignored
mantic	ignored
noble	needs-triage
oracular	needs-triage
trusty	ignored
xenial	ignored

Common Weakness Enumeration

CWE-824 - Access of Uninitialized Pointer
The program accesses or uses a pointer that has not been initialized.

References

https://github.com/h2o/h2o/commit/f010336bab162839df43d9e87570897466c97e33

https://github.com/h2o/h2o/pull/3229

https://github.com/h2o/h2o/security/advisories/GHSA-p5hj-phwj-hrvx

https://github.com/h2o/h2o/commit/f010336bab162839df43d9e87570897466c97e33

https://github.com/h2o/h2o/pull/3229

https://github.com/h2o/h2o/security/advisories/GHSA-p5hj-phwj-hrvx