Description

h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When an HTTP request using TLS/1.3 early data on top of TCP Fast Open or QUIC 0-RTT packets is received and the IP-address-based access control is used, the access control does not detect and prohibit HTTP requests conveyed by packets with a spoofed source address. This behavior allows attackers on the network to execute HTTP requests from addresses that are otherwise rejected by the address-based access control. The vulnerability has been addressed in commit 15ed15a. Users may disable the use of TCP FastOpen and QUIC to mitigate the issue.

INFO

Published Date :

2024-10-11T14:24:57.687Z

Last Modified :

2024-10-11T14:42:24.963Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-45397 vulnerability.

Vendors Products
Dena
  • H2o
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-45397.

URL Resource
https://github.com/h2o/h2o/commit/15ed15a2efb83a77bb4baaa5a119e639c2f6898a cve-icon cve-icon
https://github.com/h2o/h2o/security/advisories/GHSA-jf2c-xjcp-wg4c cve-icon cve-icon
https://h2o.examp1e.net/configure/http3_directives.html cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact