CVE-2024-45403

LOW
Published Oct 11, 2024 Modified Nov 12, 2024 CWE-617

Description

h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When h2o is configured as a reverse proxy and HTTP/3 requests are cancelled by the client, h2o might crash due to an assertion failure. The crash can be exploited by an attacker to mount a Denial-of-Service attack. By default, the h2o standalone server automatically restarts, minimizing the impact. However, HTTP requests that were served concurrently will still be disrupted. The vulnerability has been addressed in commit 1ed32b2. Users may disable the use of HTTP/3 to mitigate the issue.

CVSS v3.1 Score

3.7
LOW
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Weakness Type (CWE)

CWE-617 CWE-617

Affected Products

Vendor Product
dena h2o

References

Frequently Asked Questions

What is CVE-2024-45403? +
h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When h2o is configured as a reverse proxy and HTTP/3 requests are cancelled by the client, h2o might crash due to an assertion failure. The crash can be exploited by an attacker to mount a Denial-of-Service attack. By default, the h2o standalone server automatically restarts, minimizing the impact. However, HTTP requests that were served concurrently will still be disrupted. The vulnerability has been addressed in commit 1ed32b2. Users may disable the use of HTTP/3 to mitigate the issue. It has a CVSS v3.1 base score of 3.7 (LOW).
How severe is CVE-2024-45403? +
CVE-2024-45403 has a CVSS v3.1 score of 3.7 out of 10, rated LOW. This is a low-severity vulnerability with limited impact.
What products are affected by CVE-2024-45403? +
CVE-2024-45403 affects products from dena, specifically: h2o. Check the affected products table above for specific version ranges.
How do I check if I'm vulnerable to CVE-2024-45403? +
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

Don't wait for an exploit

Scan your website for vulnerabilities like CVE-2024-45403 — free, no signup required.

Start Free Scan