CVE-2023-50247

CVSS 3.1 Score 7.5 of 10 (high)

Details

Published Dec 12, 2023

Updated: Dec 19, 2023

CWE ID 770

Summary

CVE-2023-50247 affects version 2.3.0-beta and prior of the h2o HTTP server, which uses the quicly stack for HTTP/3. A remote attacker can exploit a state exhaustion vulnerability in this stack, causing H2O to retain progressively more memory and ultimately abort due to memory exhaustion. This issue is specific to HTTP/3 and does not impact HTTP/1 or HTTP/2. The vulnerability has been resolved in commit d67e81d03be12a9d53dc8271af6530f40164cd35. To mitigate the issue without upgrading, administrators can disable HTTP/3 support in their h2o configurations.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Dena H2o

Affected Vendors

Dena

Advisories, Assessments, and Mitigations

https://app.recordedfuture.com/live/sc/entity/tsu09K
https://www.cve.org/CVERecord?id=CVE-2023-50247
https://nvd.nist.gov/vuln/detail/CVE-2023-50247

Back to Vulnerability Database