search

cgpu / staries

The *ies. A series of <star>-ies util snippets, scripts or templates that I use day to day.
4 stars 1 forks source link

CVE-2023-44487 (High) detected in libnghttp2-1.46.0-h812cca2_0.tar.bz2 #218

Closed mend-bolt-for-github[bot] closed 1 month ago

mend-bolt-for-github[bot] commented 5 months ago

CVE-2023-44487 - High Severity Vulnerability

Vulnerable Library - libnghttp2-1.46.0-h812cca2_0.tar.bz2

This is an implementation of Hypertext Transfer Protocol version 2.

Library home page: https://api.anaconda.org/download/conda-forge/libnghttp2/1.46.0/linux-64/libnghttp2-1.46.0-h812cca2_0.tar.bz2

Path to dependency file: /containers/report/environment.yml

Path to vulnerable library: /home/wss-scanner/anaconda3/pkgs/libnghttp2-1.46.0-h812cca2_0.tar.bz2

Dependency Hierarchy: - r-base-4.0.3-h349a78a_8.tar.bz2 (Root Library) - libcurl-7.76.1-hc4aaa36_1.tar.bz2 - :x: **libnghttp2-1.46.0-h812cca2_0.tar.bz2** (Vulnerable Library)

Found in HEAD commit: 13a695b50fb85e7ab6cd2f04a402f6cae746398e

Found in base branch: main

Vulnerability Details

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Publish Date: 2023-10-10

URL: CVE-2023-44487

CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-44487

Release Date: 2023-10-10

Fix Resolution: org.eclipse.jetty.http2:http2-server:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-server:12.0.2, org.eclipse.jetty.http2:http2-common:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-common:12.0.2, nghttp - v1.57.0, swift-nio-http2 - 1.28.0, io.netty:netty-codec-http2:4.1.100.Final, trafficserver - 9.2.3, org.apache.tomcat:tomcat-coyote:8.5.94,9.0.81,10.1.14, org.apache.tomcat.embed:tomcat-embed-core:8.5.94,9.0.81,10.1.14, Microsoft.AspNetCore.App - 6.0.23,7.0.12, contour - v1.26.1, proxygen - v2023.10.16.00, grpc-go - v1.56.3,v1.57.1,v1.58.3, kubernetes/kubernetes - v1.25.15,v1.26.10,v1.27.7,v1.28.3,v1.29.0, kubernetes/apimachinery - v0.25.15,v0.26.10,v0.27.7,v0.28.3,v0.29.0

Step up your Open Source Security Game with Mend here

stale[bot] commented 2 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.