search

golang / vulndb

[mirror] The Go Vulnerability Database
Other
565 stars 61 forks source link

x/vulndb: potential Go vuln in github.com/h2o/h2o: CVE-2024-25622 #3192

Closed GoVulnBot closed 1 month ago

GoVulnBot commented 1 month ago

Advisory CVE-2024-25622 references a vulnerability in the following Go modules:

Module
github.com/h2o/h2o

Description: h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. The configuration directives provided by the headers handler allows users to modify the response headers being sent by h2o. The configuration file of h2o has scopes, and the inner scopes (e.g., path level) are expected to inherit the configuration defined in outer scopes (e.g., global level). However, if a header directive is used in the inner scope, all the definition in outer scopes are ignored. This can lead to headers not being modified as expected. Depending on the headers being added or removed unexpectedly, this behavio...

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/h2o/h2o
      vulnerable_at: 2.2.6+incompatible
summary: CVE-2024-25622 in github.com/h2o/h2o
cves:
    - CVE-2024-25622
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-25622
    - fix: https://github.com/h2o/h2o/commit/123f5e2b65dcdba8f7ef659a00d24bd1249141be
    - report: https://github.com/h2o/h2o/issues/3332
    - web: https://github.com/h2o/h2o/security/advisories/GHSA-5m7v-cj65-h6pj
source:
    id: CVE-2024-25622
    created: 2024-10-11T16:01:28.641132895Z
review_status: UNREVIEWED
gopherbot commented 1 month ago

Change https://go.dev/cl/619698 mentions this issue: data/excluded: add 3 reports