golang / vulndb

[mirror] The Go Vulnerability Database

x/vulndb: potential Go vuln in github.com/h2o/h2o: CVE-2024-45397 #3193

Closed GoVulnBot closed 1 month ago

GoVulnBot commented 1 month ago

Advisory CVE-2024-45397 references a vulnerability in the following Go modules:

| Module |
| --- |
| github.com/h2o/h2o |

Description: h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When an HTTP request using TLS/1.3 early data on top of TCP Fast Open or QUIC 0-RTT packets is received and the IP-address-based access control is used, the access control does not detect and prohibit HTTP requests conveyed by packets with a spoofed source address. This behavior allows attackers on the network to execute HTTP requests from addresses that are otherwise rejected by the address-based access control. The vulnerability has been addressed in commit 15ed15a. Users may disable the use of TCP FastOpen and QUIC to mitig...

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

```yaml
id: GO-ID-PENDING
modules:
    - module: github.com/h2o/h2o
      vulnerable_at: 2.2.6+incompatible
summary: CVE-2024-45397 in github.com/h2o/h2o
cves:
    - CVE-2024-45397
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-45397
    - fix: https://github.com/h2o/h2o/commit/15ed15a2efb83a77bb4baaa5a119e639c2f6898a
    - web: https://github.com/h2o/h2o/security/advisories/GHSA-jf2c-xjcp-wg4c
    - web: https://h2o.examp1e.net/configure/http3_directives.html
source:
    id: CVE-2024-45397
    created: 2024-10-11T16:01:30.457687025Z
review_status: UNREVIEWED
```

gopherbot commented 1 month ago

Change https://go.dev/cl/619698 mentions this issue: data/excluded: add 3 reports