CVE-2024-45397 (GCVE-0-2024-45397)
Vulnerability from cvelistv5 – Published: 2024-10-11 14:24 – Updated: 2024-10-11 14:42
VLAI?
Title
H2O alllows bypassing address-based access control with 0-RTT
Summary
h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When an HTTP request using TLS/1.3 early data on top of TCP Fast Open or QUIC 0-RTT packets is received and the IP-address-based access control is used, the access control does not detect and prohibit HTTP requests conveyed by packets with a spoofed source address. This behavior allows attackers on the network to execute HTTP requests from addresses that are otherwise rejected by the address-based access control. The vulnerability has been addressed in commit 15ed15a. Users may disable the use of TCP FastOpen and QUIC to mitigate the issue.
Severity ?
5.9 (Medium)
CWE
- CWE-284 - Improper Access Control
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45397",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-11T14:42:12.389414Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-11T14:42:24.963Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "h2o",
"vendor": "h2o",
"versions": [
{
"status": "affected",
"version": "\u003c 15ed15a2efb83a77bb4baaa5a119e639c2f6898a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When an HTTP request using TLS/1.3 early data on top of TCP Fast Open or QUIC 0-RTT packets is received and the IP-address-based access control is used, the access control does not detect and prohibit HTTP requests conveyed by packets with a spoofed source address. This behavior allows attackers on the network to execute HTTP requests from addresses that are otherwise rejected by the address-based access control. The vulnerability has been addressed in commit 15ed15a. Users may disable the use of TCP FastOpen and QUIC to mitigate the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-11T14:24:57.687Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/h2o/h2o/security/advisories/GHSA-jf2c-xjcp-wg4c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/h2o/h2o/security/advisories/GHSA-jf2c-xjcp-wg4c"
},
{
"name": "https://github.com/h2o/h2o/commit/15ed15a2efb83a77bb4baaa5a119e639c2f6898a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/h2o/h2o/commit/15ed15a2efb83a77bb4baaa5a119e639c2f6898a"
},
{
"name": "https://h2o.examp1e.net/configure/http3_directives.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://h2o.examp1e.net/configure/http3_directives.html"
}
],
"source": {
"advisory": "GHSA-jf2c-xjcp-wg4c",
"discovery": "UNKNOWN"
},
"title": "H2O alllows bypassing address-based access control with 0-RTT"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-45397",
"datePublished": "2024-10-11T14:24:57.687Z",
"dateReserved": "2024-08-28T20:21:32.802Z",
"dateUpdated": "2024-10-11T14:42:24.963Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dena:h2o:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2024-10-10\", \"matchCriteriaId\": \"A7760480-4001-4F10-B91B-CF59236F1427\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When an HTTP request using TLS/1.3 early data on top of TCP Fast Open or QUIC 0-RTT packets is received and the IP-address-based access control is used, the access control does not detect and prohibit HTTP requests conveyed by packets with a spoofed source address. This behavior allows attackers on the network to execute HTTP requests from addresses that are otherwise rejected by the address-based access control. The vulnerability has been addressed in commit 15ed15a. Users may disable the use of TCP FastOpen and QUIC to mitigate the issue.\"}, {\"lang\": \"es\", \"value\": \"h2o es un servidor HTTP compatible con HTTP/1.x, HTTP/2 y HTTP/3. Cuando se recibe una solicitud HTTP que utiliza datos tempranos TLS/1.3 sobre paquetes TCP Fast Open o QUIC 0-RTT y se utiliza el control de acceso basado en direcciones IP, el control de acceso no detecta ni proh\\u00edbe las solicitudes HTTP transmitidas por paquetes con una direcci\\u00f3n de origen falsificada. Este comportamiento permite a los atacantes de la red ejecutar solicitudes HTTP desde direcciones que, de otro modo, ser\\u00edan rechazadas por el control de acceso basado en direcciones. La vulnerabilidad se ha abordado en el commit 15ed15a. Los usuarios pueden desactivar el uso de TCP FastOpen y QUIC para mitigar el problema.\"}]",
"id": "CVE-2024-45397",
"lastModified": "2024-11-12T20:14:25.083",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 5.9, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 3.6}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}]}",
"published": "2024-10-11T15:15:04.690",
"references": "[{\"url\": \"https://github.com/h2o/h2o/commit/15ed15a2efb83a77bb4baaa5a119e639c2f6898a\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/h2o/h2o/security/advisories/GHSA-jf2c-xjcp-wg4c\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://h2o.examp1e.net/configure/http3_directives.html\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Product\"]}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-284\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-290\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-45397\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-10-11T15:15:04.690\",\"lastModified\":\"2024-11-12T20:14:25.083\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When an HTTP request using TLS/1.3 early data on top of TCP Fast Open or QUIC 0-RTT packets is received and the IP-address-based access control is used, the access control does not detect and prohibit HTTP requests conveyed by packets with a spoofed source address. This behavior allows attackers on the network to execute HTTP requests from addresses that are otherwise rejected by the address-based access control. The vulnerability has been addressed in commit 15ed15a. Users may disable the use of TCP FastOpen and QUIC to mitigate the issue.\"},{\"lang\":\"es\",\"value\":\"h2o es un servidor HTTP compatible con HTTP/1.x, HTTP/2 y HTTP/3. Cuando se recibe una solicitud HTTP que utiliza datos tempranos TLS/1.3 sobre paquetes TCP Fast Open o QUIC 0-RTT y se utiliza el control de acceso basado en direcciones IP, el control de acceso no detecta ni proh\u00edbe las solicitudes HTTP transmitidas por paquetes con una direcci\u00f3n de origen falsificada. Este comportamiento permite a los atacantes de la red ejecutar solicitudes HTTP desde direcciones que, de otro modo, ser\u00edan rechazadas por el control de acceso basado en direcciones. La vulnerabilidad se ha abordado en el commit 15ed15a. Los usuarios pueden desactivar el uso de TCP FastOpen y QUIC para mitigar el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-290\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dena:h2o:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2024-10-10\",\"matchCriteriaId\":\"A7760480-4001-4F10-B91B-CF59236F1427\"}]}]}],\"references\":[{\"url\":\"https://github.com/h2o/h2o/commit/15ed15a2efb83a77bb4baaa5a119e639c2f6898a\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/h2o/h2o/security/advisories/GHSA-jf2c-xjcp-wg4c\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://h2o.examp1e.net/configure/http3_directives.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]}]}}",
"vulnrichment": {
"containers": "{\"cna\": {\"title\": \"H2O alllows bypassing address-based access control with 0-RTT\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-284\", \"lang\": \"en\", \"description\": \"CWE-284: Improper Access Control\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"NONE\", \"baseScore\": 5.9, \"baseSeverity\": \"MEDIUM\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/h2o/h2o/security/advisories/GHSA-jf2c-xjcp-wg4c\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/h2o/h2o/security/advisories/GHSA-jf2c-xjcp-wg4c\"}, {\"name\": \"https://github.com/h2o/h2o/commit/15ed15a2efb83a77bb4baaa5a119e639c2f6898a\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/h2o/h2o/commit/15ed15a2efb83a77bb4baaa5a119e639c2f6898a\"}, {\"name\": \"https://h2o.examp1e.net/configure/http3_directives.html\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://h2o.examp1e.net/configure/http3_directives.html\"}], \"affected\": [{\"vendor\": \"h2o\", \"product\": \"h2o\", \"versions\": [{\"version\": \"\u003c 15ed15a2efb83a77bb4baaa5a119e639c2f6898a\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-10-11T14:24:57.687Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When an HTTP request using TLS/1.3 early data on top of TCP Fast Open or QUIC 0-RTT packets is received and the IP-address-based access control is used, the access control does not detect and prohibit HTTP requests conveyed by packets with a spoofed source address. This behavior allows attackers on the network to execute HTTP requests from addresses that are otherwise rejected by the address-based access control. The vulnerability has been addressed in commit 15ed15a. Users may disable the use of TCP FastOpen and QUIC to mitigate the issue.\"}], \"source\": {\"advisory\": \"GHSA-jf2c-xjcp-wg4c\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-45397\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-11T14:42:12.389414Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-11T14:42:19.203Z\"}}]}",
"cveMetadata": "{\"cveId\": \"CVE-2024-45397\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2024-08-28T20:21:32.802Z\", \"datePublished\": \"2024-10-11T14:24:57.687Z\", \"dateUpdated\": \"2024-10-11T14:42:24.963Z\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…