cve-2024-45397
Vulnerability from cvelistv5
Published
2024-10-11 14:24
Modified
2024-10-11 14:42
Severity ?
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When an HTTP request using TLS/1.3 early data on top of TCP Fast Open or QUIC 0-RTT packets is received and the IP-address-based access control is used, the access control does not detect and prohibit HTTP requests conveyed by packets with a spoofed source address. This behavior allows attackers on the network to execute HTTP requests from addresses that are otherwise rejected by the address-based access control. The vulnerability has been addressed in commit 15ed15a. Users may disable the use of TCP FastOpen and QUIC to mitigate the issue.
References
security-advisories@github.comhttps://github.com/h2o/h2o/commit/15ed15a2efb83a77bb4baaa5a119e639c2f6898aPatch
security-advisories@github.comhttps://github.com/h2o/h2o/security/advisories/GHSA-jf2c-xjcp-wg4cVendor Advisory
security-advisories@github.comhttps://h2o.examp1e.net/configure/http3_directives.htmlProduct
Impacted products
Vendor Product Version
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-45397",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-11T14:42:12.389414Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-11T14:42:24.963Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "h2o",
          "vendor": "h2o",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 15ed15a2efb83a77bb4baaa5a119e639c2f6898a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When an HTTP request using TLS/1.3 early data on top of TCP Fast Open or QUIC 0-RTT packets is received and the IP-address-based access control is used, the access control does not detect and prohibit HTTP requests conveyed by packets with a spoofed source address. This behavior allows attackers on the network to execute HTTP requests from addresses that are otherwise rejected by the address-based access control. The vulnerability has been addressed in commit 15ed15a. Users may disable the use of TCP FastOpen and QUIC to mitigate the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-11T14:24:57.687Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/h2o/h2o/security/advisories/GHSA-jf2c-xjcp-wg4c",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/h2o/h2o/security/advisories/GHSA-jf2c-xjcp-wg4c"
        },
        {
          "name": "https://github.com/h2o/h2o/commit/15ed15a2efb83a77bb4baaa5a119e639c2f6898a",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/h2o/h2o/commit/15ed15a2efb83a77bb4baaa5a119e639c2f6898a"
        },
        {
          "name": "https://h2o.examp1e.net/configure/http3_directives.html",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://h2o.examp1e.net/configure/http3_directives.html"
        }
      ],
      "source": {
        "advisory": "GHSA-jf2c-xjcp-wg4c",
        "discovery": "UNKNOWN"
      },
      "title": "H2O alllows bypassing address-based access control with 0-RTT"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-45397",
    "datePublished": "2024-10-11T14:24:57.687Z",
    "dateReserved": "2024-08-28T20:21:32.802Z",
    "dateUpdated": "2024-10-11T14:42:24.963Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dena:h2o:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2024-10-10\", \"matchCriteriaId\": \"A7760480-4001-4F10-B91B-CF59236F1427\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When an HTTP request using TLS/1.3 early data on top of TCP Fast Open or QUIC 0-RTT packets is received and the IP-address-based access control is used, the access control does not detect and prohibit HTTP requests conveyed by packets with a spoofed source address. This behavior allows attackers on the network to execute HTTP requests from addresses that are otherwise rejected by the address-based access control. The vulnerability has been addressed in commit 15ed15a. Users may disable the use of TCP FastOpen and QUIC to mitigate the issue.\"}, {\"lang\": \"es\", \"value\": \"h2o es un servidor HTTP compatible con HTTP/1.x, HTTP/2 y HTTP/3. Cuando se recibe una solicitud HTTP que utiliza datos tempranos TLS/1.3 sobre paquetes TCP Fast Open o QUIC 0-RTT y se utiliza el control de acceso basado en direcciones IP, el control de acceso no detecta ni proh\\u00edbe las solicitudes HTTP transmitidas por paquetes con una direcci\\u00f3n de origen falsificada. Este comportamiento permite a los atacantes de la red ejecutar solicitudes HTTP desde direcciones que, de otro modo, ser\\u00edan rechazadas por el control de acceso basado en direcciones. La vulnerabilidad se ha abordado en el commit 15ed15a. Los usuarios pueden desactivar el uso de TCP FastOpen y QUIC para mitigar el problema.\"}]",
      "id": "CVE-2024-45397",
      "lastModified": "2024-11-12T20:14:25.083",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 5.9, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 3.6}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}]}",
      "published": "2024-10-11T15:15:04.690",
      "references": "[{\"url\": \"https://github.com/h2o/h2o/commit/15ed15a2efb83a77bb4baaa5a119e639c2f6898a\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/h2o/h2o/security/advisories/GHSA-jf2c-xjcp-wg4c\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://h2o.examp1e.net/configure/http3_directives.html\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Product\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Analyzed",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-284\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-290\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-45397\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-10-11T15:15:04.690\",\"lastModified\":\"2024-11-12T20:14:25.083\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When an HTTP request using TLS/1.3 early data on top of TCP Fast Open or QUIC 0-RTT packets is received and the IP-address-based access control is used, the access control does not detect and prohibit HTTP requests conveyed by packets with a spoofed source address. This behavior allows attackers on the network to execute HTTP requests from addresses that are otherwise rejected by the address-based access control. The vulnerability has been addressed in commit 15ed15a. Users may disable the use of TCP FastOpen and QUIC to mitigate the issue.\"},{\"lang\":\"es\",\"value\":\"h2o es un servidor HTTP compatible con HTTP/1.x, HTTP/2 y HTTP/3. Cuando se recibe una solicitud HTTP que utiliza datos tempranos TLS/1.3 sobre paquetes TCP Fast Open o QUIC 0-RTT y se utiliza el control de acceso basado en direcciones IP, el control de acceso no detecta ni proh\u00edbe las solicitudes HTTP transmitidas por paquetes con una direcci\u00f3n de origen falsificada. Este comportamiento permite a los atacantes de la red ejecutar solicitudes HTTP desde direcciones que, de otro modo, ser\u00edan rechazadas por el control de acceso basado en direcciones. La vulnerabilidad se ha abordado en el commit 15ed15a. Los usuarios pueden desactivar el uso de TCP FastOpen y QUIC para mitigar el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-290\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dena:h2o:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2024-10-10\",\"matchCriteriaId\":\"A7760480-4001-4F10-B91B-CF59236F1427\"}]}]}],\"references\":[{\"url\":\"https://github.com/h2o/h2o/commit/15ed15a2efb83a77bb4baaa5a119e639c2f6898a\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/h2o/h2o/security/advisories/GHSA-jf2c-xjcp-wg4c\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://h2o.examp1e.net/configure/http3_directives.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"H2O alllows bypassing address-based access control with 0-RTT\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-284\", \"lang\": \"en\", \"description\": \"CWE-284: Improper Access Control\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"NONE\", \"baseScore\": 5.9, \"baseSeverity\": \"MEDIUM\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/h2o/h2o/security/advisories/GHSA-jf2c-xjcp-wg4c\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/h2o/h2o/security/advisories/GHSA-jf2c-xjcp-wg4c\"}, {\"name\": \"https://github.com/h2o/h2o/commit/15ed15a2efb83a77bb4baaa5a119e639c2f6898a\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/h2o/h2o/commit/15ed15a2efb83a77bb4baaa5a119e639c2f6898a\"}, {\"name\": \"https://h2o.examp1e.net/configure/http3_directives.html\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://h2o.examp1e.net/configure/http3_directives.html\"}], \"affected\": [{\"vendor\": \"h2o\", \"product\": \"h2o\", \"versions\": [{\"version\": \"\u003c 15ed15a2efb83a77bb4baaa5a119e639c2f6898a\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-10-11T14:24:57.687Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When an HTTP request using TLS/1.3 early data on top of TCP Fast Open or QUIC 0-RTT packets is received and the IP-address-based access control is used, the access control does not detect and prohibit HTTP requests conveyed by packets with a spoofed source address. This behavior allows attackers on the network to execute HTTP requests from addresses that are otherwise rejected by the address-based access control. The vulnerability has been addressed in commit 15ed15a. Users may disable the use of TCP FastOpen and QUIC to mitigate the issue.\"}], \"source\": {\"advisory\": \"GHSA-jf2c-xjcp-wg4c\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-45397\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-11T14:42:12.389414Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-11T14:42:19.203Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-45397\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2024-08-28T20:21:32.802Z\", \"datePublished\": \"2024-10-11T14:24:57.687Z\", \"dateUpdated\": \"2024-10-11T14:42:24.963Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.