CVE-2023-30847

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-30847
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-30847.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-30847
Related
Published
2023-04-27T15:15:13Z
Modified
2025-01-15T04:51:53.597807Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H CVSS Calculator
Summary
[none]
Details

H2O is an HTTP server. In versions 2.3.0-beta2 and prior, when the reverse proxy handler tries to processes a certain type of invalid HTTP request, it tries to build an upstream URL by reading from uninitialized pointer. This behavior can lead to crashes or leak of information to back end HTTP servers. Pull request number 3229 fixes the issue. The pull request has been merged to the master branch in commit f010336. Users should upgrade to commit f010336 or later.

References

Affected packages

Git / github.com/h2o/h2o

Affected ranges

Type
GIT
Repo
https://github.com/h2o/h2o
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

v0.*

v0.9.0
v0.9.1
v0.9.2

v1.*

v1.0.0
v1.0.1
v1.1.0
v1.1.1
v1.2.0
v1.3.0
v1.3.0-beta1
v1.3.1
v1.4.0
v1.4.1
v1.4.2
v1.5.0
v1.5.0-beta1
v1.5.0-beta2
v1.5.0-beta3
v1.5.0-beta4
v1.5.1
v1.5.2
v1.5.3
v1.6.0
v1.6.0-beta1
v1.6.0-beta2
v1.7.0
v1.7.0-beta1
v1.7.0-beta2
v1.7.0-beta3
v1.7.0-beta4
v1.7.0-beta5

v2.*

v2.1.0-beta1
v2.1.0-beta2
v2.1.0-beta3
v2.2.0
v2.2.0-beta1
v2.2.0-beta2
v2.2.0-beta3