CVE-2023-30847
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2023-30847
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-30847.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2023-30847
- Aliases
-
- GHSA-p5hj-phwj-hrvx
- Downstream
- Published
- 2023-04-27T14:08:35.112Z
- Modified
- 2025-11-19T20:01:53.499271Z
- Severity
-
- 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H CVSS Calculator
- Summary
- H2O vulnerable to read from uninitialized pointer in the reverse proxy handler
- Details
-
H2O is an HTTP server. In versions 2.3.0-beta2 and prior, when the reverse proxy handler tries to processes a certain type of invalid HTTP request, it tries to build an upstream URL by reading from uninitialized pointer. This behavior can lead to crashes or leak of information to back end HTTP servers. Pull request number 3229 fixes the issue. The pull request has been merged to the
masterbranch in commit f010336. Users should upgrade to commit f010336 or later. - Database specific
{ "cwe_ids": [ "CWE-824" ] }- References
Affected packages
Git / github.com/h2o/h2o
Affected ranges
- Type
- GIT
- Repo
- https://github.com/h2o/h2o
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
v0.*
v0.9.0
v0.9.1
v0.9.2
v1.*
v1.0.0
v1.0.1
v1.1.0
v1.1.1
v1.2.0
v1.3.0
v1.3.0-beta1
v1.3.1
v1.4.0
v1.4.1
v1.4.2
v1.5.0
v1.5.0-beta1
v1.5.0-beta2
v1.5.0-beta3
v1.5.0-beta4
v1.5.1
v1.5.2
v1.5.3
v1.6.0
v1.6.0-beta1
v1.6.0-beta2
v1.7.0
v1.7.0-beta1
v1.7.0-beta2
v1.7.0-beta3
v1.7.0-beta4
v1.7.0-beta5
v2.*
v2.1.0-beta1
v2.1.0-beta2
v2.1.0-beta3
v2.2.0
v2.2.0-beta1
v2.2.0-beta2
v2.2.0-beta3