GHSA-q6cp-qfwq-4gcv
Suggest an improvement- Source
- https://github.com/advisories/GHSA-q6cp-qfwq-4gcv
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-q6cp-qfwq-4gcv/GHSA-q6cp-qfwq-4gcv.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-q6cp-qfwq-4gcv
- Aliases
- Related
- Published
- 2024-04-05T15:05:32Z
- Modified
- 2024-04-11T16:41:43.668809Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
- Summary
- h2 servers vulnerable to degradation of service with CONTINUATION Flood
- Details
-
An attacker can send a flood of CONTINUATION frames, causing
h2to process them indefinitely. This results in an increase in CPU usage.Tokio task budget helps prevent this from a complete denial-of-service, as the server can still respond to legitimate requests, albeit with increased latency.
More details at https://seanmonstar.com/blog/hyper-http2-continuation-flood/.
Patches available for 0.4.x and 0.3.x versions.
- Database specific
{ "github_reviewed_at": "2024-04-05T15:05:32Z", "github_reviewed": true, "severity": "MODERATE", "nvd_published_at": null, "cwe_ids": [ "CWE-400", "CWE-770" ] }- References
Affected packages
crates.io / h2
Package
- Name
- h2
- View open source insights on deps.dev
- Purl
- pkg:cargo/h2
crates.io / h2
Package
- Name
- h2
- View open source insights on deps.dev
- Purl
- pkg:cargo/h2