What is the vulnerability ID of this H2O vulnerability?

The vulnerability ID of this H2O vulnerability is CVE-2023-30847.

What is the severity of CVE-2023-30847?

The severity of CVE-2023-30847 is high with a CVSS score of 8.2.

What is the affected software for CVE-2023-30847?

The affected software for CVE-2023-30847 is H2O version 2.3.0-beta2 and prior.

How does CVE-2023-30847 affect H2O?

CVE-2023-30847 in H2O can lead to crashes or information leakage to the back-end HTTP server.

Are there any fixes or patches available for CVE-2023-30847?

Yes, fixes for CVE-2023-30847 are available. It is recommended to update to a version that includes the fix.

Vulnerability/
CVE-2023-30847

high

8.2

CWE

824

27/4/2023

2/8/2024

CVE-2023-30847: H2O vulnerable to read from uninitialized pointer in the reverse proxy handler

First published: Thu Apr 27 2023(Updated: )

H2O is an HTTP server. In versions 2.3.0-beta2 and prior, when the reverse proxy handler tries to processes a certain type of invalid HTTP request, it tries to build an upstream URL by reading from uninitialized pointer. This behavior can lead to crashes or leak of information to back end HTTP servers. Pull request number 3229 fixes the issue. The pull request has been merged to the `master` branch in commit f010336. Users should upgrade to commit f010336 or later.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Dena H2o	<=2.2.6
Dena H2o	=2.3.0-beta1
Dena H2o	=2.3.0-beta2

Remedy

https://github.com/h2o/h2o/commit/f010336bab162839df43d9e87570897466c97e33

Remedy

https://github.com/h2o/h2o/security/advisories/GHSA-p5hj-phwj-hrvx

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the vulnerability ID of this H2O vulnerability?
The vulnerability ID of this H2O vulnerability is CVE-2023-30847.
What is the severity of CVE-2023-30847?
The severity of CVE-2023-30847 is high with a CVSS score of 8.2.
What is the affected software for CVE-2023-30847?
The affected software for CVE-2023-30847 is H2O version 2.3.0-beta2 and prior.
How does CVE-2023-30847 affect H2O?
CVE-2023-30847 in H2O can lead to crashes or information leakage to the back-end HTTP server.
Are there any fixes or patches available for CVE-2023-30847?
Yes, fixes for CVE-2023-30847 are available. It is recommended to update to a version that includes the fix.

agent/type
agent/remedy
collector/nvd-index
agent/software-canonical-lookup-request
agent/weakness
agent/references
agent/author
agent/softwarecombine
agent/description
collector/mitre-cve
source/MITRE
agent/severity
agent/last-modified-date
agent/title
agent/first-publish-date
agent/event
agent/tags
vendor/dena
canonical/dena h2o
version/dena h2o/2.2.6
version/dena h2o/2.3.0-beta1
version/dena h2o/2.3.0-beta2

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.