CVE-2023-30847
First published: Thu Apr 27 2023(Updated: )
H2O is an HTTP server. In versions 2.3.0-beta2 and prior, when the reverse proxy handler tries to processes a certain type of invalid HTTP request, it tries to build an upstream URL by reading from uninitialized pointer. This behavior can lead to crashes or leak of information to back end HTTP servers. Pull request number 3229 fixes the issue. The pull request has been merged to the `master` branch in commit f010336. Users should upgrade to commit f010336 or later.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Dena H2o | <=2.2.6 | |
| Dena H2o | =2.3.0-beta1 | |
| Dena H2o | =2.3.0-beta2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID of this H2O vulnerability?
The vulnerability ID of this H2O vulnerability is CVE-2023-30847.
What is the severity of CVE-2023-30847?
The severity of CVE-2023-30847 is high with a CVSS score of 8.2.
What is the affected software for CVE-2023-30847?
The affected software for CVE-2023-30847 is H2O version 2.3.0-beta2 and prior.
How does CVE-2023-30847 affect H2O?
CVE-2023-30847 in H2O can lead to crashes or information leakage to the back-end HTTP server.
Are there any fixes or patches available for CVE-2023-30847?
Yes, fixes for CVE-2023-30847 are available. It is recommended to update to a version that includes the fix.
- agent/severity
- agent/weakness
- agent/references
- agent/author
- agent/tags
- agent/type
- agent/event
- agent/description
- agent/remedy
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/dena
- canonical/dena h2o
- version/dena h2o/2.2.6
- version/dena h2o/2.3.0-beta1
- version/dena h2o/2.3.0-beta2