Search

Find a vulnerability

Search criteria

    12 vulnerabilities found for swiftnio_http\/2 by apple

    CVE-2026-28898 (GCVE-0-2026-28898)

    Vulnerability from nvd – Published: 2026-06-25 18:36 – Updated: 2026-06-25 19:28
    VLAI
    Summary
    swift-nio-http2's HTTP/2-to-HTTP/1.1 codec did not validate pseudo-header values for control characters before placing them into the translated HTTP/1.1 message. swift-nio-http2 1.44.1 adds validation of all pseudo-header values (:path, :authority, :scheme, :method, and :status) at both the HPACK header validation layer and the HTTP/2-to-HTTP/1.1 translation layer. Requests or responses containing CR, LF, or NUL bytes in any pseudo-header value are now rejected with a connection error. This issue is fixed in swift-nio-http2 1.44.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • swift-nio-http2's HTTP/2-to-HTTP/1.1 codec did not validate pseudo-header values for control characters before placing them into the translated HTTP/1.1 message.
    • CWE-116 - Improper Encoding or Escaping of Output
    Assigner
    References
    Impacted products
    Vendor Product Version
    Apple swift-nio-http2 Affected: 0 , < 1.44.1 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-28898",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T19:28:33.856470Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-116",
                    "description": "CWE-116 Improper Encoding or Escaping of Output",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T19:28:38.970Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "swift-nio-http2",
              "vendor": "Apple",
              "versions": [
                {
                  "lessThan": "1.44.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "swift-nio-http2\u0027s HTTP/2-to-HTTP/1.1 codec did not validate pseudo-header values for control characters before placing them into the translated HTTP/1.1 message. swift-nio-http2 1.44.1 adds validation of all pseudo-header values (:path, :authority, :scheme, :method, and :status) at both the HPACK header validation layer and the HTTP/2-to-HTTP/1.1 translation layer. Requests or responses containing CR, LF, or NUL bytes in any pseudo-header value are now rejected with a connection error. This issue is fixed in swift-nio-http2 1.44.1."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "swift-nio-http2\u0027s HTTP/2-to-HTTP/1.1 codec did not validate pseudo-header values for control characters before placing them into the translated HTTP/1.1 message.",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T18:36:54.046Z",
            "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c",
            "shortName": "apple"
          },
          "references": [
            {
              "url": "https://github.com/advisories/GHSA-4px2-pw77-vc85"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c",
        "assignerShortName": "apple",
        "cveId": "CVE-2026-28898",
        "datePublished": "2026-06-25T18:36:54.046Z",
        "dateReserved": "2026-03-03T16:36:03.983Z",
        "dateUpdated": "2026-06-25T19:28:38.970Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-44487 (GCVE-0-2023-44487)

    Vulnerability from nvd – Published: 2023-10-10 00:00 – Updated: 2026-05-12 10:52
    VLAI CISA KEVIntel
    Summary
    The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
    SSVC
    Exploitation: active Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    URL Tags
    https://github.com/dotnet/core/blob/e4613450ea0da…
    https://blog.cloudflare.com/technical-breakdown-h…
    https://aws.amazon.com/security/security-bulletin…
    https://cloud.google.com/blog/products/identity-s…
    https://www.nginx.com/blog/http-2-rapid-reset-att…
    https://cloud.google.com/blog/products/identity-s…
    https://news.ycombinator.com/item?id=37831062
    https://blog.cloudflare.com/zero-day-rapid-reset-…
    https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack
    https://github.com/envoyproxy/envoy/pull/30055
    https://github.com/haproxy/haproxy/issues/2312
    https://github.com/eclipse/jetty.project/issues/10679
    https://forums.swift.org/t/swift-nio-http2-securi…
    https://github.com/nghttp2/nghttp2/pull/1961
    https://github.com/netty/netty/commit/58f75f665aa…
    https://github.com/alibaba/tengine/issues/1872
    https://github.com/apache/tomcat/tree/main/java/o…
    https://news.ycombinator.com/item?id=37830987
    https://news.ycombinator.com/item?id=37830998
    https://github.com/caddyserver/caddy/issues/5877
    https://www.bleepingcomputer.com/news/security/ne…
    https://github.com/bcdannyboy/CVE-2023-44487
    https://github.com/grpc/grpc-go/pull/6703
    https://github.com/icing/mod_h2/blob/0a864782af0a…
    https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0
    https://mailman.nginx.org/pipermail/nginx-devel/2…
    https://my.f5.com/manage/s/article/K000137106
    https://msrc.microsoft.com/blog/2023/10/microsoft…
    https://bugzilla.proxmox.com/show_bug.cgi?id=4988
    https://cgit.freebsd.org/ports/commit/?id=c64c329…
    http://www.openwall.com/lists/oss-security/2023/10/10/7 mailing-list
    http://www.openwall.com/lists/oss-security/2023/10/10/6 mailing-list
    https://seanmonstar.com/post/730794151136935936/h…
    https://github.com/microsoft/CBL-Mariner/pull/6381
    https://groups.google.com/g/golang-announce/c/iNN…
    https://github.com/facebook/proxygen/pull/466
    https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a…
    https://github.com/micrictor/http2-rst-stream
    https://edg.io/lp/blog/resets-leaks-ddos-and-the-…
    https://openssf.org/blog/2023/10/10/http-2-rapid-…
    https://github.com/h2o/h2o/security/advisories/GH…
    https://github.com/h2o/h2o/pull/3291
    https://github.com/nodejs/node/pull/50121
    https://github.com/dotnet/announcements/issues/277
    https://github.com/golang/go/issues/63417
    https://github.com/advisories/GHSA-vx74-f528-fxqg
    https://github.com/apache/trafficserver/pull/10564
    https://msrc.microsoft.com/update-guide/vulnerabi…
    https://tomcat.apache.org/security-10.html#Fixed_…
    https://lists.apache.org/thread/5py8h42mxfsn8l1wy…
    https://www.openwall.com/lists/oss-security/2023/…
    https://www.haproxy.com/blog/haproxy-is-not-affec…
    https://github.com/opensearch-project/data-preppe…
    https://github.com/kubernetes/kubernetes/pull/121120
    https://github.com/oqtane/oqtane.framework/discus…
    https://github.com/advisories/GHSA-xpw8-rcwv-8f8p
    https://netty.io/news/2023/10/10/4-1-100-Final.html
    https://www.cisa.gov/news-events/alerts/2023/10/1…
    https://www.theregister.com/2023/10/10/http2_rapi…
    https://blog.qualys.com/vulnerabilities-threat-re…
    https://news.ycombinator.com/item?id=37837043
    https://github.com/kazu-yamamoto/http2/issues/93
    https://martinthomson.github.io/h2-stream-limits/…
    https://github.com/kazu-yamamoto/http2/commit/f61…
    https://github.com/apache/httpd/blob/afcdbeebbff4…
    https://www.debian.org/security/2023/dsa-5522 vendor-advisory
    https://www.debian.org/security/2023/dsa-5521 vendor-advisory
    https://access.redhat.com/security/cve/cve-2023-44487
    https://github.com/ninenines/cowboy/issues/1615
    https://github.com/varnishcache/varnish-cache/iss…
    https://github.com/tempesta-tech/tempesta/issues/1986
    https://blog.vespa.ai/cve-2023-44487/
    https://github.com/etcd-io/etcd/issues/16740
    https://www.darkreading.com/cloud/internet-wide-z…
    https://istio.io/latest/news/security/istio-secur…
    https://github.com/junkurihara/rust-rpxy/issues/97
    https://bugzilla.suse.com/show_bug.cgi?id=1216123
    https://bugzilla.redhat.com/show_bug.cgi?id=2242803
    https://ubuntu.com/security/CVE-2023-44487
    https://community.traefik.io/t/is-traefik-vulnera…
    https://github.com/advisories/GHSA-qppj-fm5r-hxr3
    https://github.com/apache/httpd-site/pull/10
    https://github.com/projectcontour/contour/pull/5826
    https://github.com/linkerd/website/pull/1695/comm…
    https://github.com/line/armeria/pull/5232
    https://blog.litespeedtech.com/2023/10/11/rapid-r…
    https://security.paloaltonetworks.com/CVE-2023-44487
    https://github.com/akka/akka-http/issues/4323
    https://github.com/openresty/openresty/issues/930
    https://github.com/apache/apisix/issues/10320
    https://github.com/Azure/AKS/issues/3947
    https://github.com/Kong/kong/discussions/11741
    https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487
    https://www.netlify.com/blog/netlify-successfully…
    https://github.com/caddyserver/caddy/releases/tag…
    https://lists.debian.org/debian-lts-announce/2023… mailing-list
    http://www.openwall.com/lists/oss-security/2023/10/13/4 mailing-list
    http://www.openwall.com/lists/oss-security/2023/10/13/9 mailing-list
    https://arstechnica.com/security/2023/10/how-ddos…
    https://lists.w3.org/Archives/Public/ietf-http-wg…
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/
    https://lists.debian.org/debian-lts-announce/2023… mailing-list
    https://security.netapp.com/advisory/ntap-2023101…
    https://lists.debian.org/debian-lts-announce/2023… mailing-list
    http://www.openwall.com/lists/oss-security/2023/10/18/4 mailing-list
    http://www.openwall.com/lists/oss-security/2023/10/18/8 mailing-list
    http://www.openwall.com/lists/oss-security/2023/10/19/6 mailing-list
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    http://www.openwall.com/lists/oss-security/2023/10/20/8 mailing-list
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.debian.org/debian-lts-announce/2023… mailing-list
    https://www.debian.org/security/2023/dsa-5540 vendor-advisory
    https://lists.debian.org/debian-lts-announce/2023… mailing-list
    https://discuss.hashicorp.com/t/hcsec-2023-32-vau…
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.debian.org/debian-lts-announce/2023… mailing-list
    https://www.debian.org/security/2023/dsa-5549 vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://www.debian.org/security/2023/dsa-5558 vendor-advisory
    https://lists.debian.org/debian-lts-announce/2023… mailing-list
    https://security.gentoo.org/glsa/202311-09 vendor-advisory
    https://www.debian.org/security/2023/dsa-5570 vendor-advisory
    https://security.netapp.com/advisory/ntap-2024042…
    https://security.netapp.com/advisory/ntap-2024062…
    https://security.netapp.com/advisory/ntap-2024062…
    https://github.com/grpc/grpc/releases/tag/v1.59.2
    https://sec.cloudapps.cisco.com/security/center/c…
    https://www.cisa.gov/known-exploited-vulnerabilit… government-resource
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://www.vicarius.io/vsociety/posts/rapid-rese…
    http://www.openwall.com/lists/oss-security/2025/08/13/6
    https://cert-portal.siemens.com/productcert/html/…
    https://cert-portal.siemens.com/productcert/html/…
    https://cert-portal.siemens.com/productcert/html/…
    https://cert-portal.siemens.com/productcert/html/…
    https://cert-portal.siemens.com/productcert/html/…
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:ietf:http:2.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "http",
                "vendor": "ietf",
                "versions": [
                  {
                    "status": "affected",
                    "version": "2.0"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-44487",
                    "options": [
                      {
                        "Exploitation": "active"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-23T20:34:21.334116Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              },
              {
                "other": {
                  "content": {
                    "dateAdded": "2023-10-10",
                    "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-44487"
                  },
                  "type": "kev"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-400",
                    "description": "CWE-400 Uncontrolled Resource Consumption",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-21T23:05:35.187Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "government-resource"
                ],
                "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-44487"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2023-10-10T00:00:00.000Z",
                "value": "CVE-2023-44487 added to CISA KEV"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-04T21:08:27.383Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://news.ycombinator.com/item?id=37831062"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/envoyproxy/envoy/pull/30055"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/haproxy/haproxy/issues/2312"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/eclipse/jetty.project/issues/10679"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/nghttp2/nghttp2/pull/1961"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/alibaba/tengine/issues/1872"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://news.ycombinator.com/item?id=37830987"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://news.ycombinator.com/item?id=37830998"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/caddyserver/caddy/issues/5877"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/bcdannyboy/CVE-2023-44487"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/grpc/grpc-go/pull/6703"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://my.f5.com/manage/s/article/K000137106"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/microsoft/CBL-Mariner/pull/6381"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/facebook/proxygen/pull/466"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/micrictor/http2-rst-stream"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/h2o/h2o/pull/3291"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/nodejs/node/pull/50121"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/dotnet/announcements/issues/277"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/golang/go/issues/63417"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/advisories/GHSA-vx74-f528-fxqg"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/apache/trafficserver/pull/10564"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.openwall.com/lists/oss-security/2023/10/10/6"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/opensearch-project/data-prepper/issues/3474"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/kubernetes/kubernetes/pull/121120"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/oqtane/oqtane.framework/discussions/3367"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://netty.io/news/2023/10/10/4-1-100-Final.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://news.ycombinator.com/item?id=37837043"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/kazu-yamamoto/http2/issues/93"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113"
              },
              {
                "name": "DSA-5522",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5522"
              },
              {
                "name": "DSA-5521",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5521"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/security/cve/cve-2023-44487"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/ninenines/cowboy/issues/1615"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/varnishcache/varnish-cache/issues/3996"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/tempesta-tech/tempesta/issues/1986"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://blog.vespa.ai/cve-2023-44487/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/etcd-io/etcd/issues/16740"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://istio.io/latest/news/security/istio-security-2023-004/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/junkurihara/rust-rpxy/issues/97"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://bugzilla.suse.com/show_bug.cgi?id=1216123"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://ubuntu.com/security/CVE-2023-44487"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/apache/httpd-site/pull/10"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/projectcontour/contour/pull/5826"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/line/armeria/pull/5232"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.paloaltonetworks.com/CVE-2023-44487"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/akka/akka-http/issues/4323"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/openresty/openresty/issues/930"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/apache/apisix/issues/10320"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/Azure/AKS/issues/3947"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/Kong/kong/discussions/11741"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/caddyserver/caddy/releases/tag/v2.7.5"
              },
              {
                "name": "[debian-lts-announce] 20231013 [SECURITY] [DLA 3617-1] tomcat9 security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html"
              },
              {
                "name": "[oss-security] 20231013 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2023/10/13/4"
              },
              {
                "name": "[oss-security] 20231013 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2023/10/13/9"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html"
              },
              {
                "name": "FEDORA-2023-ed2642fd58",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/"
              },
              {
                "name": "[debian-lts-announce] 20231016 [SECURITY] [DLA 3621-1] nghttp2 security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20231016-0001/"
              },
              {
                "name": "[debian-lts-announce] 20231016 [SECURITY] [DLA 3617-2] tomcat9 regression update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html"
              },
              {
                "name": "[oss-security] 20231018 Vulnerability in Jenkins",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2023/10/18/4"
              },
              {
                "name": "[oss-security] 20231018 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2023/10/18/8"
              },
              {
                "name": "[oss-security] 20231019 CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2023/10/19/6"
              },
              {
                "name": "FEDORA-2023-54fadada12",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/"
              },
              {
                "name": "FEDORA-2023-5ff7bf1dd8",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/"
              },
              {
                "name": "[oss-security] 20231020 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2023/10/20/8"
              },
              {
                "name": "FEDORA-2023-17efd3f2cd",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/"
              },
              {
                "name": "FEDORA-2023-d5030c983c",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/"
              },
              {
                "name": "FEDORA-2023-0259c3f26f",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/"
              },
              {
                "name": "FEDORA-2023-2a9214af5f",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/"
              },
              {
                "name": "FEDORA-2023-e9c04d81c1",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/"
              },
              {
                "name": "FEDORA-2023-f66fc0f62a",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/"
              },
              {
                "name": "FEDORA-2023-4d2fd884ea",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/"
              },
              {
                "name": "FEDORA-2023-b2c50535cb",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/"
              },
              {
                "name": "FEDORA-2023-fe53e13b5b",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/"
              },
              {
                "name": "FEDORA-2023-4bf641255e",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/"
              },
              {
                "name": "[debian-lts-announce] 20231030 [SECURITY] [DLA 3641-1] jetty9 security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html"
              },
              {
                "name": "DSA-5540",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5540"
              },
              {
                "name": "[debian-lts-announce] 20231031 [SECURITY] [DLA 3638-1] h2o security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715"
              },
              {
                "name": "FEDORA-2023-1caffb88af",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/"
              },
              {
                "name": "FEDORA-2023-3f70b8d406",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/"
              },
              {
                "name": "FEDORA-2023-7b52921cae",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/"
              },
              {
                "name": "FEDORA-2023-7934802344",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/"
              },
              {
                "name": "FEDORA-2023-dbe64661af",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/"
              },
              {
                "name": "FEDORA-2023-822aab0a5a",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/"
              },
              {
                "name": "[debian-lts-announce] 20231105 [SECURITY] [DLA 3645-1] trafficserver security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html"
              },
              {
                "name": "DSA-5549",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5549"
              },
              {
                "name": "FEDORA-2023-c0c6a91330",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/"
              },
              {
                "name": "FEDORA-2023-492b7be466",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/"
              },
              {
                "name": "DSA-5558",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5558"
              },
              {
                "name": "[debian-lts-announce] 20231119 [SECURITY] [DLA 3656-1] netty security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00012.html"
              },
              {
                "name": "GLSA-202311-09",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202311-09"
              },
              {
                "name": "DSA-5570",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5570"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20240426-0007/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20240621-0006/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20240621-0007/"
              },
              {
                "url": "https://www.vicarius.io/vsociety/posts/rapid-reset-cve-2023-44487-dos-in-http2-understanding-the-root-cause"
              },
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/08/13/6"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "defaultStatus": "unknown",
                "product": "RUGGEDCOM APE1808",
                "vendor": "Siemens",
                "versions": [
                  {
                    "lessThan": "*",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "defaultStatus": "unknown",
                "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
                "vendor": "Siemens",
                "versions": [
                  {
                    "lessThan": "*",
                    "status": "affected",
                    "version": "V3.1.5",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "defaultStatus": "unknown",
                "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
                "vendor": "Siemens",
                "versions": [
                  {
                    "lessThan": "*",
                    "status": "affected",
                    "version": "V3.1.5",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "defaultStatus": "unknown",
                "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
                "vendor": "Siemens",
                "versions": [
                  {
                    "lessThan": "*",
                    "status": "affected",
                    "version": "V3.1.5",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "defaultStatus": "unknown",
                "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
                "vendor": "Siemens",
                "versions": [
                  {
                    "lessThan": "*",
                    "status": "affected",
                    "version": "V3.1.5",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "defaultStatus": "unknown",
                "product": "SINEC NMS",
                "vendor": "Siemens",
                "versions": [
                  {
                    "lessThan": "V3.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "defaultStatus": "unknown",
                "product": "SIPLUS S7-1500 CPU 1518-4 PN/DP MFP",
                "vendor": "Siemens",
                "versions": [
                  {
                    "lessThan": "*",
                    "status": "affected",
                    "version": "V3.1.5",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-12T10:52:23.784Z",
              "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
              "shortName": "siemens-SADP"
            },
            "references": [
              {
                "url": "https://cert-portal.siemens.com/productcert/html/ssa-832273.html"
              },
              {
                "url": "https://cert-portal.siemens.com/productcert/html/ssa-341067.html"
              },
              {
                "url": "https://cert-portal.siemens.com/productcert/html/ssa-784301.html"
              },
              {
                "url": "https://cert-portal.siemens.com/productcert/html/ssa-915275.html"
              },
              {
                "url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
              }
            ],
            "x_adpType": "supplier"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-07T20:05:34.376Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73"
            },
            {
              "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/"
            },
            {
              "url": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/"
            },
            {
              "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack"
            },
            {
              "url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/"
            },
            {
              "url": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/"
            },
            {
              "url": "https://news.ycombinator.com/item?id=37831062"
            },
            {
              "url": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/"
            },
            {
              "url": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack"
            },
            {
              "url": "https://github.com/envoyproxy/envoy/pull/30055"
            },
            {
              "url": "https://github.com/haproxy/haproxy/issues/2312"
            },
            {
              "url": "https://github.com/eclipse/jetty.project/issues/10679"
            },
            {
              "url": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764"
            },
            {
              "url": "https://github.com/nghttp2/nghttp2/pull/1961"
            },
            {
              "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61"
            },
            {
              "url": "https://github.com/alibaba/tengine/issues/1872"
            },
            {
              "url": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2"
            },
            {
              "url": "https://news.ycombinator.com/item?id=37830987"
            },
            {
              "url": "https://news.ycombinator.com/item?id=37830998"
            },
            {
              "url": "https://github.com/caddyserver/caddy/issues/5877"
            },
            {
              "url": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/"
            },
            {
              "url": "https://github.com/bcdannyboy/CVE-2023-44487"
            },
            {
              "url": "https://github.com/grpc/grpc-go/pull/6703"
            },
            {
              "url": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244"
            },
            {
              "url": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0"
            },
            {
              "url": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html"
            },
            {
              "url": "https://my.f5.com/manage/s/article/K000137106"
            },
            {
              "url": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/"
            },
            {
              "url": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988"
            },
            {
              "url": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9"
            },
            {
              "name": "[oss-security] 20231010 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2023/10/10/7"
            },
            {
              "name": "[oss-security] 20231010 CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2023/10/10/6"
            },
            {
              "url": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected"
            },
            {
              "url": "https://github.com/microsoft/CBL-Mariner/pull/6381"
            },
            {
              "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo"
            },
            {
              "url": "https://github.com/facebook/proxygen/pull/466"
            },
            {
              "url": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088"
            },
            {
              "url": "https://github.com/micrictor/http2-rst-stream"
            },
            {
              "url": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve"
            },
            {
              "url": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/"
            },
            {
              "url": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf"
            },
            {
              "url": "https://github.com/h2o/h2o/pull/3291"
            },
            {
              "url": "https://github.com/nodejs/node/pull/50121"
            },
            {
              "url": "https://github.com/dotnet/announcements/issues/277"
            },
            {
              "url": "https://github.com/golang/go/issues/63417"
            },
            {
              "url": "https://github.com/advisories/GHSA-vx74-f528-fxqg"
            },
            {
              "url": "https://github.com/apache/trafficserver/pull/10564"
            },
            {
              "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487"
            },
            {
              "url": "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14"
            },
            {
              "url": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q"
            },
            {
              "url": "https://www.openwall.com/lists/oss-security/2023/10/10/6"
            },
            {
              "url": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487"
            },
            {
              "url": "https://github.com/opensearch-project/data-prepper/issues/3474"
            },
            {
              "url": "https://github.com/kubernetes/kubernetes/pull/121120"
            },
            {
              "url": "https://github.com/oqtane/oqtane.framework/discussions/3367"
            },
            {
              "url": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p"
            },
            {
              "url": "https://netty.io/news/2023/10/10/4-1-100-Final.html"
            },
            {
              "url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487"
            },
            {
              "url": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/"
            },
            {
              "url": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack"
            },
            {
              "url": "https://news.ycombinator.com/item?id=37837043"
            },
            {
              "url": "https://github.com/kazu-yamamoto/http2/issues/93"
            },
            {
              "url": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html"
            },
            {
              "url": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1"
            },
            {
              "url": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113"
            },
            {
              "name": "DSA-5522",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.debian.org/security/2023/dsa-5522"
            },
            {
              "name": "DSA-5521",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.debian.org/security/2023/dsa-5521"
            },
            {
              "url": "https://access.redhat.com/security/cve/cve-2023-44487"
            },
            {
              "url": "https://github.com/ninenines/cowboy/issues/1615"
            },
            {
              "url": "https://github.com/varnishcache/varnish-cache/issues/3996"
            },
            {
              "url": "https://github.com/tempesta-tech/tempesta/issues/1986"
            },
            {
              "url": "https://blog.vespa.ai/cve-2023-44487/"
            },
            {
              "url": "https://github.com/etcd-io/etcd/issues/16740"
            },
            {
              "url": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event"
            },
            {
              "url": "https://istio.io/latest/news/security/istio-security-2023-004/"
            },
            {
              "url": "https://github.com/junkurihara/rust-rpxy/issues/97"
            },
            {
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=1216123"
            },
            {
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803"
            },
            {
              "url": "https://ubuntu.com/security/CVE-2023-44487"
            },
            {
              "url": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125"
            },
            {
              "url": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3"
            },
            {
              "url": "https://github.com/apache/httpd-site/pull/10"
            },
            {
              "url": "https://github.com/projectcontour/contour/pull/5826"
            },
            {
              "url": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632"
            },
            {
              "url": "https://github.com/line/armeria/pull/5232"
            },
            {
              "url": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/"
            },
            {
              "url": "https://security.paloaltonetworks.com/CVE-2023-44487"
            },
            {
              "url": "https://github.com/akka/akka-http/issues/4323"
            },
            {
              "url": "https://github.com/openresty/openresty/issues/930"
            },
            {
              "url": "https://github.com/apache/apisix/issues/10320"
            },
            {
              "url": "https://github.com/Azure/AKS/issues/3947"
            },
            {
              "url": "https://github.com/Kong/kong/discussions/11741"
            },
            {
              "url": "https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487"
            },
            {
              "url": "https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/"
            },
            {
              "url": "https://github.com/caddyserver/caddy/releases/tag/v2.7.5"
            },
            {
              "name": "[debian-lts-announce] 20231013 [SECURITY] [DLA 3617-1] tomcat9 security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html"
            },
            {
              "name": "[oss-security] 20231013 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2023/10/13/4"
            },
            {
              "name": "[oss-security] 20231013 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2023/10/13/9"
            },
            {
              "url": "https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/"
            },
            {
              "url": "https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html"
            },
            {
              "name": "FEDORA-2023-ed2642fd58",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/"
            },
            {
              "url": "https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/"
            },
            {
              "name": "[debian-lts-announce] 20231016 [SECURITY] [DLA 3621-1] nghttp2 security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20231016-0001/"
            },
            {
              "name": "[debian-lts-announce] 20231016 [SECURITY] [DLA 3617-2] tomcat9 regression update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html"
            },
            {
              "name": "[oss-security] 20231018 Vulnerability in Jenkins",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2023/10/18/4"
            },
            {
              "name": "[oss-security] 20231018 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2023/10/18/8"
            },
            {
              "name": "[oss-security] 20231019 CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2023/10/19/6"
            },
            {
              "name": "FEDORA-2023-54fadada12",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/"
            },
            {
              "name": "FEDORA-2023-5ff7bf1dd8",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/"
            },
            {
              "name": "[oss-security] 20231020 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2023/10/20/8"
            },
            {
              "name": "FEDORA-2023-17efd3f2cd",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/"
            },
            {
              "name": "FEDORA-2023-d5030c983c",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/"
            },
            {
              "name": "FEDORA-2023-0259c3f26f",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/"
            },
            {
              "name": "FEDORA-2023-2a9214af5f",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/"
            },
            {
              "name": "FEDORA-2023-e9c04d81c1",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/"
            },
            {
              "name": "FEDORA-2023-f66fc0f62a",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/"
            },
            {
              "name": "FEDORA-2023-4d2fd884ea",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/"
            },
            {
              "name": "FEDORA-2023-b2c50535cb",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/"
            },
            {
              "name": "FEDORA-2023-fe53e13b5b",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/"
            },
            {
              "name": "FEDORA-2023-4bf641255e",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/"
            },
            {
              "name": "[debian-lts-announce] 20231030 [SECURITY] [DLA 3641-1] jetty9 security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html"
            },
            {
              "name": "DSA-5540",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.debian.org/security/2023/dsa-5540"
            },
            {
              "name": "[debian-lts-announce] 20231031 [SECURITY] [DLA 3638-1] h2o security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html"
            },
            {
              "url": "https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715"
            },
            {
              "name": "FEDORA-2023-1caffb88af",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/"
            },
            {
              "name": "FEDORA-2023-3f70b8d406",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/"
            },
            {
              "name": "FEDORA-2023-7b52921cae",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/"
            },
            {
              "name": "FEDORA-2023-7934802344",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/"
            },
            {
              "name": "FEDORA-2023-dbe64661af",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/"
            },
            {
              "name": "FEDORA-2023-822aab0a5a",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/"
            },
            {
              "name": "[debian-lts-announce] 20231105 [SECURITY] [DLA 3645-1] trafficserver security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html"
            },
            {
              "name": "DSA-5549",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.debian.org/security/2023/dsa-5549"
            },
            {
              "name": "FEDORA-2023-c0c6a91330",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/"
            },
            {
              "name": "FEDORA-2023-492b7be466",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/"
            },
            {
              "name": "DSA-5558",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.debian.org/security/2023/dsa-5558"
            },
            {
              "name": "[debian-lts-announce] 20231119 [SECURITY] [DLA 3656-1] netty security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00012.html"
            },
            {
              "name": "GLSA-202311-09",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202311-09"
            },
            {
              "name": "DSA-5570",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.debian.org/security/2023/dsa-5570"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20240426-0007/"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20240621-0006/"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20240621-0007/"
            },
            {
              "url": "https://github.com/grpc/grpc/releases/tag/v1.59.2"
            },
            {
              "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http2-reset-d8Kf32vZ"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2023-44487",
        "datePublished": "2023-10-10T00:00:00.000Z",
        "dateReserved": "2023-09-29T00:00:00.000Z",
        "dateUpdated": "2026-05-12T10:52:23.784Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-0618 (GCVE-0-2022-0618)

    Vulnerability from nvd – Published: 2022-03-09 20:23 – Updated: 2024-08-02 23:32
    VLAI
    Summary
    A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HTTP/2 frame. This vulnerability is caused by a logical error when parsing a HTTP/2 HEADERS or HTTP/2 PUSH_PROMISE frame where the frame contains padding information without any other data. This logical error caused confusion about the size of the frame, leading to a parsing error. This parsing error immediately crashes the entire process. Sending a HEADERS frame or PUSH_PROMISE frame with HTTP/2 padding information does not require any special permission, so any HTTP/2 connection peer may send such a frame. For clients, this means any server to which they connect may launch this attack. For servers, anyone they allow to connect to them may launch such an attack. The attack is low-effort: it takes very little resources to send an appropriately crafted frame. The impact on availability is high: receiving the frame immediately crashes the server, dropping all in-flight connections and causing the service to need to restart. It is straightforward for an attacker to repeatedly send appropriately crafted frames, so attackers require very few resources to achieve a substantial denial of service. The attack does not have any confidentiality or integrity risks in and of itself: swift-nio-http2 is parsing the frame in memory-safe code, so the crash is safe. However, sudden process crashes can lead to violations of invariants in services, so it is possible that this attack can be used to trigger an error condition that has confidentiality or integrity risks. The risk can be mitigated if untrusted peers can be prevented from communicating with the service. This mitigation is not available to many services. The issue is fixed by rewriting the parsing code to correctly handle the condition. The issue was found by automated fuzzing by oss-fuzz.
    Severity
    No CVSS data available.
    CWE
    • CWE-130 - Improper Handling of Length Parameter Inconsistency
    Assigner
    References
    Impacted products
    Vendor Product Version
    Swift Project SwiftNIO HTTP2 Affected: 1.0.0 , < unspecified (custom)
    Affected: unspecified , ≤ 1.19.2 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T23:32:46.550Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-q36x-r5x4-h4q6"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SwiftNIO HTTP2",
              "vendor": "Swift Project",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "1.19.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HTTP/2 frame. This vulnerability is caused by a logical error when parsing a HTTP/2 HEADERS or HTTP/2 PUSH_PROMISE frame where the frame contains padding information without any other data. This logical error caused confusion about the size of the frame, leading to a parsing error. This parsing error immediately crashes the entire process. Sending a HEADERS frame or PUSH_PROMISE frame with HTTP/2 padding information does not require any special permission, so any HTTP/2 connection peer may send such a frame. For clients, this means any server to which they connect may launch this attack. For servers, anyone they allow to connect to them may launch such an attack. The attack is low-effort: it takes very little resources to send an appropriately crafted frame. The impact on availability is high: receiving the frame immediately crashes the server, dropping all in-flight connections and causing the service to need to restart. It is straightforward for an attacker to repeatedly send appropriately crafted frames, so attackers require very few resources to achieve a substantial denial of service. The attack does not have any confidentiality or integrity risks in and of itself: swift-nio-http2 is parsing the frame in memory-safe code, so the crash is safe. However, sudden process crashes can lead to violations of invariants in services, so it is possible that this attack can be used to trigger an error condition that has confidentiality or integrity risks. The risk can be mitigated if untrusted peers can be prevented from communicating with the service. This mitigation is not available to many services. The issue is fixed by rewriting the parsing code to correctly handle the condition. The issue was found by automated fuzzing by oss-fuzz."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-130",
                  "description": "CWE-130: Improper Handling of Length Parameter Inconsistency",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-03-09T20:23:38.000Z",
            "orgId": "e4a1ddda-f4f5-496e-96c8-82c37d06abd0",
            "shortName": "Swift"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-q36x-r5x4-h4q6"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@forums.swift.org",
              "ID": "CVE-2022-0618",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SwiftNIO HTTP2",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "1.0.0"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "1.19.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Swift Project"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HTTP/2 frame. This vulnerability is caused by a logical error when parsing a HTTP/2 HEADERS or HTTP/2 PUSH_PROMISE frame where the frame contains padding information without any other data. This logical error caused confusion about the size of the frame, leading to a parsing error. This parsing error immediately crashes the entire process. Sending a HEADERS frame or PUSH_PROMISE frame with HTTP/2 padding information does not require any special permission, so any HTTP/2 connection peer may send such a frame. For clients, this means any server to which they connect may launch this attack. For servers, anyone they allow to connect to them may launch such an attack. The attack is low-effort: it takes very little resources to send an appropriately crafted frame. The impact on availability is high: receiving the frame immediately crashes the server, dropping all in-flight connections and causing the service to need to restart. It is straightforward for an attacker to repeatedly send appropriately crafted frames, so attackers require very few resources to achieve a substantial denial of service. The attack does not have any confidentiality or integrity risks in and of itself: swift-nio-http2 is parsing the frame in memory-safe code, so the crash is safe. However, sudden process crashes can lead to violations of invariants in services, so it is possible that this attack can be used to trigger an error condition that has confidentiality or integrity risks. The risk can be mitigated if untrusted peers can be prevented from communicating with the service. This mitigation is not available to many services. The issue is fixed by rewriting the parsing code to correctly handle the condition. The issue was found by automated fuzzing by oss-fuzz."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-130: Improper Handling of Length Parameter Inconsistency"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-q36x-r5x4-h4q6",
                  "refsource": "MISC",
                  "url": "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-q36x-r5x4-h4q6"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4a1ddda-f4f5-496e-96c8-82c37d06abd0",
        "assignerShortName": "Swift",
        "cveId": "CVE-2022-0618",
        "datePublished": "2022-03-09T20:23:38.000Z",
        "dateReserved": "2022-02-15T00:00:00.000Z",
        "dateUpdated": "2024-08-02T23:32:46.550Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-24668 (GCVE-0-2022-24668)

    Vulnerability from nvd – Published: 2022-02-09 22:05 – Updated: 2024-08-03 04:20
    VLAI
    Summary
    A program using swift-nio-http2 is vulnerable to a denial of service attack caused by a network peer sending ALTSVC or ORIGIN frames. This attack affects all swift-nio-http2 versions from 1.0.0 to 1.19.1. This vulnerability is caused by a logical error after frame parsing but before frame handling. ORIGIN and ALTSVC frames are not currently supported by swift-nio-http2, and should be ignored. However, one code path that encounters them has a deliberate trap instead. This was left behind from the original development process and was never removed. Sending an ALTSVC or ORIGIN frame does not require any special permission, so any HTTP/2 connection peer may send such a frame. For clients, this means any server to which they connect may launch this attack. For servers, anyone they allow to connect to them may launch such an attack. The attack is low-effort: it takes very little resources to send one of these frames. The impact on availability is high: receiving the frame immediately crashes the server, dropping all in-flight connections and causing the service to need to restart. It is straightforward for an attacker to repeatedly send these frames, so attackers require very few resources to achieve a substantial denial of service. The attack does not have any confidentiality or integrity risks in and of itself. This is a controlled, intentional crash. However, sudden process crashes can lead to violations of invariants in services, so it is possible that this attack can be used to trigger an error condition that has confidentiality or integrity risks. The risk can be mitigated if untrusted peers can be prevented from communicating with the service. This mitigation is not available to many services. The issue is fixed by rewriting the parsing code to correctly handle the condition. The issue was found by automated fuzzing by oss-fuzz.
    Severity
    No CVSS data available.
    CWE
    • CWE-241 - Improper Handling of Unexpected Data Type
    Assigner
    References
    Impacted products
    Vendor Product Version
    Swift Project SwiftNIO HTTP2 Affected: 1.0.0 , < unspecified (custom)
    Affected: unspecified , ≤ 1.19.1 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T04:20:49.138Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-pgfx-g6rc-8cjv"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SwiftNIO HTTP2",
              "vendor": "Swift Project",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "1.19.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A program using swift-nio-http2 is vulnerable to a denial of service attack caused by a network peer sending ALTSVC or ORIGIN frames. This attack affects all swift-nio-http2 versions from 1.0.0 to 1.19.1. This vulnerability is caused by a logical error after frame parsing but before frame handling. ORIGIN and ALTSVC frames are not currently supported by swift-nio-http2, and should be ignored. However, one code path that encounters them has a deliberate trap instead. This was left behind from the original development process and was never removed. Sending an ALTSVC or ORIGIN frame does not require any special permission, so any HTTP/2 connection peer may send such a frame. For clients, this means any server to which they connect may launch this attack. For servers, anyone they allow to connect to them may launch such an attack. The attack is low-effort: it takes very little resources to send one of these frames. The impact on availability is high: receiving the frame immediately crashes the server, dropping all in-flight connections and causing the service to need to restart. It is straightforward for an attacker to repeatedly send these frames, so attackers require very few resources to achieve a substantial denial of service. The attack does not have any confidentiality or integrity risks in and of itself. This is a controlled, intentional crash. However, sudden process crashes can lead to violations of invariants in services, so it is possible that this attack can be used to trigger an error condition that has confidentiality or integrity risks. The risk can be mitigated if untrusted peers can be prevented from communicating with the service. This mitigation is not available to many services. The issue is fixed by rewriting the parsing code to correctly handle the condition. The issue was found by automated fuzzing by oss-fuzz."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-241",
                  "description": "CWE-241: Improper Handling of Unexpected Data Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-02-09T22:05:18.000Z",
            "orgId": "e4a1ddda-f4f5-496e-96c8-82c37d06abd0",
            "shortName": "Swift"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-pgfx-g6rc-8cjv"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@forums.swift.org",
              "ID": "CVE-2022-24668",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SwiftNIO HTTP2",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "1.0.0"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "1.19.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Swift Project"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A program using swift-nio-http2 is vulnerable to a denial of service attack caused by a network peer sending ALTSVC or ORIGIN frames. This attack affects all swift-nio-http2 versions from 1.0.0 to 1.19.1. This vulnerability is caused by a logical error after frame parsing but before frame handling. ORIGIN and ALTSVC frames are not currently supported by swift-nio-http2, and should be ignored. However, one code path that encounters them has a deliberate trap instead. This was left behind from the original development process and was never removed. Sending an ALTSVC or ORIGIN frame does not require any special permission, so any HTTP/2 connection peer may send such a frame. For clients, this means any server to which they connect may launch this attack. For servers, anyone they allow to connect to them may launch such an attack. The attack is low-effort: it takes very little resources to send one of these frames. The impact on availability is high: receiving the frame immediately crashes the server, dropping all in-flight connections and causing the service to need to restart. It is straightforward for an attacker to repeatedly send these frames, so attackers require very few resources to achieve a substantial denial of service. The attack does not have any confidentiality or integrity risks in and of itself. This is a controlled, intentional crash. However, sudden process crashes can lead to violations of invariants in services, so it is possible that this attack can be used to trigger an error condition that has confidentiality or integrity risks. The risk can be mitigated if untrusted peers can be prevented from communicating with the service. This mitigation is not available to many services. The issue is fixed by rewriting the parsing code to correctly handle the condition. The issue was found by automated fuzzing by oss-fuzz."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-241: Improper Handling of Unexpected Data Type"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-pgfx-g6rc-8cjv",
                  "refsource": "MISC",
                  "url": "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-pgfx-g6rc-8cjv"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4a1ddda-f4f5-496e-96c8-82c37d06abd0",
        "assignerShortName": "Swift",
        "cveId": "CVE-2022-24668",
        "datePublished": "2022-02-09T22:05:18.000Z",
        "dateReserved": "2022-02-07T00:00:00.000Z",
        "dateUpdated": "2024-08-03T04:20:49.138Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-24667 (GCVE-0-2022-24667)

    Vulnerability from nvd – Published: 2022-02-09 22:05 – Updated: 2024-08-03 04:20
    VLAI
    Summary
    A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HPACK-encoded header block. This attack affects all swift-nio-http2 versions from 1.0.0 to 1.19.1. There are a number of implementation errors in the parsing of HPACK-encoded header blocks that allow maliciously crafted HPACK header blocks to cause crashes in processes using swift-nio-http2. Each of these crashes is triggered instead of an integer overflow. A malicious HPACK header block could be sent on any of the HPACK-carrying frames in a HTTP/2 connection (HEADERS and PUSH_PROMISE), at any position. Sending a HPACK header block does not require any special permission, so any HTTP/2 connection peer may send one. For clients, this means any server to which they connect may launch this attack. For servers, anyone they allow to connect to them may launch such an attack. The attack is low-effort: it takes very little resources to send an appropriately crafted field block. The impact on availability is high: receiving a frame carrying this field block immediately crashes the server, dropping all in-flight connections and causing the service to need to restart. It is straightforward for an attacker to repeatedly send appropriately crafted field blocks, so attackers require very few resources to achieve a substantial denial of service. The attack does not have any confidentiality or integrity risks in and of itself: swift-nio-http2 is parsing the field block in memory-safe code and the crash is triggered instead of an integer overflow. However, sudden process crashes can lead to violations of invariants in services, so it is possible that this attack can be used to trigger an error condition that has confidentiality or integrity risks. The risk can be mitigated if untrusted peers can be prevented from communicating with the service. This mitigation is not available to many services. The issue is fixed by rewriting the parsing code to correctly handle all conditions in the function. The principal issue was found by automated fuzzing by oss-fuzz, but several associated bugs in the same code were found by code audit and fixed at the same time
    Severity
    No CVSS data available.
    CWE
    • CWE-190 - Integer Overflow or Wraparound
    Assigner
    References
    Impacted products
    Vendor Product Version
    Swift Project SwiftNIO HTTP2 Affected: 1.0.0 , < unspecified (custom)
    Affected: unspecified , ≤ 1.19.1 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T04:20:49.139Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-w3f6-pc54-gfw7"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SwiftNIO HTTP2",
              "vendor": "Swift Project",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "1.19.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HPACK-encoded header block. This attack affects all swift-nio-http2 versions from 1.0.0 to 1.19.1. There are a number of implementation errors in the parsing of HPACK-encoded header blocks that allow maliciously crafted HPACK header blocks to cause crashes in processes using swift-nio-http2. Each of these crashes is triggered instead of an integer overflow. A malicious HPACK header block could be sent on any of the HPACK-carrying frames in a HTTP/2 connection (HEADERS and PUSH_PROMISE), at any position. Sending a HPACK header block does not require any special permission, so any HTTP/2 connection peer may send one. For clients, this means any server to which they connect may launch this attack. For servers, anyone they allow to connect to them may launch such an attack. The attack is low-effort: it takes very little resources to send an appropriately crafted field block. The impact on availability is high: receiving a frame carrying this field block immediately crashes the server, dropping all in-flight connections and causing the service to need to restart. It is straightforward for an attacker to repeatedly send appropriately crafted field blocks, so attackers require very few resources to achieve a substantial denial of service. The attack does not have any confidentiality or integrity risks in and of itself: swift-nio-http2 is parsing the field block in memory-safe code and the crash is triggered instead of an integer overflow. However, sudden process crashes can lead to violations of invariants in services, so it is possible that this attack can be used to trigger an error condition that has confidentiality or integrity risks. The risk can be mitigated if untrusted peers can be prevented from communicating with the service. This mitigation is not available to many services. The issue is fixed by rewriting the parsing code to correctly handle all conditions in the function. The principal issue was found by automated fuzzing by oss-fuzz, but several associated bugs in the same code were found by code audit and fixed at the same time"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-190",
                  "description": "CWE-190: Integer Overflow or Wraparound",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-02-09T22:05:17.000Z",
            "orgId": "e4a1ddda-f4f5-496e-96c8-82c37d06abd0",
            "shortName": "Swift"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-w3f6-pc54-gfw7"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@forums.swift.org",
              "ID": "CVE-2022-24667",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SwiftNIO HTTP2",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "1.0.0"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "1.19.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Swift Project"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HPACK-encoded header block. This attack affects all swift-nio-http2 versions from 1.0.0 to 1.19.1. There are a number of implementation errors in the parsing of HPACK-encoded header blocks that allow maliciously crafted HPACK header blocks to cause crashes in processes using swift-nio-http2. Each of these crashes is triggered instead of an integer overflow. A malicious HPACK header block could be sent on any of the HPACK-carrying frames in a HTTP/2 connection (HEADERS and PUSH_PROMISE), at any position. Sending a HPACK header block does not require any special permission, so any HTTP/2 connection peer may send one. For clients, this means any server to which they connect may launch this attack. For servers, anyone they allow to connect to them may launch such an attack. The attack is low-effort: it takes very little resources to send an appropriately crafted field block. The impact on availability is high: receiving a frame carrying this field block immediately crashes the server, dropping all in-flight connections and causing the service to need to restart. It is straightforward for an attacker to repeatedly send appropriately crafted field blocks, so attackers require very few resources to achieve a substantial denial of service. The attack does not have any confidentiality or integrity risks in and of itself: swift-nio-http2 is parsing the field block in memory-safe code and the crash is triggered instead of an integer overflow. However, sudden process crashes can lead to violations of invariants in services, so it is possible that this attack can be used to trigger an error condition that has confidentiality or integrity risks. The risk can be mitigated if untrusted peers can be prevented from communicating with the service. This mitigation is not available to many services. The issue is fixed by rewriting the parsing code to correctly handle all conditions in the function. The principal issue was found by automated fuzzing by oss-fuzz, but several associated bugs in the same code were found by code audit and fixed at the same time"
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-190: Integer Overflow or Wraparound"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-w3f6-pc54-gfw7",
                  "refsource": "MISC",
                  "url": "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-w3f6-pc54-gfw7"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4a1ddda-f4f5-496e-96c8-82c37d06abd0",
        "assignerShortName": "Swift",
        "cveId": "CVE-2022-24667",
        "datePublished": "2022-02-09T22:05:17.000Z",
        "dateReserved": "2022-02-07T00:00:00.000Z",
        "dateUpdated": "2024-08-03T04:20:49.139Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-24666 (GCVE-0-2022-24666)

    Vulnerability from nvd – Published: 2022-02-09 22:05 – Updated: 2024-08-03 04:20
    VLAI
    Summary
    A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HTTP/2 frame. This attack affects all swift-nio-http2 versions from 1.0.0 to 1.19.1. This vulnerability is caused by a logical error when parsing a HTTP/2 HEADERS frame where the frame contains priority information without any other data. This logical error caused confusion about the size of the frame, leading to a parsing error. This parsing error immediately crashes the entire process. Sending a HEADERS frame with HTTP/2 priority information does not require any special permission, so any HTTP/2 connection peer may send such a frame. For clients, this means any server to which they connect may launch this attack. For servers, anyone they allow to connect to them may launch such an attack. The attack is low-effort: it takes very little resources to send an appropriately crafted frame. The impact on availability is high: receiving the frame immediately crashes the server, dropping all in-flight connections and causing the service to need to restart. It is straightforward for an attacker to repeatedly send appropriately crafted frames, so attackers require very few resources to achieve a substantial denial of service. The attack does not have any confidentiality or integrity risks in and of itself: swift-nio-http2 is parsing the frame in memory-safe code, so the crash is safe. However, sudden process crashes can lead to violations of invariants in services, so it is possible that this attack can be used to trigger an error condition that has confidentiality or integrity risks. The risk can be mitigated if untrusted peers can be prevented from communicating with the service. This mitigation is not available to many services. The issue is fixed by rewriting the parsing code to correctly handle the condition. The issue was found by automated fuzzing by oss-fuzz.
    Severity
    No CVSS data available.
    CWE
    • CWE-130 - Improper Handling of Length Parameter Inconsistency
    Assigner
    References
    Impacted products
    Vendor Product Version
    Swift Project SwiftNIO HTTP2 Affected: 1.0.0 , < unspecified (custom)
    Affected: unspecified , ≤ 1.19.1 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T04:20:49.125Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-ccw9-q5h2-8c2w"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SwiftNIO HTTP2",
              "vendor": "Swift Project",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "1.19.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HTTP/2 frame. This attack affects all swift-nio-http2 versions from 1.0.0 to 1.19.1. This vulnerability is caused by a logical error when parsing a HTTP/2 HEADERS frame where the frame contains priority information without any other data. This logical error caused confusion about the size of the frame, leading to a parsing error. This parsing error immediately crashes the entire process. Sending a HEADERS frame with HTTP/2 priority information does not require any special permission, so any HTTP/2 connection peer may send such a frame. For clients, this means any server to which they connect may launch this attack. For servers, anyone they allow to connect to them may launch such an attack. The attack is low-effort: it takes very little resources to send an appropriately crafted frame. The impact on availability is high: receiving the frame immediately crashes the server, dropping all in-flight connections and causing the service to need to restart. It is straightforward for an attacker to repeatedly send appropriately crafted frames, so attackers require very few resources to achieve a substantial denial of service. The attack does not have any confidentiality or integrity risks in and of itself: swift-nio-http2 is parsing the frame in memory-safe code, so the crash is safe. However, sudden process crashes can lead to violations of invariants in services, so it is possible that this attack can be used to trigger an error condition that has confidentiality or integrity risks. The risk can be mitigated if untrusted peers can be prevented from communicating with the service. This mitigation is not available to many services. The issue is fixed by rewriting the parsing code to correctly handle the condition. The issue was found by automated fuzzing by oss-fuzz."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-130",
                  "description": "CWE-130: Improper Handling of Length Parameter Inconsistency",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-02-09T22:05:16.000Z",
            "orgId": "e4a1ddda-f4f5-496e-96c8-82c37d06abd0",
            "shortName": "Swift"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-ccw9-q5h2-8c2w"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@forums.swift.org",
              "ID": "CVE-2022-24666",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SwiftNIO HTTP2",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "1.0.0"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "1.19.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Swift Project"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HTTP/2 frame. This attack affects all swift-nio-http2 versions from 1.0.0 to 1.19.1. This vulnerability is caused by a logical error when parsing a HTTP/2 HEADERS frame where the frame contains priority information without any other data. This logical error caused confusion about the size of the frame, leading to a parsing error. This parsing error immediately crashes the entire process. Sending a HEADERS frame with HTTP/2 priority information does not require any special permission, so any HTTP/2 connection peer may send such a frame. For clients, this means any server to which they connect may launch this attack. For servers, anyone they allow to connect to them may launch such an attack. The attack is low-effort: it takes very little resources to send an appropriately crafted frame. The impact on availability is high: receiving the frame immediately crashes the server, dropping all in-flight connections and causing the service to need to restart. It is straightforward for an attacker to repeatedly send appropriately crafted frames, so attackers require very few resources to achieve a substantial denial of service. The attack does not have any confidentiality or integrity risks in and of itself: swift-nio-http2 is parsing the frame in memory-safe code, so the crash is safe. However, sudden process crashes can lead to violations of invariants in services, so it is possible that this attack can be used to trigger an error condition that has confidentiality or integrity risks. The risk can be mitigated if untrusted peers can be prevented from communicating with the service. This mitigation is not available to many services. The issue is fixed by rewriting the parsing code to correctly handle the condition. The issue was found by automated fuzzing by oss-fuzz."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-130: Improper Handling of Length Parameter Inconsistency"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-ccw9-q5h2-8c2w",
                  "refsource": "MISC",
                  "url": "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-ccw9-q5h2-8c2w"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4a1ddda-f4f5-496e-96c8-82c37d06abd0",
        "assignerShortName": "Swift",
        "cveId": "CVE-2022-24666",
        "datePublished": "2022-02-09T22:05:16.000Z",
        "dateReserved": "2022-02-07T00:00:00.000Z",
        "dateUpdated": "2024-08-03T04:20:49.125Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-28898 (GCVE-0-2026-28898)

    Vulnerability from cvelistv5 – Published: 2026-06-25 18:36 – Updated: 2026-06-25 19:28
    VLAI
    Summary
    swift-nio-http2's HTTP/2-to-HTTP/1.1 codec did not validate pseudo-header values for control characters before placing them into the translated HTTP/1.1 message. swift-nio-http2 1.44.1 adds validation of all pseudo-header values (:path, :authority, :scheme, :method, and :status) at both the HPACK header validation layer and the HTTP/2-to-HTTP/1.1 translation layer. Requests or responses containing CR, LF, or NUL bytes in any pseudo-header value are now rejected with a connection error. This issue is fixed in swift-nio-http2 1.44.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • swift-nio-http2's HTTP/2-to-HTTP/1.1 codec did not validate pseudo-header values for control characters before placing them into the translated HTTP/1.1 message.
    • CWE-116 - Improper Encoding or Escaping of Output
    Assigner
    References
    Impacted products
    Vendor Product Version
    Apple swift-nio-http2 Affected: 0 , < 1.44.1 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-28898",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T19:28:33.856470Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-116",
                    "description": "CWE-116 Improper Encoding or Escaping of Output",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T19:28:38.970Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "swift-nio-http2",
              "vendor": "Apple",
              "versions": [
                {
                  "lessThan": "1.44.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "swift-nio-http2\u0027s HTTP/2-to-HTTP/1.1 codec did not validate pseudo-header values for control characters before placing them into the translated HTTP/1.1 message. swift-nio-http2 1.44.1 adds validation of all pseudo-header values (:path, :authority, :scheme, :method, and :status) at both the HPACK header validation layer and the HTTP/2-to-HTTP/1.1 translation layer. Requests or responses containing CR, LF, or NUL bytes in any pseudo-header value are now rejected with a connection error. This issue is fixed in swift-nio-http2 1.44.1."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "swift-nio-http2\u0027s HTTP/2-to-HTTP/1.1 codec did not validate pseudo-header values for control characters before placing them into the translated HTTP/1.1 message.",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T18:36:54.046Z",
            "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c",
            "shortName": "apple"
          },
          "references": [
            {
              "url": "https://github.com/advisories/GHSA-4px2-pw77-vc85"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c",
        "assignerShortName": "apple",
        "cveId": "CVE-2026-28898",
        "datePublished": "2026-06-25T18:36:54.046Z",
        "dateReserved": "2026-03-03T16:36:03.983Z",
        "dateUpdated": "2026-06-25T19:28:38.970Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-44487 (GCVE-0-2023-44487)

    Vulnerability from cvelistv5 – Published: 2023-10-10 00:00 – Updated: 2026-05-12 10:52
    VLAI CISA KEVIntel
    Summary
    The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
    SSVC
    Exploitation: active Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    URL Tags
    https://github.com/dotnet/core/blob/e4613450ea0da…
    https://blog.cloudflare.com/technical-breakdown-h…
    https://aws.amazon.com/security/security-bulletin…
    https://cloud.google.com/blog/products/identity-s…
    https://www.nginx.com/blog/http-2-rapid-reset-att…
    https://cloud.google.com/blog/products/identity-s…
    https://news.ycombinator.com/item?id=37831062
    https://blog.cloudflare.com/zero-day-rapid-reset-…
    https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack
    https://github.com/envoyproxy/envoy/pull/30055
    https://github.com/haproxy/haproxy/issues/2312
    https://github.com/eclipse/jetty.project/issues/10679
    https://forums.swift.org/t/swift-nio-http2-securi…
    https://github.com/nghttp2/nghttp2/pull/1961
    https://github.com/netty/netty/commit/58f75f665aa…
    https://github.com/alibaba/tengine/issues/1872
    https://github.com/apache/tomcat/tree/main/java/o…
    https://news.ycombinator.com/item?id=37830987
    https://news.ycombinator.com/item?id=37830998
    https://github.com/caddyserver/caddy/issues/5877
    https://www.bleepingcomputer.com/news/security/ne…
    https://github.com/bcdannyboy/CVE-2023-44487
    https://github.com/grpc/grpc-go/pull/6703
    https://github.com/icing/mod_h2/blob/0a864782af0a…
    https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0
    https://mailman.nginx.org/pipermail/nginx-devel/2…
    https://my.f5.com/manage/s/article/K000137106
    https://msrc.microsoft.com/blog/2023/10/microsoft…
    https://bugzilla.proxmox.com/show_bug.cgi?id=4988
    https://cgit.freebsd.org/ports/commit/?id=c64c329…
    http://www.openwall.com/lists/oss-security/2023/10/10/7 mailing-list
    http://www.openwall.com/lists/oss-security/2023/10/10/6 mailing-list
    https://seanmonstar.com/post/730794151136935936/h…
    https://github.com/microsoft/CBL-Mariner/pull/6381
    https://groups.google.com/g/golang-announce/c/iNN…
    https://github.com/facebook/proxygen/pull/466
    https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a…
    https://github.com/micrictor/http2-rst-stream
    https://edg.io/lp/blog/resets-leaks-ddos-and-the-…
    https://openssf.org/blog/2023/10/10/http-2-rapid-…
    https://github.com/h2o/h2o/security/advisories/GH…
    https://github.com/h2o/h2o/pull/3291
    https://github.com/nodejs/node/pull/50121
    https://github.com/dotnet/announcements/issues/277
    https://github.com/golang/go/issues/63417
    https://github.com/advisories/GHSA-vx74-f528-fxqg
    https://github.com/apache/trafficserver/pull/10564
    https://msrc.microsoft.com/update-guide/vulnerabi…
    https://tomcat.apache.org/security-10.html#Fixed_…
    https://lists.apache.org/thread/5py8h42mxfsn8l1wy…
    https://www.openwall.com/lists/oss-security/2023/…
    https://www.haproxy.com/blog/haproxy-is-not-affec…
    https://github.com/opensearch-project/data-preppe…
    https://github.com/kubernetes/kubernetes/pull/121120
    https://github.com/oqtane/oqtane.framework/discus…
    https://github.com/advisories/GHSA-xpw8-rcwv-8f8p
    https://netty.io/news/2023/10/10/4-1-100-Final.html
    https://www.cisa.gov/news-events/alerts/2023/10/1…
    https://www.theregister.com/2023/10/10/http2_rapi…
    https://blog.qualys.com/vulnerabilities-threat-re…
    https://news.ycombinator.com/item?id=37837043
    https://github.com/kazu-yamamoto/http2/issues/93
    https://martinthomson.github.io/h2-stream-limits/…
    https://github.com/kazu-yamamoto/http2/commit/f61…
    https://github.com/apache/httpd/blob/afcdbeebbff4…
    https://www.debian.org/security/2023/dsa-5522 vendor-advisory
    https://www.debian.org/security/2023/dsa-5521 vendor-advisory
    https://access.redhat.com/security/cve/cve-2023-44487
    https://github.com/ninenines/cowboy/issues/1615
    https://github.com/varnishcache/varnish-cache/iss…
    https://github.com/tempesta-tech/tempesta/issues/1986
    https://blog.vespa.ai/cve-2023-44487/
    https://github.com/etcd-io/etcd/issues/16740
    https://www.darkreading.com/cloud/internet-wide-z…
    https://istio.io/latest/news/security/istio-secur…
    https://github.com/junkurihara/rust-rpxy/issues/97
    https://bugzilla.suse.com/show_bug.cgi?id=1216123
    https://bugzilla.redhat.com/show_bug.cgi?id=2242803
    https://ubuntu.com/security/CVE-2023-44487
    https://community.traefik.io/t/is-traefik-vulnera…
    https://github.com/advisories/GHSA-qppj-fm5r-hxr3
    https://github.com/apache/httpd-site/pull/10
    https://github.com/projectcontour/contour/pull/5826
    https://github.com/linkerd/website/pull/1695/comm…
    https://github.com/line/armeria/pull/5232
    https://blog.litespeedtech.com/2023/10/11/rapid-r…
    https://security.paloaltonetworks.com/CVE-2023-44487
    https://github.com/akka/akka-http/issues/4323
    https://github.com/openresty/openresty/issues/930
    https://github.com/apache/apisix/issues/10320
    https://github.com/Azure/AKS/issues/3947
    https://github.com/Kong/kong/discussions/11741
    https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487
    https://www.netlify.com/blog/netlify-successfully…
    https://github.com/caddyserver/caddy/releases/tag…
    https://lists.debian.org/debian-lts-announce/2023… mailing-list
    http://www.openwall.com/lists/oss-security/2023/10/13/4 mailing-list
    http://www.openwall.com/lists/oss-security/2023/10/13/9 mailing-list
    https://arstechnica.com/security/2023/10/how-ddos…
    https://lists.w3.org/Archives/Public/ietf-http-wg…
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/
    https://lists.debian.org/debian-lts-announce/2023… mailing-list
    https://security.netapp.com/advisory/ntap-2023101…
    https://lists.debian.org/debian-lts-announce/2023… mailing-list
    http://www.openwall.com/lists/oss-security/2023/10/18/4 mailing-list
    http://www.openwall.com/lists/oss-security/2023/10/18/8 mailing-list
    http://www.openwall.com/lists/oss-security/2023/10/19/6 mailing-list
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    http://www.openwall.com/lists/oss-security/2023/10/20/8 mailing-list
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.debian.org/debian-lts-announce/2023… mailing-list
    https://www.debian.org/security/2023/dsa-5540 vendor-advisory
    https://lists.debian.org/debian-lts-announce/2023… mailing-list
    https://discuss.hashicorp.com/t/hcsec-2023-32-vau…
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.debian.org/debian-lts-announce/2023… mailing-list
    https://www.debian.org/security/2023/dsa-5549 vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://www.debian.org/security/2023/dsa-5558 vendor-advisory
    https://lists.debian.org/debian-lts-announce/2023… mailing-list
    https://security.gentoo.org/glsa/202311-09 vendor-advisory
    https://www.debian.org/security/2023/dsa-5570 vendor-advisory
    https://security.netapp.com/advisory/ntap-2024042…
    https://security.netapp.com/advisory/ntap-2024062…
    https://security.netapp.com/advisory/ntap-2024062…
    https://github.com/grpc/grpc/releases/tag/v1.59.2
    https://sec.cloudapps.cisco.com/security/center/c…
    https://www.cisa.gov/known-exploited-vulnerabilit… government-resource
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_transferred
    https://www.vicarius.io/vsociety/posts/rapid-rese…
    http://www.openwall.com/lists/oss-security/2025/08/13/6
    https://cert-portal.siemens.com/productcert/html/…
    https://cert-portal.siemens.com/productcert/html/…
    https://cert-portal.siemens.com/productcert/html/…
    https://cert-portal.siemens.com/productcert/html/…
    https://cert-portal.siemens.com/productcert/html/…
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:ietf:http:2.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "http",
                "vendor": "ietf",
                "versions": [
                  {
                    "status": "affected",
                    "version": "2.0"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-44487",
                    "options": [
                      {
                        "Exploitation": "active"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-23T20:34:21.334116Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              },
              {
                "other": {
                  "content": {
                    "dateAdded": "2023-10-10",
                    "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-44487"
                  },
                  "type": "kev"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-400",
                    "description": "CWE-400 Uncontrolled Resource Consumption",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-21T23:05:35.187Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "government-resource"
                ],
                "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-44487"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2023-10-10T00:00:00.000Z",
                "value": "CVE-2023-44487 added to CISA KEV"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-04T21:08:27.383Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://news.ycombinator.com/item?id=37831062"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/envoyproxy/envoy/pull/30055"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/haproxy/haproxy/issues/2312"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/eclipse/jetty.project/issues/10679"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/nghttp2/nghttp2/pull/1961"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/alibaba/tengine/issues/1872"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://news.ycombinator.com/item?id=37830987"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://news.ycombinator.com/item?id=37830998"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/caddyserver/caddy/issues/5877"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/bcdannyboy/CVE-2023-44487"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/grpc/grpc-go/pull/6703"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://my.f5.com/manage/s/article/K000137106"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/microsoft/CBL-Mariner/pull/6381"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/facebook/proxygen/pull/466"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/micrictor/http2-rst-stream"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/h2o/h2o/pull/3291"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/nodejs/node/pull/50121"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/dotnet/announcements/issues/277"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/golang/go/issues/63417"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/advisories/GHSA-vx74-f528-fxqg"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/apache/trafficserver/pull/10564"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.openwall.com/lists/oss-security/2023/10/10/6"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/opensearch-project/data-prepper/issues/3474"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/kubernetes/kubernetes/pull/121120"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/oqtane/oqtane.framework/discussions/3367"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://netty.io/news/2023/10/10/4-1-100-Final.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://news.ycombinator.com/item?id=37837043"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/kazu-yamamoto/http2/issues/93"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113"
              },
              {
                "name": "DSA-5522",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5522"
              },
              {
                "name": "DSA-5521",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5521"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/security/cve/cve-2023-44487"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/ninenines/cowboy/issues/1615"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/varnishcache/varnish-cache/issues/3996"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/tempesta-tech/tempesta/issues/1986"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://blog.vespa.ai/cve-2023-44487/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/etcd-io/etcd/issues/16740"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://istio.io/latest/news/security/istio-security-2023-004/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/junkurihara/rust-rpxy/issues/97"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://bugzilla.suse.com/show_bug.cgi?id=1216123"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://ubuntu.com/security/CVE-2023-44487"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/apache/httpd-site/pull/10"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/projectcontour/contour/pull/5826"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/line/armeria/pull/5232"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.paloaltonetworks.com/CVE-2023-44487"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/akka/akka-http/issues/4323"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/openresty/openresty/issues/930"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/apache/apisix/issues/10320"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/Azure/AKS/issues/3947"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/Kong/kong/discussions/11741"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/caddyserver/caddy/releases/tag/v2.7.5"
              },
              {
                "name": "[debian-lts-announce] 20231013 [SECURITY] [DLA 3617-1] tomcat9 security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html"
              },
              {
                "name": "[oss-security] 20231013 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2023/10/13/4"
              },
              {
                "name": "[oss-security] 20231013 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2023/10/13/9"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html"
              },
              {
                "name": "FEDORA-2023-ed2642fd58",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/"
              },
              {
                "name": "[debian-lts-announce] 20231016 [SECURITY] [DLA 3621-1] nghttp2 security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20231016-0001/"
              },
              {
                "name": "[debian-lts-announce] 20231016 [SECURITY] [DLA 3617-2] tomcat9 regression update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html"
              },
              {
                "name": "[oss-security] 20231018 Vulnerability in Jenkins",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2023/10/18/4"
              },
              {
                "name": "[oss-security] 20231018 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2023/10/18/8"
              },
              {
                "name": "[oss-security] 20231019 CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2023/10/19/6"
              },
              {
                "name": "FEDORA-2023-54fadada12",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/"
              },
              {
                "name": "FEDORA-2023-5ff7bf1dd8",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/"
              },
              {
                "name": "[oss-security] 20231020 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2023/10/20/8"
              },
              {
                "name": "FEDORA-2023-17efd3f2cd",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/"
              },
              {
                "name": "FEDORA-2023-d5030c983c",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/"
              },
              {
                "name": "FEDORA-2023-0259c3f26f",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/"
              },
              {
                "name": "FEDORA-2023-2a9214af5f",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/"
              },
              {
                "name": "FEDORA-2023-e9c04d81c1",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/"
              },
              {
                "name": "FEDORA-2023-f66fc0f62a",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/"
              },
              {
                "name": "FEDORA-2023-4d2fd884ea",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/"
              },
              {
                "name": "FEDORA-2023-b2c50535cb",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/"
              },
              {
                "name": "FEDORA-2023-fe53e13b5b",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/"
              },
              {
                "name": "FEDORA-2023-4bf641255e",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/"
              },
              {
                "name": "[debian-lts-announce] 20231030 [SECURITY] [DLA 3641-1] jetty9 security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html"
              },
              {
                "name": "DSA-5540",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5540"
              },
              {
                "name": "[debian-lts-announce] 20231031 [SECURITY] [DLA 3638-1] h2o security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715"
              },
              {
                "name": "FEDORA-2023-1caffb88af",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/"
              },
              {
                "name": "FEDORA-2023-3f70b8d406",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/"
              },
              {
                "name": "FEDORA-2023-7b52921cae",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/"
              },
              {
                "name": "FEDORA-2023-7934802344",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/"
              },
              {
                "name": "FEDORA-2023-dbe64661af",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/"
              },
              {
                "name": "FEDORA-2023-822aab0a5a",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/"
              },
              {
                "name": "[debian-lts-announce] 20231105 [SECURITY] [DLA 3645-1] trafficserver security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html"
              },
              {
                "name": "DSA-5549",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5549"
              },
              {
                "name": "FEDORA-2023-c0c6a91330",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/"
              },
              {
                "name": "FEDORA-2023-492b7be466",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/"
              },
              {
                "name": "DSA-5558",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5558"
              },
              {
                "name": "[debian-lts-announce] 20231119 [SECURITY] [DLA 3656-1] netty security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00012.html"
              },
              {
                "name": "GLSA-202311-09",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202311-09"
              },
              {
                "name": "DSA-5570",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5570"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20240426-0007/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20240621-0006/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20240621-0007/"
              },
              {
                "url": "https://www.vicarius.io/vsociety/posts/rapid-reset-cve-2023-44487-dos-in-http2-understanding-the-root-cause"
              },
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/08/13/6"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "defaultStatus": "unknown",
                "product": "RUGGEDCOM APE1808",
                "vendor": "Siemens",
                "versions": [
                  {
                    "lessThan": "*",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "defaultStatus": "unknown",
                "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
                "vendor": "Siemens",
                "versions": [
                  {
                    "lessThan": "*",
                    "status": "affected",
                    "version": "V3.1.5",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "defaultStatus": "unknown",
                "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
                "vendor": "Siemens",
                "versions": [
                  {
                    "lessThan": "*",
                    "status": "affected",
                    "version": "V3.1.5",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "defaultStatus": "unknown",
                "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
                "vendor": "Siemens",
                "versions": [
                  {
                    "lessThan": "*",
                    "status": "affected",
                    "version": "V3.1.5",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "defaultStatus": "unknown",
                "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
                "vendor": "Siemens",
                "versions": [
                  {
                    "lessThan": "*",
                    "status": "affected",
                    "version": "V3.1.5",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "defaultStatus": "unknown",
                "product": "SINEC NMS",
                "vendor": "Siemens",
                "versions": [
                  {
                    "lessThan": "V3.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "defaultStatus": "unknown",
                "product": "SIPLUS S7-1500 CPU 1518-4 PN/DP MFP",
                "vendor": "Siemens",
                "versions": [
                  {
                    "lessThan": "*",
                    "status": "affected",
                    "version": "V3.1.5",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-12T10:52:23.784Z",
              "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
              "shortName": "siemens-SADP"
            },
            "references": [
              {
                "url": "https://cert-portal.siemens.com/productcert/html/ssa-832273.html"
              },
              {
                "url": "https://cert-portal.siemens.com/productcert/html/ssa-341067.html"
              },
              {
                "url": "https://cert-portal.siemens.com/productcert/html/ssa-784301.html"
              },
              {
                "url": "https://cert-portal.siemens.com/productcert/html/ssa-915275.html"
              },
              {
                "url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
              }
            ],
            "x_adpType": "supplier"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-07T20:05:34.376Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73"
            },
            {
              "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/"
            },
            {
              "url": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/"
            },
            {
              "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack"
            },
            {
              "url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/"
            },
            {
              "url": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/"
            },
            {
              "url": "https://news.ycombinator.com/item?id=37831062"
            },
            {
              "url": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/"
            },
            {
              "url": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack"
            },
            {
              "url": "https://github.com/envoyproxy/envoy/pull/30055"
            },
            {
              "url": "https://github.com/haproxy/haproxy/issues/2312"
            },
            {
              "url": "https://github.com/eclipse/jetty.project/issues/10679"
            },
            {
              "url": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764"
            },
            {
              "url": "https://github.com/nghttp2/nghttp2/pull/1961"
            },
            {
              "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61"
            },
            {
              "url": "https://github.com/alibaba/tengine/issues/1872"
            },
            {
              "url": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2"
            },
            {
              "url": "https://news.ycombinator.com/item?id=37830987"
            },
            {
              "url": "https://news.ycombinator.com/item?id=37830998"
            },
            {
              "url": "https://github.com/caddyserver/caddy/issues/5877"
            },
            {
              "url": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/"
            },
            {
              "url": "https://github.com/bcdannyboy/CVE-2023-44487"
            },
            {
              "url": "https://github.com/grpc/grpc-go/pull/6703"
            },
            {
              "url": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244"
            },
            {
              "url": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0"
            },
            {
              "url": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html"
            },
            {
              "url": "https://my.f5.com/manage/s/article/K000137106"
            },
            {
              "url": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/"
            },
            {
              "url": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988"
            },
            {
              "url": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9"
            },
            {
              "name": "[oss-security] 20231010 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2023/10/10/7"
            },
            {
              "name": "[oss-security] 20231010 CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2023/10/10/6"
            },
            {
              "url": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected"
            },
            {
              "url": "https://github.com/microsoft/CBL-Mariner/pull/6381"
            },
            {
              "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo"
            },
            {
              "url": "https://github.com/facebook/proxygen/pull/466"
            },
            {
              "url": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088"
            },
            {
              "url": "https://github.com/micrictor/http2-rst-stream"
            },
            {
              "url": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve"
            },
            {
              "url": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/"
            },
            {
              "url": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf"
            },
            {
              "url": "https://github.com/h2o/h2o/pull/3291"
            },
            {
              "url": "https://github.com/nodejs/node/pull/50121"
            },
            {
              "url": "https://github.com/dotnet/announcements/issues/277"
            },
            {
              "url": "https://github.com/golang/go/issues/63417"
            },
            {
              "url": "https://github.com/advisories/GHSA-vx74-f528-fxqg"
            },
            {
              "url": "https://github.com/apache/trafficserver/pull/10564"
            },
            {
              "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487"
            },
            {
              "url": "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14"
            },
            {
              "url": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q"
            },
            {
              "url": "https://www.openwall.com/lists/oss-security/2023/10/10/6"
            },
            {
              "url": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487"
            },
            {
              "url": "https://github.com/opensearch-project/data-prepper/issues/3474"
            },
            {
              "url": "https://github.com/kubernetes/kubernetes/pull/121120"
            },
            {
              "url": "https://github.com/oqtane/oqtane.framework/discussions/3367"
            },
            {
              "url": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p"
            },
            {
              "url": "https://netty.io/news/2023/10/10/4-1-100-Final.html"
            },
            {
              "url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487"
            },
            {
              "url": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/"
            },
            {
              "url": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack"
            },
            {
              "url": "https://news.ycombinator.com/item?id=37837043"
            },
            {
              "url": "https://github.com/kazu-yamamoto/http2/issues/93"
            },
            {
              "url": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html"
            },
            {
              "url": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1"
            },
            {
              "url": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113"
            },
            {
              "name": "DSA-5522",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.debian.org/security/2023/dsa-5522"
            },
            {
              "name": "DSA-5521",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.debian.org/security/2023/dsa-5521"
            },
            {
              "url": "https://access.redhat.com/security/cve/cve-2023-44487"
            },
            {
              "url": "https://github.com/ninenines/cowboy/issues/1615"
            },
            {
              "url": "https://github.com/varnishcache/varnish-cache/issues/3996"
            },
            {
              "url": "https://github.com/tempesta-tech/tempesta/issues/1986"
            },
            {
              "url": "https://blog.vespa.ai/cve-2023-44487/"
            },
            {
              "url": "https://github.com/etcd-io/etcd/issues/16740"
            },
            {
              "url": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event"
            },
            {
              "url": "https://istio.io/latest/news/security/istio-security-2023-004/"
            },
            {
              "url": "https://github.com/junkurihara/rust-rpxy/issues/97"
            },
            {
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=1216123"
            },
            {
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803"
            },
            {
              "url": "https://ubuntu.com/security/CVE-2023-44487"
            },
            {
              "url": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125"
            },
            {
              "url": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3"
            },
            {
              "url": "https://github.com/apache/httpd-site/pull/10"
            },
            {
              "url": "https://github.com/projectcontour/contour/pull/5826"
            },
            {
              "url": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632"
            },
            {
              "url": "https://github.com/line/armeria/pull/5232"
            },
            {
              "url": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/"
            },
            {
              "url": "https://security.paloaltonetworks.com/CVE-2023-44487"
            },
            {
              "url": "https://github.com/akka/akka-http/issues/4323"
            },
            {
              "url": "https://github.com/openresty/openresty/issues/930"
            },
            {
              "url": "https://github.com/apache/apisix/issues/10320"
            },
            {
              "url": "https://github.com/Azure/AKS/issues/3947"
            },
            {
              "url": "https://github.com/Kong/kong/discussions/11741"
            },
            {
              "url": "https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487"
            },
            {
              "url": "https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/"
            },
            {
              "url": "https://github.com/caddyserver/caddy/releases/tag/v2.7.5"
            },
            {
              "name": "[debian-lts-announce] 20231013 [SECURITY] [DLA 3617-1] tomcat9 security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html"
            },
            {
              "name": "[oss-security] 20231013 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2023/10/13/4"
            },
            {
              "name": "[oss-security] 20231013 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2023/10/13/9"
            },
            {
              "url": "https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/"
            },
            {
              "url": "https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html"
            },
            {
              "name": "FEDORA-2023-ed2642fd58",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/"
            },
            {
              "url": "https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/"
            },
            {
              "name": "[debian-lts-announce] 20231016 [SECURITY] [DLA 3621-1] nghttp2 security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20231016-0001/"
            },
            {
              "name": "[debian-lts-announce] 20231016 [SECURITY] [DLA 3617-2] tomcat9 regression update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html"
            },
            {
              "name": "[oss-security] 20231018 Vulnerability in Jenkins",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2023/10/18/4"
            },
            {
              "name": "[oss-security] 20231018 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2023/10/18/8"
            },
            {
              "name": "[oss-security] 20231019 CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2023/10/19/6"
            },
            {
              "name": "FEDORA-2023-54fadada12",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/"
            },
            {
              "name": "FEDORA-2023-5ff7bf1dd8",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/"
            },
            {
              "name": "[oss-security] 20231020 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2023/10/20/8"
            },
            {
              "name": "FEDORA-2023-17efd3f2cd",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/"
            },
            {
              "name": "FEDORA-2023-d5030c983c",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/"
            },
            {
              "name": "FEDORA-2023-0259c3f26f",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/"
            },
            {
              "name": "FEDORA-2023-2a9214af5f",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/"
            },
            {
              "name": "FEDORA-2023-e9c04d81c1",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/"
            },
            {
              "name": "FEDORA-2023-f66fc0f62a",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/"
            },
            {
              "name": "FEDORA-2023-4d2fd884ea",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/"
            },
            {
              "name": "FEDORA-2023-b2c50535cb",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/"
            },
            {
              "name": "FEDORA-2023-fe53e13b5b",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/"
            },
            {
              "name": "FEDORA-2023-4bf641255e",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/"
            },
            {
              "name": "[debian-lts-announce] 20231030 [SECURITY] [DLA 3641-1] jetty9 security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html"
            },
            {
              "name": "DSA-5540",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.debian.org/security/2023/dsa-5540"
            },
            {
              "name": "[debian-lts-announce] 20231031 [SECURITY] [DLA 3638-1] h2o security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html"
            },
            {
              "url": "https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715"
            },
            {
              "name": "FEDORA-2023-1caffb88af",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/"
            },
            {
              "name": "FEDORA-2023-3f70b8d406",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/"
            },
            {
              "name": "FEDORA-2023-7b52921cae",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/"
            },
            {
              "name": "FEDORA-2023-7934802344",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/"
            },
            {
              "name": "FEDORA-2023-dbe64661af",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/"
            },
            {
              "name": "FEDORA-2023-822aab0a5a",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/"
            },
            {
              "name": "[debian-lts-announce] 20231105 [SECURITY] [DLA 3645-1] trafficserver security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html"
            },
            {
              "name": "DSA-5549",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.debian.org/security/2023/dsa-5549"
            },
            {
              "name": "FEDORA-2023-c0c6a91330",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/"
            },
            {
              "name": "FEDORA-2023-492b7be466",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/"
            },
            {
              "name": "DSA-5558",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.debian.org/security/2023/dsa-5558"
            },
            {
              "name": "[debian-lts-announce] 20231119 [SECURITY] [DLA 3656-1] netty security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00012.html"
            },
            {
              "name": "GLSA-202311-09",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202311-09"
            },
            {
              "name": "DSA-5570",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.debian.org/security/2023/dsa-5570"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20240426-0007/"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20240621-0006/"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20240621-0007/"
            },
            {
              "url": "https://github.com/grpc/grpc/releases/tag/v1.59.2"
            },
            {
              "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http2-reset-d8Kf32vZ"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2023-44487",
        "datePublished": "2023-10-10T00:00:00.000Z",
        "dateReserved": "2023-09-29T00:00:00.000Z",
        "dateUpdated": "2026-05-12T10:52:23.784Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-0618 (GCVE-0-2022-0618)

    Vulnerability from cvelistv5 – Published: 2022-03-09 20:23 – Updated: 2024-08-02 23:32
    VLAI
    Summary
    A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HTTP/2 frame. This vulnerability is caused by a logical error when parsing a HTTP/2 HEADERS or HTTP/2 PUSH_PROMISE frame where the frame contains padding information without any other data. This logical error caused confusion about the size of the frame, leading to a parsing error. This parsing error immediately crashes the entire process. Sending a HEADERS frame or PUSH_PROMISE frame with HTTP/2 padding information does not require any special permission, so any HTTP/2 connection peer may send such a frame. For clients, this means any server to which they connect may launch this attack. For servers, anyone they allow to connect to them may launch such an attack. The attack is low-effort: it takes very little resources to send an appropriately crafted frame. The impact on availability is high: receiving the frame immediately crashes the server, dropping all in-flight connections and causing the service to need to restart. It is straightforward for an attacker to repeatedly send appropriately crafted frames, so attackers require very few resources to achieve a substantial denial of service. The attack does not have any confidentiality or integrity risks in and of itself: swift-nio-http2 is parsing the frame in memory-safe code, so the crash is safe. However, sudden process crashes can lead to violations of invariants in services, so it is possible that this attack can be used to trigger an error condition that has confidentiality or integrity risks. The risk can be mitigated if untrusted peers can be prevented from communicating with the service. This mitigation is not available to many services. The issue is fixed by rewriting the parsing code to correctly handle the condition. The issue was found by automated fuzzing by oss-fuzz.
    Severity
    No CVSS data available.
    CWE
    • CWE-130 - Improper Handling of Length Parameter Inconsistency
    Assigner
    References
    Impacted products
    Vendor Product Version
    Swift Project SwiftNIO HTTP2 Affected: 1.0.0 , < unspecified (custom)
    Affected: unspecified , ≤ 1.19.2 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T23:32:46.550Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-q36x-r5x4-h4q6"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SwiftNIO HTTP2",
              "vendor": "Swift Project",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "1.19.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HTTP/2 frame. This vulnerability is caused by a logical error when parsing a HTTP/2 HEADERS or HTTP/2 PUSH_PROMISE frame where the frame contains padding information without any other data. This logical error caused confusion about the size of the frame, leading to a parsing error. This parsing error immediately crashes the entire process. Sending a HEADERS frame or PUSH_PROMISE frame with HTTP/2 padding information does not require any special permission, so any HTTP/2 connection peer may send such a frame. For clients, this means any server to which they connect may launch this attack. For servers, anyone they allow to connect to them may launch such an attack. The attack is low-effort: it takes very little resources to send an appropriately crafted frame. The impact on availability is high: receiving the frame immediately crashes the server, dropping all in-flight connections and causing the service to need to restart. It is straightforward for an attacker to repeatedly send appropriately crafted frames, so attackers require very few resources to achieve a substantial denial of service. The attack does not have any confidentiality or integrity risks in and of itself: swift-nio-http2 is parsing the frame in memory-safe code, so the crash is safe. However, sudden process crashes can lead to violations of invariants in services, so it is possible that this attack can be used to trigger an error condition that has confidentiality or integrity risks. The risk can be mitigated if untrusted peers can be prevented from communicating with the service. This mitigation is not available to many services. The issue is fixed by rewriting the parsing code to correctly handle the condition. The issue was found by automated fuzzing by oss-fuzz."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-130",
                  "description": "CWE-130: Improper Handling of Length Parameter Inconsistency",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-03-09T20:23:38.000Z",
            "orgId": "e4a1ddda-f4f5-496e-96c8-82c37d06abd0",
            "shortName": "Swift"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-q36x-r5x4-h4q6"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@forums.swift.org",
              "ID": "CVE-2022-0618",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SwiftNIO HTTP2",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "1.0.0"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "1.19.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Swift Project"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HTTP/2 frame. This vulnerability is caused by a logical error when parsing a HTTP/2 HEADERS or HTTP/2 PUSH_PROMISE frame where the frame contains padding information without any other data. This logical error caused confusion about the size of the frame, leading to a parsing error. This parsing error immediately crashes the entire process. Sending a HEADERS frame or PUSH_PROMISE frame with HTTP/2 padding information does not require any special permission, so any HTTP/2 connection peer may send such a frame. For clients, this means any server to which they connect may launch this attack. For servers, anyone they allow to connect to them may launch such an attack. The attack is low-effort: it takes very little resources to send an appropriately crafted frame. The impact on availability is high: receiving the frame immediately crashes the server, dropping all in-flight connections and causing the service to need to restart. It is straightforward for an attacker to repeatedly send appropriately crafted frames, so attackers require very few resources to achieve a substantial denial of service. The attack does not have any confidentiality or integrity risks in and of itself: swift-nio-http2 is parsing the frame in memory-safe code, so the crash is safe. However, sudden process crashes can lead to violations of invariants in services, so it is possible that this attack can be used to trigger an error condition that has confidentiality or integrity risks. The risk can be mitigated if untrusted peers can be prevented from communicating with the service. This mitigation is not available to many services. The issue is fixed by rewriting the parsing code to correctly handle the condition. The issue was found by automated fuzzing by oss-fuzz."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-130: Improper Handling of Length Parameter Inconsistency"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-q36x-r5x4-h4q6",
                  "refsource": "MISC",
                  "url": "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-q36x-r5x4-h4q6"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4a1ddda-f4f5-496e-96c8-82c37d06abd0",
        "assignerShortName": "Swift",
        "cveId": "CVE-2022-0618",
        "datePublished": "2022-03-09T20:23:38.000Z",
        "dateReserved": "2022-02-15T00:00:00.000Z",
        "dateUpdated": "2024-08-02T23:32:46.550Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-24668 (GCVE-0-2022-24668)

    Vulnerability from cvelistv5 – Published: 2022-02-09 22:05 – Updated: 2024-08-03 04:20
    VLAI
    Summary
    A program using swift-nio-http2 is vulnerable to a denial of service attack caused by a network peer sending ALTSVC or ORIGIN frames. This attack affects all swift-nio-http2 versions from 1.0.0 to 1.19.1. This vulnerability is caused by a logical error after frame parsing but before frame handling. ORIGIN and ALTSVC frames are not currently supported by swift-nio-http2, and should be ignored. However, one code path that encounters them has a deliberate trap instead. This was left behind from the original development process and was never removed. Sending an ALTSVC or ORIGIN frame does not require any special permission, so any HTTP/2 connection peer may send such a frame. For clients, this means any server to which they connect may launch this attack. For servers, anyone they allow to connect to them may launch such an attack. The attack is low-effort: it takes very little resources to send one of these frames. The impact on availability is high: receiving the frame immediately crashes the server, dropping all in-flight connections and causing the service to need to restart. It is straightforward for an attacker to repeatedly send these frames, so attackers require very few resources to achieve a substantial denial of service. The attack does not have any confidentiality or integrity risks in and of itself. This is a controlled, intentional crash. However, sudden process crashes can lead to violations of invariants in services, so it is possible that this attack can be used to trigger an error condition that has confidentiality or integrity risks. The risk can be mitigated if untrusted peers can be prevented from communicating with the service. This mitigation is not available to many services. The issue is fixed by rewriting the parsing code to correctly handle the condition. The issue was found by automated fuzzing by oss-fuzz.
    Severity
    No CVSS data available.
    CWE
    • CWE-241 - Improper Handling of Unexpected Data Type
    Assigner
    References
    Impacted products
    Vendor Product Version
    Swift Project SwiftNIO HTTP2 Affected: 1.0.0 , < unspecified (custom)
    Affected: unspecified , ≤ 1.19.1 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T04:20:49.138Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-pgfx-g6rc-8cjv"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SwiftNIO HTTP2",
              "vendor": "Swift Project",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "1.19.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A program using swift-nio-http2 is vulnerable to a denial of service attack caused by a network peer sending ALTSVC or ORIGIN frames. This attack affects all swift-nio-http2 versions from 1.0.0 to 1.19.1. This vulnerability is caused by a logical error after frame parsing but before frame handling. ORIGIN and ALTSVC frames are not currently supported by swift-nio-http2, and should be ignored. However, one code path that encounters them has a deliberate trap instead. This was left behind from the original development process and was never removed. Sending an ALTSVC or ORIGIN frame does not require any special permission, so any HTTP/2 connection peer may send such a frame. For clients, this means any server to which they connect may launch this attack. For servers, anyone they allow to connect to them may launch such an attack. The attack is low-effort: it takes very little resources to send one of these frames. The impact on availability is high: receiving the frame immediately crashes the server, dropping all in-flight connections and causing the service to need to restart. It is straightforward for an attacker to repeatedly send these frames, so attackers require very few resources to achieve a substantial denial of service. The attack does not have any confidentiality or integrity risks in and of itself. This is a controlled, intentional crash. However, sudden process crashes can lead to violations of invariants in services, so it is possible that this attack can be used to trigger an error condition that has confidentiality or integrity risks. The risk can be mitigated if untrusted peers can be prevented from communicating with the service. This mitigation is not available to many services. The issue is fixed by rewriting the parsing code to correctly handle the condition. The issue was found by automated fuzzing by oss-fuzz."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-241",
                  "description": "CWE-241: Improper Handling of Unexpected Data Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-02-09T22:05:18.000Z",
            "orgId": "e4a1ddda-f4f5-496e-96c8-82c37d06abd0",
            "shortName": "Swift"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-pgfx-g6rc-8cjv"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@forums.swift.org",
              "ID": "CVE-2022-24668",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SwiftNIO HTTP2",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "1.0.0"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "1.19.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Swift Project"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A program using swift-nio-http2 is vulnerable to a denial of service attack caused by a network peer sending ALTSVC or ORIGIN frames. This attack affects all swift-nio-http2 versions from 1.0.0 to 1.19.1. This vulnerability is caused by a logical error after frame parsing but before frame handling. ORIGIN and ALTSVC frames are not currently supported by swift-nio-http2, and should be ignored. However, one code path that encounters them has a deliberate trap instead. This was left behind from the original development process and was never removed. Sending an ALTSVC or ORIGIN frame does not require any special permission, so any HTTP/2 connection peer may send such a frame. For clients, this means any server to which they connect may launch this attack. For servers, anyone they allow to connect to them may launch such an attack. The attack is low-effort: it takes very little resources to send one of these frames. The impact on availability is high: receiving the frame immediately crashes the server, dropping all in-flight connections and causing the service to need to restart. It is straightforward for an attacker to repeatedly send these frames, so attackers require very few resources to achieve a substantial denial of service. The attack does not have any confidentiality or integrity risks in and of itself. This is a controlled, intentional crash. However, sudden process crashes can lead to violations of invariants in services, so it is possible that this attack can be used to trigger an error condition that has confidentiality or integrity risks. The risk can be mitigated if untrusted peers can be prevented from communicating with the service. This mitigation is not available to many services. The issue is fixed by rewriting the parsing code to correctly handle the condition. The issue was found by automated fuzzing by oss-fuzz."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-241: Improper Handling of Unexpected Data Type"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-pgfx-g6rc-8cjv",
                  "refsource": "MISC",
                  "url": "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-pgfx-g6rc-8cjv"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4a1ddda-f4f5-496e-96c8-82c37d06abd0",
        "assignerShortName": "Swift",
        "cveId": "CVE-2022-24668",
        "datePublished": "2022-02-09T22:05:18.000Z",
        "dateReserved": "2022-02-07T00:00:00.000Z",
        "dateUpdated": "2024-08-03T04:20:49.138Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-24667 (GCVE-0-2022-24667)

    Vulnerability from cvelistv5 – Published: 2022-02-09 22:05 – Updated: 2024-08-03 04:20
    VLAI
    Summary
    A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HPACK-encoded header block. This attack affects all swift-nio-http2 versions from 1.0.0 to 1.19.1. There are a number of implementation errors in the parsing of HPACK-encoded header blocks that allow maliciously crafted HPACK header blocks to cause crashes in processes using swift-nio-http2. Each of these crashes is triggered instead of an integer overflow. A malicious HPACK header block could be sent on any of the HPACK-carrying frames in a HTTP/2 connection (HEADERS and PUSH_PROMISE), at any position. Sending a HPACK header block does not require any special permission, so any HTTP/2 connection peer may send one. For clients, this means any server to which they connect may launch this attack. For servers, anyone they allow to connect to them may launch such an attack. The attack is low-effort: it takes very little resources to send an appropriately crafted field block. The impact on availability is high: receiving a frame carrying this field block immediately crashes the server, dropping all in-flight connections and causing the service to need to restart. It is straightforward for an attacker to repeatedly send appropriately crafted field blocks, so attackers require very few resources to achieve a substantial denial of service. The attack does not have any confidentiality or integrity risks in and of itself: swift-nio-http2 is parsing the field block in memory-safe code and the crash is triggered instead of an integer overflow. However, sudden process crashes can lead to violations of invariants in services, so it is possible that this attack can be used to trigger an error condition that has confidentiality or integrity risks. The risk can be mitigated if untrusted peers can be prevented from communicating with the service. This mitigation is not available to many services. The issue is fixed by rewriting the parsing code to correctly handle all conditions in the function. The principal issue was found by automated fuzzing by oss-fuzz, but several associated bugs in the same code were found by code audit and fixed at the same time
    Severity
    No CVSS data available.
    CWE
    • CWE-190 - Integer Overflow or Wraparound
    Assigner
    References
    Impacted products
    Vendor Product Version
    Swift Project SwiftNIO HTTP2 Affected: 1.0.0 , < unspecified (custom)
    Affected: unspecified , ≤ 1.19.1 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T04:20:49.139Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-w3f6-pc54-gfw7"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SwiftNIO HTTP2",
              "vendor": "Swift Project",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "1.19.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HPACK-encoded header block. This attack affects all swift-nio-http2 versions from 1.0.0 to 1.19.1. There are a number of implementation errors in the parsing of HPACK-encoded header blocks that allow maliciously crafted HPACK header blocks to cause crashes in processes using swift-nio-http2. Each of these crashes is triggered instead of an integer overflow. A malicious HPACK header block could be sent on any of the HPACK-carrying frames in a HTTP/2 connection (HEADERS and PUSH_PROMISE), at any position. Sending a HPACK header block does not require any special permission, so any HTTP/2 connection peer may send one. For clients, this means any server to which they connect may launch this attack. For servers, anyone they allow to connect to them may launch such an attack. The attack is low-effort: it takes very little resources to send an appropriately crafted field block. The impact on availability is high: receiving a frame carrying this field block immediately crashes the server, dropping all in-flight connections and causing the service to need to restart. It is straightforward for an attacker to repeatedly send appropriately crafted field blocks, so attackers require very few resources to achieve a substantial denial of service. The attack does not have any confidentiality or integrity risks in and of itself: swift-nio-http2 is parsing the field block in memory-safe code and the crash is triggered instead of an integer overflow. However, sudden process crashes can lead to violations of invariants in services, so it is possible that this attack can be used to trigger an error condition that has confidentiality or integrity risks. The risk can be mitigated if untrusted peers can be prevented from communicating with the service. This mitigation is not available to many services. The issue is fixed by rewriting the parsing code to correctly handle all conditions in the function. The principal issue was found by automated fuzzing by oss-fuzz, but several associated bugs in the same code were found by code audit and fixed at the same time"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-190",
                  "description": "CWE-190: Integer Overflow or Wraparound",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-02-09T22:05:17.000Z",
            "orgId": "e4a1ddda-f4f5-496e-96c8-82c37d06abd0",
            "shortName": "Swift"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-w3f6-pc54-gfw7"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@forums.swift.org",
              "ID": "CVE-2022-24667",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SwiftNIO HTTP2",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "1.0.0"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "1.19.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Swift Project"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HPACK-encoded header block. This attack affects all swift-nio-http2 versions from 1.0.0 to 1.19.1. There are a number of implementation errors in the parsing of HPACK-encoded header blocks that allow maliciously crafted HPACK header blocks to cause crashes in processes using swift-nio-http2. Each of these crashes is triggered instead of an integer overflow. A malicious HPACK header block could be sent on any of the HPACK-carrying frames in a HTTP/2 connection (HEADERS and PUSH_PROMISE), at any position. Sending a HPACK header block does not require any special permission, so any HTTP/2 connection peer may send one. For clients, this means any server to which they connect may launch this attack. For servers, anyone they allow to connect to them may launch such an attack. The attack is low-effort: it takes very little resources to send an appropriately crafted field block. The impact on availability is high: receiving a frame carrying this field block immediately crashes the server, dropping all in-flight connections and causing the service to need to restart. It is straightforward for an attacker to repeatedly send appropriately crafted field blocks, so attackers require very few resources to achieve a substantial denial of service. The attack does not have any confidentiality or integrity risks in and of itself: swift-nio-http2 is parsing the field block in memory-safe code and the crash is triggered instead of an integer overflow. However, sudden process crashes can lead to violations of invariants in services, so it is possible that this attack can be used to trigger an error condition that has confidentiality or integrity risks. The risk can be mitigated if untrusted peers can be prevented from communicating with the service. This mitigation is not available to many services. The issue is fixed by rewriting the parsing code to correctly handle all conditions in the function. The principal issue was found by automated fuzzing by oss-fuzz, but several associated bugs in the same code were found by code audit and fixed at the same time"
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-190: Integer Overflow or Wraparound"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-w3f6-pc54-gfw7",
                  "refsource": "MISC",
                  "url": "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-w3f6-pc54-gfw7"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4a1ddda-f4f5-496e-96c8-82c37d06abd0",
        "assignerShortName": "Swift",
        "cveId": "CVE-2022-24667",
        "datePublished": "2022-02-09T22:05:17.000Z",
        "dateReserved": "2022-02-07T00:00:00.000Z",
        "dateUpdated": "2024-08-03T04:20:49.139Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-24666 (GCVE-0-2022-24666)

    Vulnerability from cvelistv5 – Published: 2022-02-09 22:05 – Updated: 2024-08-03 04:20
    VLAI
    Summary
    A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HTTP/2 frame. This attack affects all swift-nio-http2 versions from 1.0.0 to 1.19.1. This vulnerability is caused by a logical error when parsing a HTTP/2 HEADERS frame where the frame contains priority information without any other data. This logical error caused confusion about the size of the frame, leading to a parsing error. This parsing error immediately crashes the entire process. Sending a HEADERS frame with HTTP/2 priority information does not require any special permission, so any HTTP/2 connection peer may send such a frame. For clients, this means any server to which they connect may launch this attack. For servers, anyone they allow to connect to them may launch such an attack. The attack is low-effort: it takes very little resources to send an appropriately crafted frame. The impact on availability is high: receiving the frame immediately crashes the server, dropping all in-flight connections and causing the service to need to restart. It is straightforward for an attacker to repeatedly send appropriately crafted frames, so attackers require very few resources to achieve a substantial denial of service. The attack does not have any confidentiality or integrity risks in and of itself: swift-nio-http2 is parsing the frame in memory-safe code, so the crash is safe. However, sudden process crashes can lead to violations of invariants in services, so it is possible that this attack can be used to trigger an error condition that has confidentiality or integrity risks. The risk can be mitigated if untrusted peers can be prevented from communicating with the service. This mitigation is not available to many services. The issue is fixed by rewriting the parsing code to correctly handle the condition. The issue was found by automated fuzzing by oss-fuzz.
    Severity
    No CVSS data available.
    CWE
    • CWE-130 - Improper Handling of Length Parameter Inconsistency
    Assigner
    References
    Impacted products
    Vendor Product Version
    Swift Project SwiftNIO HTTP2 Affected: 1.0.0 , < unspecified (custom)
    Affected: unspecified , ≤ 1.19.1 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T04:20:49.125Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-ccw9-q5h2-8c2w"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SwiftNIO HTTP2",
              "vendor": "Swift Project",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "1.19.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HTTP/2 frame. This attack affects all swift-nio-http2 versions from 1.0.0 to 1.19.1. This vulnerability is caused by a logical error when parsing a HTTP/2 HEADERS frame where the frame contains priority information without any other data. This logical error caused confusion about the size of the frame, leading to a parsing error. This parsing error immediately crashes the entire process. Sending a HEADERS frame with HTTP/2 priority information does not require any special permission, so any HTTP/2 connection peer may send such a frame. For clients, this means any server to which they connect may launch this attack. For servers, anyone they allow to connect to them may launch such an attack. The attack is low-effort: it takes very little resources to send an appropriately crafted frame. The impact on availability is high: receiving the frame immediately crashes the server, dropping all in-flight connections and causing the service to need to restart. It is straightforward for an attacker to repeatedly send appropriately crafted frames, so attackers require very few resources to achieve a substantial denial of service. The attack does not have any confidentiality or integrity risks in and of itself: swift-nio-http2 is parsing the frame in memory-safe code, so the crash is safe. However, sudden process crashes can lead to violations of invariants in services, so it is possible that this attack can be used to trigger an error condition that has confidentiality or integrity risks. The risk can be mitigated if untrusted peers can be prevented from communicating with the service. This mitigation is not available to many services. The issue is fixed by rewriting the parsing code to correctly handle the condition. The issue was found by automated fuzzing by oss-fuzz."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-130",
                  "description": "CWE-130: Improper Handling of Length Parameter Inconsistency",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-02-09T22:05:16.000Z",
            "orgId": "e4a1ddda-f4f5-496e-96c8-82c37d06abd0",
            "shortName": "Swift"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-ccw9-q5h2-8c2w"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@forums.swift.org",
              "ID": "CVE-2022-24666",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SwiftNIO HTTP2",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "1.0.0"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "1.19.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Swift Project"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HTTP/2 frame. This attack affects all swift-nio-http2 versions from 1.0.0 to 1.19.1. This vulnerability is caused by a logical error when parsing a HTTP/2 HEADERS frame where the frame contains priority information without any other data. This logical error caused confusion about the size of the frame, leading to a parsing error. This parsing error immediately crashes the entire process. Sending a HEADERS frame with HTTP/2 priority information does not require any special permission, so any HTTP/2 connection peer may send such a frame. For clients, this means any server to which they connect may launch this attack. For servers, anyone they allow to connect to them may launch such an attack. The attack is low-effort: it takes very little resources to send an appropriately crafted frame. The impact on availability is high: receiving the frame immediately crashes the server, dropping all in-flight connections and causing the service to need to restart. It is straightforward for an attacker to repeatedly send appropriately crafted frames, so attackers require very few resources to achieve a substantial denial of service. The attack does not have any confidentiality or integrity risks in and of itself: swift-nio-http2 is parsing the frame in memory-safe code, so the crash is safe. However, sudden process crashes can lead to violations of invariants in services, so it is possible that this attack can be used to trigger an error condition that has confidentiality or integrity risks. The risk can be mitigated if untrusted peers can be prevented from communicating with the service. This mitigation is not available to many services. The issue is fixed by rewriting the parsing code to correctly handle the condition. The issue was found by automated fuzzing by oss-fuzz."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-130: Improper Handling of Length Parameter Inconsistency"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-ccw9-q5h2-8c2w",
                  "refsource": "MISC",
                  "url": "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-ccw9-q5h2-8c2w"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4a1ddda-f4f5-496e-96c8-82c37d06abd0",
        "assignerShortName": "Swift",
        "cveId": "CVE-2022-24666",
        "datePublished": "2022-02-09T22:05:16.000Z",
        "dateReserved": "2022-02-07T00:00:00.000Z",
        "dateUpdated": "2024-08-03T04:20:49.125Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }