CVE-2016-4817
Published on: 06/18/2016 12:00:00 AM UTC
Last Modified on: 04/19/2021 02:01:00 PM UTC
Certain versions of H2o from Dena contain the following vulnerability:
lib/http2/connection.c in H2O before 1.7.3 and 2.x before 2.0.0-beta5 mishandles HTTP/2 disconnection, which allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly execute arbitrary code via a crafted packet.
- CVE-2016-4817 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.
CVSS3 Score: 7.5 - HIGH
Attack Vector ⓘ |
Attack Complexity |
Privileges Required |
User Interaction |
---|---|---|---|
NETWORK | LOW | NONE | NONE |
Scope | Confidentiality Impact |
Integrity Impact |
Availability Impact |
UNCHANGED | NONE | NONE | HIGH |
CVSS2 Score: 5 - MEDIUM
Access Vector ⓘ |
Access Complexity |
Authentication |
---|---|---|
NETWORK | LOW | NONE |
Confidentiality Impact |
Integrity Impact |
Availability Impact |
NONE | NONE | PARTIAL |
CVE References
Description | Tags ⓘ | Link |
---|---|---|
fix use after free on premature connection close (CVE-2016-4817) by kazuho · Pull Request #920 · h2o/h2o · GitHub | Vendor Advisory github.com text/html | CONFIRM github.com/h2o/h2o/pull/920 |
h2: use after free on premature connection close #920 · h2o/h2o@1c0808d · GitHub | github.com text/html | CONFIRM github.com/h2o/h2o/commit/1c0808d580da09fdec5a9a74ff09e103ea058dd4 |
No Description Provided | Vendor Advisory jvndb.jvn.jp text/html | JVNDB JVNDB-2016-000091 |
JVN#87859762: H2O use-after-free vulnerability | Vendor Advisory jvn.jp text/xml | JVN JVN#87859762 |
There are currently no QIDs associated with this CVE
Known Affected Configurations (CPE V2.3)
Type | Vendor | Product | Version | Update | Edition | Language |
---|---|---|---|---|---|---|
Application | Dena | H2o | All | All | All | All |
Application | Dena | H2o | All | beta4 | All | All |
Application | H2o Project | H2o | All | All | All | All |
Application | H2o Project | H2o | All | beta4 | All | All |
- cpe:2.3:a:dena:h2o:*:*:*:*:*:*:*:*:
- cpe:2.3:a:dena:h2o:*:beta4:*:*:*:*:*:*:
- cpe:2.3:a:h2o_project:h2o:*:*:*:*:*:*:*:*:
- cpe:2.3:a:h2o_project:h2o:*:beta4:*:*:*:*:*:*:
No vendor comments have been submitted for this CVE