Denial-of-Service Vulnerability in H2O Web Server by H2O
CVE-2016-4864

7.5HIGH

Key Information:

Vendor: Kazuho Oku
Status: H2o
Vendor: CVE Published:; 12 May 2017

What is CVE-2016-4864?

H2O Web Server versions 2.0.3 and prior, as well as 2.1.0-beta2 and earlier, contain a vulnerability that allows remote attackers to exploit format string specifiers in template files. This can lead to denial-of-service conditions via mechanisms such as fastcgi, mruby, proxy, redirect, or reproxy, effectively incapacitating the server and disrupting service availability.

Affected Version(s)

H2O versions 2.0.3 and earlier

H2O versions 2.1.0-beta2 and earlier

References

https://github.com/h2o/h2o/issues/1077

x_refsource_CONFIRM

https://jvn.jp/en/jp/JVN94779084/index.html

third-party-advisoryx_refsource_JVN

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 12, 2017
Vulnerability Reserved
May 17, 2016

CVE-2016-4864 Data

JSON

Kazuho Oku

What is CVE-2016-4864?

Affected Version(s)

References

CVSS V3.1

Timeline