HTTP Request Spoofing Vulnerability in h2o HTTP Server
CVE-2024-45397

7.5HIGH

Key Information:

Vendor
H2o
Status
H2o
Vendor
CVE Published:
11 October 2024

Summary

The H2O HTTP server implements an exposure through its handling of HTTP requests utilizing TLS/1.3 early data when combined with TCP Fast Open or QUIC 0-RTT packets. A significant security flaw arises when IP address-based access controls are configured, as the system fails to identify and deny HTTP requests sent from spoofed source addresses. This vulnerability poses a risk, allowing attackers to launch HTTP requests from addresses that would typically be blocked by the configuration. To mitigate the issue, users are advised to disable the use of TCP Fast Open and QUIC. The vulnerability has been addressed in commit 15ed15a.

Affected Version(s)

h2o < 15ed15a2efb83a77bb4baaa5a119e639c2f6898a

References

https://github.com/h2o/h2o/security/advisories/GHSA-jf2c-...
x_refsource_CONFIRM
https://github.com/h2o/h2o/commit/15ed15a2efb83a77bb4baaa...
x_refsource_MISC
https://h2o.examp1e.net/configure/http3_directives.html
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2024-45397 : HTTP Request Spoofing Vulnerability in h2o HTTP Server | SecurityVulnerability.io