GHSA-xpw8-rcwv-8f8p
ADVISORY - githubSummary
A client might overload the server by issue frequent RST frames. This can cause a massive amount of load on the remote system and so cause a DDOS attack.
Impact
This is a DDOS attack, any http2 server is affected and so you should update as soon as possible.
Patches
This is patched in version 4.1.100.Final.
Workarounds
A user can limit the amount of RST frames that are accepted per connection over a timeframe manually using either an own Http2FrameListener
implementation or an ChannelInboundHandler
implementation (depending which http2 API is used).
References
Common Weakness Enumeration (CWE)
Uncontrolled Resource Consumption
GitHub
3.9
CVSS SCORE
7.5highChainguard
CGA-3m72-vw57-x7x9
-
Chainguard
CGA-56pc-vp77-h999
-
Chainguard
CGA-62wq-3wv6-w78g
-
Chainguard
CGA-6774-f4f4-5fh3
-
Chainguard
CGA-765w-472h-4f7c
-
Chainguard
CGA-7f5m-mcvf-pjh3
-
Chainguard
CGA-f5mc-g9q8-mr85
-
Chainguard
CGA-gj3m-h2vc-j7mc
-
Chainguard
CGA-gph4-p2pw-xq8x
-
Chainguard
CGA-qjh4-gp5w-hg7r
-