GHSA-xpw8-rcwv-8f8p

ADVISORY - github

Summary

A client might overload the server by issue frequent RST frames. This can cause a massive amount of load on the remote system and so cause a DDOS attack.

Impact

This is a DDOS attack, any http2 server is affected and so you should update as soon as possible.

Patches

This is patched in version 4.1.100.Final.

Workarounds

A user can limit the amount of RST frames that are accepted per connection over a timeframe manually using either an own Http2FrameListener implementation or an ChannelInboundHandler implementation (depending which http2 API is used).

References

Common Weakness Enumeration (CWE)

ADVISORY - github

Uncontrolled Resource Consumption

ADVISORY - gitlab

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Uncontrolled Resource Consumption

OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

ADVISORY - gitlab

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities


Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.

Sign in