CVE-2023-43622
Severity
7.5HIGH
EPSS
61.3%
top 1.68%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedOct 23
Latest updateNov 22
Description
An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known "slow loris" attack pattern.
This has been fixed in version 2.4.58, so that such connection are terminated properly after the configured connection timeout.
This issue affects Apache HTTP Server: from 2.4.55 through 2.4.57.
Users are recommended to upgr…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6
Affected Packages4 packages
🔴Vulnerability Details
5OSV▶
CVE-2023-43622: An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP S↗2023-10-23
GHSA▶
GHSA-w2qc-22jv-44g8: An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP S↗2023-10-23
OSV▶
CVE-2023-43622: An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP S↗2023-10-23
📋Vendor Advisories
4Debian▶
CVE-2023-43622: apache2 - An attacker, opening a HTTP/2 connection with an initial window size of 0, was a...↗2023