CVE-2023-45288
Published 2024-04-04
Priority: P2 (65) · high · CVSS 3.1 score 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 91.97% (99.8th percentile)
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
Affected
37 ranges (showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | < golang-golang-x-net 1:0.23.0+dfsg- (forky) | golang-golang-x-net 1:0.23.0+dfsg- (forky) |
| debian | golang-1.19 | < golang-golang-x-net 1:0.23.0+dfsg- (forky) | golang-golang-x-net 1:0.23.0+dfsg- (forky) |
| debian | golang-golang-x-net | < golang-golang-x-net 1:0.23.0+dfsg- (forky) | golang-golang-x-net 1:0.23.0+dfsg- (forky) |
| github.com | traefik_traefik_v2 | >= 0 < 2.11.2 | 2.11.2 |
| github.com | traefik_traefik_v3 | >= 3.0.0-rc1 < 3.0.0-rc5 | 3.0.0-rc5 |
| github.com | zitadel_zitadel-go_v3 | >= 3.0.0-next.1 < 3.0.0-next.3 | 3.0.0-next.3 |
| go_standard_library | net_http | < 1.21.9 | 1.21.9 |
| go_standard_library | net_http | >= 1.22.0-0 < 1.22.2 | 1.22.2 |
| golang.org | x_net | >= 0 < 0.23.0 | 0.23.0 |
| golang.org | x_net_golang.org_x_net_http2 | < 0.23.0 | 0.23.0 |
| golang.org | x_net_http2 | >= 0 < 0.23.0 | 0.23.0 |
| msrc | azl3_application-gateway-kubernetes-ingress_1.7.2-3 | — | — |
| msrc | azl3_application-gateway-kubernetes-ingress_1.7.7-1 | — | — |
| msrc | azl3_azcopy_10.24.0-1 | — | — |
| msrc | azl3_azcopy_10.25.1-1 | — | — |
| msrc | azl3_blobfuse2_2.1.0-4 | — | — |
| msrc | azl3_blobfuse2_2.3.0-1 | — | — |
| msrc | azl3_cert-manager_1.11.2-8 | — | — |
| msrc | azl3_cert-manager_1.12.12-1 | — | — |
| msrc | azl3_cf-cli_8.7.3-6 | — | — |
| msrc | azl3_cloud-provider-kubevirt_0.5.1-1 | — | — |
| msrc | azl3_containerd_1.7.13-6 | — | — |
| msrc | azl3_containerd_1.7.13-8 | — | — |
| msrc | azl3_containerized-data-importer_1.57.0-11 | — | — |
| msrc | azl3_containerized-data-importer_1.57.0-14 | — | — |
Detection & IOCs (extracted from sources)
- Detect HTTP/2 CONTINUATION flood: monitor for an excessive number of CONTINUATION frames sent within a single HTTP/2 stream, which is the core attack vector for this DoS vulnerability.
- Flag HTTP/2 connections where request headers exceed MaxHeaderBytes but CONTINUATION frames continue to be processed; the server parses excess headers without allocating memory, indicating exploitation in progress.
- Look for Huffman-encoded header data in HTTP/2 CONTINUATION frames at high volume; the asymmetric cost (cheap to send, expensive to decode) is a key exploitation characteristic.
- Scope detection to servers with HTTP/2 enabled; endpoints with HTTP/2 disabled are not vulnerable and can be excluded from alerting.
- The ose-hyperkube (openshift-enterprise-hyperkube) container is externally accessible and therefore a higher-priority detection/patching target within OpenShift environments.
- Exploitation requires HTTP/2 to be enabled on the server; environments where HTTP/2 is disabled by default or not supported are not affected and can reduce risk by disabling HTTP/2.
- Only server-side implementations are vulnerable; client-only implementations of golang.org/net/http or golang.org/x/net/http2 are not affected.
- Red Hat Ansible Automation Platform's Receptor component is rated Low impact because it uses QUIC (UDP-based, not HTTP/2) and x/net/ipv4/ipv6 packages, which are unaffected.
- Within Red Hat OpenShift Container Platform, the majority of vulnerable components are not externally accessible, requiring an attacker to already have container access to exploit.
- After an attack ends, the system should return to normal operations on its own; no persistent compromise is expected from this DoS-class vulnerability.
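The description above and the first two detection items describe the same condition from two sides: a header block whose compressed bytes have already blown past MaxHeaderBytes, yet keeps arriving in CONTINUATION frames that the server must still parse. The following Go program is an added example, not code from the Go project, from the upstream fix, or from any of the sources listed on this page. It walks raw HTTP/2 frames from a capture, tracks the open header block per stream, and reports a block once it has exceeded a byte budget and then continued for more than a constructed number of excess frames, which is the shape of the limit the fix describes. The `Policy` type, its `MaxExcessFrames` field, the `Inspect` function and the sample traffic are all assumptions constructed for this example; the frame layout and the HEADERS/CONTINUATION/END_HEADERS semantics are from RFC 7540.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame types and flags from RFC 7540, section 6.
const (
	frameHeaders      byte = 0x1
	frameContinuation byte = 0x9
	flagEndHeaders    byte = 0x4
	frameHeaderLen         = 9
)

// Policy is the detection budget (constructed for this example).
// MaxHeaderBytes plays the role of http.Server.MaxHeaderBytes; MaxExcessFrames
// is a constructed limit on how many header frames a peer may keep sending
// once that byte budget has already been exceeded.
type Policy struct {
	MaxHeaderBytes  int
	MaxExcessFrames int
}

// Finding describes the first header block that breaches the policy.
type Finding struct {
	StreamID    uint32
	Frames      int // HEADERS + CONTINUATION frames seen for the block
	HeaderBytes int // sum of frame payload lengths (compressed, before HPACK decoding)
	Reason      string
}

// Inspect walks raw HTTP/2 frames (everything after the connection preface)
// and tracks the header block in progress on each stream. It returns the first
// block that breaches the policy, or nil when the traffic stays within bounds.
func Inspect(raw []byte, p Policy) (*Finding, error) {
	type block struct{ frames, bytes, excess int }
	open := map[uint32]*block{}
	for off := 0; off+frameHeaderLen <= len(raw); {
		// 9-byte frame header: 24-bit length, type, flags, 31-bit stream id.
		length := int(raw[off])<<16 | int(raw[off+1])<<8 | int(raw[off+2])
		ftype, flags := raw[off+3], raw[off+4]
		stream := binary.BigEndian.Uint32(raw[off+5:off+9]) & 0x7fffffff
		off += frameHeaderLen
		if off+length > len(raw) {
			return nil, errors.New("truncated frame")
		}
		off += length

		var b *block
		switch ftype {
		case frameHeaders:
			b = &block{}
			open[stream] = b
		case frameContinuation:
			var ok bool
			if b, ok = open[stream]; !ok {
				return nil, fmt.Errorf("CONTINUATION on stream %d without an open header block", stream)
			}
		default:
			continue // DATA, SETTINGS, etc. carry no header bytes
		}
		b.frames++
		b.bytes += length
		if b.bytes > p.MaxHeaderBytes {
			b.excess++ // a vulnerable server still parses this frame, then discards it
		}
		if b.excess > p.MaxExcessFrames {
			return &Finding{StreamID: stream, Frames: b.frames, HeaderBytes: b.bytes,
				Reason: "header block exceeds byte budget and excess-frame limit"}, nil
		}
		if flags&flagEndHeaders != 0 {
			delete(open, stream) // block complete within policy
		}
	}
	return nil, nil
}

// buildFrame serialises one frame with an opaque payload of payloadLen bytes.
func buildFrame(ftype, flags byte, stream uint32, payloadLen int) []byte {
	f := make([]byte, frameHeaderLen+payloadLen)
	f[0], f[1], f[2] = byte(payloadLen>>16), byte(payloadLen>>8), byte(payloadLen)
	f[3], f[4] = ftype, flags
	binary.BigEndian.PutUint32(f[5:9], stream)
	return f
}

// SampleFlood is constructed traffic: a HEADERS frame on stream 1 that never
// sets END_HEADERS, followed by n CONTINUATION frames of 100 bytes each.
func SampleFlood(n int) []byte {
	raw := buildFrame(frameHeaders, 0, 1, 100)
	for i := 0; i < n; i++ {
		raw = append(raw, buildFrame(frameContinuation, 0, 1, 100)...)
	}
	return raw
}

// SampleBenign is constructed traffic: a header block split across four
// frames, closed with END_HEADERS, well under the byte budget.
func SampleBenign() []byte {
	raw := buildFrame(frameHeaders, 0, 1, 100)
	raw = append(raw, buildFrame(frameContinuation, 0, 1, 100)...)
	raw = append(raw, buildFrame(frameContinuation, 0, 1, 100)...)
	return append(raw, buildFrame(frameContinuation, flagEndHeaders, 1, 100)...)
}

func main() {
	p := Policy{MaxHeaderBytes: 1024, MaxExcessFrames: 16}
	for name, raw := range map[string][]byte{"benign": SampleBenign(), "flood": SampleFlood(50)} {
		f, err := Inspect(raw, p)
		fmt.Printf("%s: finding=%+v err=%v\n", name, f, err)
	}
}
```

With the constructed policy (1024-byte budget, 16 excess frames allowed) the flood sample is reported at its 27th frame, when 2700 compressed header bytes have arrived for a request that can only be rejected; the benign sample, which closes its block with END_HEADERS, produces no finding. Counting compressed payload bytes rather than decoded HPACK output keeps the inspector cheap, which matters because the asymmetric decode cost noted in the detection items is exactly what the attack exploits.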
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| ghsa | 7.5 | HIGH | |
| osv | 7.5 | HIGH | |
| vendor_debian | 7.5 | HIGH | |
| vendor_msrc | 7.5 | HIGH | |
| vendor_oracle | 7.5 | HIGH | |
| vendor_redhat | 7.5 | HIGH | |
| vendor_ubuntu | 7.5 | HIGH | |
Ubuntu
Go vulnerabilities
vendor_ubuntu·2024-11-14·CVSS 7.5
CVE-2023-29405 [HIGH] Go vulnerabilities
Title: Go vulnerabilities
Summary: Several security issues were fixed in Go.
Philippe Antoine discovered that Go incorrectly handled crafted HTTP/2
streams. An attacker could possibly use this issue to cause a denial of
service. (CVE-2022-41723)
Marten Seemann discovered that Go did not properly manage memory under
certain circumstances. An attacker could possibly use this issue to cause
a panic resulting in a denial of service. (CVE-2022-41724)
Ameya Darshan and Jakob Ackermann discovered that Go did not properly
validate the amount of memory and disk files ReadForm can consume. An
attacker could possibly use this issue to cause a panic resulting in a
denial of service. (CVE-2022-41725)
Hunter Wittenborn discovered that Go incorrectly handled the sanitization
of environment variables
Ubuntu
Go vulnerabilities
vendor_ubuntu·2024-11-14·CVSS 7.5
CVE-2024-24791 [HIGH] Go vulnerabilities
Title: Go vulnerabilities
Summary: Several security issues were fixed in Go.
Philippe Antoine discovered that Go incorrectly handled crafted HTTP/2
streams. An attacker could possibly use this issue to cause a denial of
service. (CVE-2022-41723)
Marten Seemann discovered that Go did not properly manage memory under
certain circumstances. An attacker could possibly use this issue to cause
a panic resulting in a denial of service. (CVE-2022-41724)
Ameya Darshan and Jakob Ackermann discovered that Go did not properly
validate the amount of memory and disk files ReadForm can consume. An
attacker could possibly use this issue to cause a panic resulting in a
denial of service. (CVE-2022-41725)
Jakob Ackermann discovered that Go incorrectly handled multipart
forms. An attacker could possibly
Oracle
Oracle Oracle Blockchain Platform Risk Matrix: Blockchain Cloud Service Console (Golang Go) — CVE-2023-45288
vendor_oracle·2024-10-15·CVSS 7.5
CVE-2023-45288 [HIGH] Oracle Oracle Blockchain Platform Risk Matrix: Blockchain Cloud Service Console (Golang Go) — CVE-2023-45288
Oracle Oracle Blockchain Platform Risk Matrix: Blockchain Cloud Service Console (Golang Go) vulnerability
CVE: CVE-2023-45288
CVSS: 7.5
Protocol: Multiple
Remote exploit: Yes
Affected versions: Network
Advisory: cpuoct2024 (OCT 2024)
Ubuntu
Go vulnerabilities
vendor_ubuntu·2024-07-09·CVSS 7.5
CVE-2023-45290 [HIGH] Go vulnerabilities
Title: Go vulnerabilities
Summary: Several security issues were fixed in Go.
It was discovered that the Go net/http module did not properly handle the
requests when request's headers exceed MaxHeaderBytes. An attacker could
possibly use this issue to cause a panic resulting in a denial of service.
This issue only affected Go 1.21 in Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
(CVE-2023-45288)
It was discovered that the Go net/http module did not properly validate the
subdomain match or exact match of the initial domain. An attacker could
possibly use this issue to read sensitive information. This issue only
affected Go 1.21 in Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2023-45289)
It was discovered that the Go net/http module did not properly validate the
total size of the parsed form w
Microsoft
HTTP/2 CONTINUATION flood in net/http
vendor_msrc·2024-04-09·CVSS 7.5
CVE-2023-45288 [HIGH] CWE-400 HTTP/2 CONTINUATION flood in net/http
HTTP/2 CONTINUATION flood in net/http
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
Go: Go
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.com/en-us/azu
Red Hat
golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS
vendor_redhat·2024-04-03·CVSS 7.5
CVE-2023-45288 [HIGH] CWE-400 golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS
golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess h
Debian
CVE-2023-45288: golang-1.15 - An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header dat...
vendor_debian·2023·CVSS 7.5
CVE-2023-45288 [HIGH] CVE-2023-45288: golang-1.15 - An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header dat...
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
Scope: local
bullseye: op
OSV
golang-1.17 vulnerabilities
osv·2024-11-14·CVSS 7.5
CVE-2022-41723 [HIGH] golang-1.17 vulnerabilities
golang-1.17 vulnerabilities
Philippe Antoine discovered that Go incorrectly handled crafted HTTP/2
streams. An attacker could possibly use this issue to cause a denial of
service. (CVE-2022-41723)
Marten Seemann discovered that Go did not properly manage memory under
certain circumstances. An attacker could possibly use this issue to cause
a panic resulting in a denial of service. (CVE-2022-41724)
Ameya Darshan and Jakob Ackermann discovered that Go did not properly
validate the amount of memory and disk files ReadForm can consume. An
attacker could possibly use this issue to cause a panic resulting in a
denial of service. (CVE-2022-41725)
Jakob Ackermann discovered that Go incorrectly handled multipart
forms. An attacker could possibly use this issue to consume an excessive
amount of
OSV
golang-1.18 vulnerabilities
osv·2024-11-14·CVSS 7.5
CVE-2022-41723 [HIGH] golang-1.18 vulnerabilities
golang-1.18 vulnerabilities
Philippe Antoine discovered that Go incorrectly handled crafted HTTP/2
streams. An attacker could possibly use this issue to cause a denial of
service. (CVE-2022-41723)
Marten Seemann discovered that Go did not properly manage memory under
certain circumstances. An attacker could possibly use this issue to cause
a panic resulting in a denial of service. (CVE-2022-41724)
Ameya Darshan and Jakob Ackermann discovered that Go did not properly
validate the amount of memory and disk files ReadForm can consume. An
attacker could possibly use this issue to cause a panic resulting in a
denial of service. (CVE-2022-41725)
Hunter Wittenborn discovered that Go incorrectly handled the sanitization
of environment variables. An attacker could possibly use this issue to run
OSV
ZITADEL Go's GRPC example code vulnerability - GO-2024-2687 HTTP/2 CONTINUATION flood in net/http
osv·2024-07-15·CVSS 7.5
CVE-2023-45288 [HIGH] ZITADEL Go's GRPC example code vulnerability - GO-2024-2687 HTTP/2 CONTINUATION flood in net/http
ZITADEL Go's GRPC example code vulnerability - GO-2024-2687 HTTP/2 CONTINUATION flood in net/http
### Summary
Applications using the `zitadel-go` `v3` library (`next` branch) might be impacted by package vulnerabilities.
The output of `govulncheck` suggests that only `example` code seems to be impacted, based on 1 of the 3 potential vulnerabilities. This vulnerability is located in the transitive dependency `golang.org/x/net v0.19.0`, [CVE-2023-45288](https://www.cve.org/CVERecord?id=CVE-2023-45288)
### Patches
3.0.0-next versions are fixed on >= [3.0.0-next.3](https://github.com/zitadel/zitadel-go/releases/tag/v3.0.0-next.3)
ZITADEL recommends upgrading to the latest versions available in due course.
### Workarounds
If updating the zitadel-go library is not an option, updating the af
GHSA
ZITADEL Go's GRPC example code vulnerability - GO-2024-2687 HTTP/2 CONTINUATION flood in net/http
ghsa·2024-07-15·CVSS 7.5
CVE-2023-45288 [HIGH] ZITADEL Go's GRPC example code vulnerability - GO-2024-2687 HTTP/2 CONTINUATION flood in net/http
ZITADEL Go's GRPC example code vulnerability - GO-2024-2687 HTTP/2 CONTINUATION flood in net/http
### Summary
Applications using the `zitadel-go` `v3` library (`next` branch) might be impacted by package vulnerabilities.
The output of `govulncheck` suggests that only `example` code seems to be impacted, based on 1 of the 3 potential vulnerabilities. This vulnerability is located in the transitive dependency `golang.org/x/net v0.19.0`, [CVE-2023-45288](https://www.cve.org/CVERecord?id=CVE-2023-45288)
### Patches
3.0.0-next versions are fixed on >= [3.0.0-next.3](https://github.com/zitadel/zitadel-go/releases/tag/v3.0.0-next.3)
ZITADEL recommends upgrading to the latest versions available in due course.
### Workarounds
If updating the zitadel-go library is not an option, updating the af
OSV
golang-1.21, golang-1.22 vulnerabilities
osv·2024-07-09·CVSS 7.5
CVE-2023-45288 [HIGH] golang-1.21, golang-1.22 vulnerabilities
golang-1.21, golang-1.22 vulnerabilities
It was discovered that the Go net/http module did not properly handle the
requests when request's headers exceed MaxHeaderBytes. An attacker could
possibly use this issue to cause a panic resulting in a denial of service.
This issue only affected Go 1.21 in Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
(CVE-2023-45288)
It was discovered that the Go net/http module did not properly validate the
subdomain match or exact match of the initial domain. An attacker could
possibly use this issue to read sensitive information. This issue only
affected Go 1.21 in Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2023-45289)
It was discovered that the Go net/http module did not properly validate the
total size of the parsed form when parsing a multipart form. An atta
GHSA
Traefik affected by HTTP/2 CONTINUATION flood in net/http
ghsa·2024-04-15·CVSS 7.5
CVE-2023-45288 [HIGH] Traefik affected by HTTP/2 CONTINUATION flood in net/http
Traefik affected by HTTP/2 CONTINUATION flood in net/http
There is a potential vulnerability in Traefik managing HTTP/2 connections.
More details in the [CVE-2023-45288](https://www.cve.org/CVERecord?id=CVE-2023-45288).
## Patches
- https://github.com/traefik/traefik/releases/tag/v2.11.2
- https://github.com/traefik/traefik/releases/tag/v3.0.0-rc5
## Workarounds
No workaround
## For more information
If you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).
OSV
Traefik affected by HTTP/2 CONTINUATION flood in net/http
osv·2024-04-15·CVSS 7.5
CVE-2023-45288 [HIGH] Traefik affected by HTTP/2 CONTINUATION flood in net/http
Traefik affected by HTTP/2 CONTINUATION flood in net/http
There is a potential vulnerability in Traefik managing HTTP/2 connections.
More details in the [CVE-2023-45288](https://www.cve.org/CVERecord?id=CVE-2023-45288).
## Patches
- https://github.com/traefik/traefik/releases/tag/v2.11.2
- https://github.com/traefik/traefik/releases/tag/v3.0.0-rc5
## Workarounds
No workaround
## For more information
If you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).
OSV
CVE-2023-45288: An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames
osv·2024-04-04·CVSS 7.5
CVE-2023-45288 [HIGH] CVE-2023-45288: An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
GHSA
net/http, x/net/http2: close connections when receiving too many headers
ghsa·2024-04-04
CVE-2023-45288 [MEDIUM] CWE-400 net/http, x/net/http2: close connections when receiving too many headers
net/http, x/net/http2: close connections when receiving too many headers
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header fra
OSV
net/http, x/net/http2: close connections when receiving too many headers
osv·2024-04-04
CVE-2023-45288 [MEDIUM] net/http, x/net/http2: close connections when receiving too many headers
net/http, x/net/http2: close connections when receiving too many headers
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header fra
OSV
HTTP/2 CONTINUATION flood in net/http
osv·2024-04-03
CVE-2023-45288 HTTP/2 CONTINUATION flood in net/http
HTTP/2 CONTINUATION flood in net/http
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames.
Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed.
This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send.
The fix sets a limit on the amount of excess header frames we will process before closi
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2024-8421 golang.org/x/net/http2: Multiple HTTP/2 enabled web servers (Rapid Reset Attack)
bugzilla·2024-09-04·CVSS 7.5
CVE-2024-8421 [HIGH] CVE-2024-8421 golang.org/x/net/http2: Multiple HTTP/2 enabled web servers (Rapid Reset Attack)
CVE-2024-8421 golang.org/x/net/http2: Multiple HTTP/2 enabled web servers (Rapid Reset Attack)
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded to the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing.
Discussion:
https://pkg.go.dev/golang.org/x/net?tab=versions
Is it accurate to say that anything that has rebased golang x/net to >= 0.22.0 resolves this issue?
---
(In reply to Lon Hohberger from comment #6)
> https://pkg.go.dev/golang.org/x/net?tab=versions
>
> Is it accurate to say that anything that has rebased golang x/net to >=
> 0.22.0 reso
Bugzilla
CVE-2023-45288 golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS
bugzilla·2024-03-06·CVSS 7.5
CVE-2023-45288 [HIGH] CVE-2023-45288 golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS
CVE-2023-45288 golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS
This description was provided in the disclosure from VINCE:
The Go packages net/http and golang.org/x/net/http2 packages do not limit the number of CONTINUATION frames read for an HTTP/2 request, which permits an attacker to provide an arbitrarily large set of headers for a single request, that will be read, decoded, and subsequently discarded, which may result in excessive CPU consumption.
Discussion:
Is this http and http2 or http2 only? The title says HTTP, but the description is all http2. If it's http2, then it's likely the container tools don't have an issue as we're HTTP based.
---
This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.15
Bleepingcomputer
New HTTP/2 DoS attack can crash web servers with a single connection
blogs_bleepingcomputer·2024-04-04
New HTTP/2 DoS attack can crash web servers with a single connection
## New HTTP/2 DoS attack can crash web servers with a single connection
By Bill Toulas
Newly discovered HTTP/2 protocol vulnerabilities called "CONTINUATION Flood" can lead to denial of service (DoS) attacks, crashing web servers with a single TCP connection in some implementations.
HTTP/2 is an update to the HTTP protocol standardized in 2015, designed to improve web performance by introducing binary framing for efficient data transmission, multiplexing to allow multiple requests and responses over a single connection, and header compression to reduce overhead.
The new CONTINUATION Flood vulnerabilities were discovered by researcher Bartek Nowotarski, who says that it relates to the use of HTTP/2 CONTINUATION frames, which are not properly limited or checked in many implementations of
Wiz
CVE-2026-33413 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-33413 [HIGH] CVE-2026-33413 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33413: etcd vulnerability analysis and mitigation
etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, unauthorized users may bypass authentication or authorization checks and call certain etcd functions in clusters that expose the gRPC API to untrusted or partially trusted clients. In unpatched etcd clusters with etcd auth enabled, unauthorized users are able to call MemberList and learn cluster topology, including member IDs and advertised endpoints; call Alarm, which can be abused for operational disruption or denial of service; use Lease APIs, interfering with TTL-based keys and lease ownership; and/or trigger compaction, permanently removing historical revisions and disrupting watch, audit, and recovery
Wiz
CVE-2026-33343 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-33343 [NONE] CVE-2026-33343 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33343: etcd vulnerability analysis and mitigation
etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, an authenticated user with RBAC restricted permissions on key ranges can use nested transactions to bypass all key-level authorization. This allows any authenticated user with direct access to etcd to effectively ignore all key range restrictions, accessing the entire etcd data store. Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected. Versions 3.4.42, 3.5.28, and 3.6.9 contain a patch. If upgrading is not immediately possible, reduce exposure by treating the
References
- http://www.openwall.com/lists/oss-security/2024/04/03/16
- http://www.openwall.com/lists/oss-security/2024/04/05/4
- https://go.dev/cl/576155
- https://go.dev/issue/65051
- https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M
- https://lists.fedoraproject.org/archives/list/[email protected]/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/
- https://pkg.go.dev/vuln/GO-2024-2687
- https://security.netapp.com/advisory/ntap-20240419-0009/
- https://www.kb.cert.org/vuls/id/421644
Published: 2024-04-04