CVE-2023-45288
published 2024-04-04

Priority: P2 · 65 · high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 91.97% (99.8th percentile)
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.

Affected

37 ranges · showing 25

Vendor | Product | Version range | Fixed in
debian | golang-1.15 | < golang-golang-x-net 1:0.23.0+dfsg- (forky) | golang-golang-x-net 1:0.23.0+dfsg- (forky)
debian | golang-1.19 | < golang-golang-x-net 1:0.23.0+dfsg- (forky) | golang-golang-x-net 1:0.23.0+dfsg- (forky)
debian | golang-golang-x-net | < golang-golang-x-net 1:0.23.0+dfsg- (forky) | golang-golang-x-net 1:0.23.0+dfsg- (forky)
github.com | traefik_traefik_v2 | >= 0 < 2.11.2 | 2.11.2
github.com | traefik_traefik_v3 | >= 3.0.0-rc1 < 3.0.0-rc5 | 3.0.0-rc5
github.com | zitadel_zitadel-go_v3 | >= 3.0.0-next.1 < 3.0.0-next.3 | 3.0.0-next.3
go_standard_library | net_http | < 1.21.9 | 1.21.9
go_standard_library | net_http | >= 1.22.0-0 < 1.22.2 | 1.22.2
golang.org | x_net | >= 0 < 0.23.0 | 0.23.0
golang.org | x_net_golang.org_x_net_http2 | < 0.23.0 | 0.23.0
golang.org | x_net_http2 | >= 0 < 0.23.0 | 0.23.0
msrc | azl3_application-gateway-kubernetes-ingress_1.7.2-3 | |
msrc | azl3_application-gateway-kubernetes-ingress_1.7.7-1 | |
msrc | azl3_azcopy_10.24.0-1 | |
msrc | azl3_azcopy_10.25.1-1 | |
msrc | azl3_blobfuse2_2.1.0-4 | |
msrc | azl3_blobfuse2_2.3.0-1 | |
msrc | azl3_cert-manager_1.11.2-8 | |
msrc | azl3_cert-manager_1.12.12-1 | |
msrc | azl3_cf-cli_8.7.3-6 | |
msrc | azl3_cloud-provider-kubevirt_0.5.1-1 | |
msrc | azl3_containerd_1.7.13-6 | |
msrc | azl3_containerd_1.7.13-8 | |
msrc | azl3_containerized-data-importer_1.57.0-11 | |
msrc | azl3_containerized-data-importer_1.57.0-14 | |

Detection & IOCs (extracted from sources)

  • Detect HTTP/2 CONTINUATION flood: monitor for an excessive number of CONTINUATION frames sent within a single HTTP/2 stream, which is the core attack vector for this DoS vulnerability.
  • Flag HTTP/2 connections where request headers exceed MaxHeaderBytes but CONTINUATION frames continue to be processed — the server parses excess headers without allocating memory, indicating exploitation in progress.
  • Look for Huffman-encoded header data in HTTP/2 CONTINUATION frames at high volume; the asymmetric cost (cheap to send, expensive to decode) is a key exploitation characteristic.
  • Scope detection to servers with HTTP/2 enabled; endpoints with HTTP/2 disabled are not vulnerable and can be excluded from alerting.
  • The ose-hyperkube (openshift-enterprise-hyperkube) container is externally accessible and therefore a higher-priority detection/patching target within OpenShift environments.
  • Exploitation requires HTTP/2 to be enabled on the server; environments where HTTP/2 is disabled by default or not supported are not affected and can reduce risk by disabling HTTP/2.
  • Only server-side implementations are vulnerable; client-only implementations of golang.org/net/http or golang.org/x/net/http2 are not affected.
  • Red Hat Ansible Automation Platform's Receptor component is rated Low impact because it uses QUIC (UDP-based, not HTTP/2) and x/net/ipv4/ipv6 packages which are unaffected.
  • Within Red Hat OpenShift Container Platform, the majority of vulnerable components are not externally accessible, requiring an attacker to already have container access to exploit.
  • After an attack ends, the system should return to normal operations on its own; no persistent compromise is expected from this DoS-class vulnerability.

CVSS provenance

Source | CVSS version | Score | Severity | Vector
nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
ghsa | | 7.5 | HIGH |
osv | | 7.5 | HIGH |
vendor_debian | | 7.5 | HIGH |
vendor_msrc | | 7.5 | HIGH |
vendor_oracle | | 7.5 | HIGH |
vendor_redhat | | 7.5 | HIGH |
vendor_ubuntu | | 7.5 | HIGH |