cbcvebase.
CVE-2024-27983
published 2024-04-09

CVE-2024-27983: An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is…

high8.2CVSS 3.0
AVNACLPRNUINSUCNILAH
An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.

Affected

30 ranges· showing 25
VendorProductVersion rangeFixed in
debiannodejs< nodejs 18.20.4+dfsg-1~deb12u1 (bookworm)nodejs 18.20.4+dfsg-1~deb12u1 (bookworm)
msrcazl3_nodejs_20.10.0-2_on_azure_linux_3.0
msrcazl3_nodejs_20.14.0-1_on_azure_linux_3.0
msrcazure_linux_3.0_arm
msrcazure_linux_3.0_x64
msrccbl2_nodejs18_18.18.2-7_on_cbl_mariner_2.0
msrccbl_mariner_2.0_arm
msrccbl_mariner_2.0_x64
nodejsnode>= 10.0 < 10.*10.*
nodejsnode>= 11.0 < 11.*11.*
nodejsnode>= 12.0 < 12.*12.*
nodejsnode>= 13.0 < 13.*13.*
nodejsnode>= 14.0 < 14.*14.*
nodejsnode>= 15.0 < 15.*15.*
nodejsnode>= 16.0 < 16.*16.*
nodejsnode>= 17.0 < 17.*17.*
nodejsnode>= 18.0 < 18.20.118.20.1
nodejsnode>= 19.0 < 19.*19.*
nodejsnode>= 20.0 < 20.12.120.12.1
nodejsnode>= 21.0 < 21.7.221.7.2
nodejsnode>= 4.0 < 4.*4.*
nodejsnode>= 5.0 < 5.*5.*
nodejsnode>= 6.0 < 6.*6.*
nodejsnode>= 7.0 < 7.*7.*
nodejsnode>= 8.0 < 8.*8.*

CVSS provenance

nvdv3.08.2HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
osv8.2HIGH