CVE-2023-43622

HIGH7.5EPSS 59.5%

Apache HTTP Server: DoS in HTTP/2 with initial windows size 0

發布日:2023/10/23修改日:2025/5/20

也稱為:ALPINE-CVE-2023-43622BIT-apache-2023-43622

描述

An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known "slow loris" attack pattern. This has been fixed in version 2.4.58, so that such connection are terminated properly after the configured connection timeout. This issue affects Apache HTTP Server: from 2.4.55 through 2.4.57. Users are recommended to upgrade to version 2.4.58, which fixes the issue.

受影響套件(3)

Alpine/apache2from 0, < 2.4.58-r0
Bitnami/apache>= 2.4.55, < 2.4.58
Debian/apache2from 0, < 2.4.59-1~deb11u1

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

參考連結(5)

ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2023-43622
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2023-43622
WEBhttps://httpd.apache.org/security/vulnerabilities_24.html
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2023-43622
WEBhttps://security.netapp.com/advisory/ntap-20231027-0011/