GHSA-9wmc-rg4h-28wv: github.com/kumahq/kuma affected by CVE-2023-44487
(updated )
Envoy and Go HTTP/2 protocol stack is vulnerable to the “Rapid Reset” class of exploits, which send a sequence of HEADERS frames optionally followed by RST_STREAM frames.
This can be exercised if you use the builtin gateway and receive untrusted http2 traffic.
References
- cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack
- github.com/advisories/GHSA-9wmc-rg4h-28wv
- github.com/advisories/GHSA-qppj-fm5r-hxr3
- github.com/envoyproxy/envoy/security/advisories/GHSA-jhv4-f7mr-xx76
- github.com/golang/go/issues/63417
- github.com/kumahq/kuma
- github.com/kumahq/kuma/pull/8001
- github.com/kumahq/kuma/pull/8023
- github.com/kumahq/kuma/pull/8034
- github.com/kumahq/kuma/security/advisories/GHSA-9wmc-rg4h-28wv
- www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge
- www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/?sf269548684=1
Code Behaviors & Features
Detect and mitigate GHSA-9wmc-rg4h-28wv with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →