CVE-2023-44487: Uncontrolled Resource Consumption
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
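The defensive countermeasure that the references describe in general terms is to track how fast a peer cancels streams and to drop connections that reset faster than a legitimate client would. The Go snippet below is an added illustration of that idea, not code from the advisory or from any of the referenced vendors; the one-second window and the limit of 100 resets are assumed values, and a real server would additionally bound the number of concurrently executing handlers.

```go
package main

import (
	"fmt"
	"time"
)

// resetTracker records RST_STREAM frames per connection within a sliding
// window and reports when a peer exceeds the permitted reset rate.
type resetTracker struct {
	window    time.Duration
	maxResets int
	resets    map[string][]time.Time // connection id -> reset timestamps
}

func newResetTracker(window time.Duration, maxResets int) *resetTracker {
	return &resetTracker{window: window, maxResets: maxResets, resets: map[string][]time.Time{}}
}

// observeReset records an RST_STREAM received on conn at time now and returns
// true when the connection has exceeded maxResets within the window, i.e. the
// server should send GOAWAY and close it.
func (t *resetTracker) observeReset(conn string, now time.Time) bool {
	ts := t.resets[conn]
	cutoff := now.Add(-t.window)
	// Discard timestamps that have fallen out of the window.
	i := 0
	for i < len(ts) && !ts[i].After(cutoff) {
		i++
	}
	ts = append(ts[i:], now)
	t.resets[conn] = ts
	return len(ts) > t.maxResets
}

// forget releases the state for a closed connection.
func (t *resetTracker) forget(conn string) { delete(t.resets, conn) }

func main() {
	tr := newResetTracker(time.Second, 100) // assumed thresholds
	base := time.Unix(0, 0)
	// Constructed sample: a client that cancels a handful of requests.
	for i := 0; i < 5; i++ {
		tr.observeReset("normal", base.Add(time.Duration(i)*100*time.Millisecond))
	}
	// Constructed sample: a peer resetting a stream every millisecond.
	closed := false
	for i := 0; i < 200 && !closed; i++ {
		closed = tr.observeReset("abusive", base.Add(time.Duration(i)*time.Millisecond))
	}
	fmt.Println("normal closed:", len(tr.resets["normal"]) > tr.maxResets, "abusive closed:", closed)
}
```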
References
- arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/
- blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
- blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/
- blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/
- blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack
- github.com/Azure/AKS/issues/3947
- github.com/advisories/GHSA-qppj-fm5r-hxr3
- github.com/advisories/GHSA-vx74-f528-fxqg
- github.com/advisories/GHSA-xpw8-rcwv-8f8p
- nvd.nist.gov/vuln/detail/CVE-2023-44487