CVE-2024-45397

Name: CVE-2024-45397
Description: h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When an HTTP request using TLS/1.3 early data on top of TCP Fast Open or QUIC 0-RTT packets is received and the IP-address-based access control is used, the access control does not detect and prohibit HTTP requests conveyed by packets with a spoofed source address. This behavior allows attackers on the network to execute HTTP requests from addresses that are otherwise rejected by the address-based access control. The vulnerability has been addressed in commit 15ed15a. Users may disable the use of TCP Fast Open and QUIC to mitigate the issue.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1084984
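The advisory's mitigation (disable TCP Fast Open and QUIC until a fixed h2o is available; every Debian release listed below is still unfixed) translates into a small configuration change. The following is an added example, not a configuration from the Debian tracker or the h2o project. It assumes the directive names as documented upstream (the global `tcp-fastopen` directive, a `listen` entry with `type: quic` for HTTP/3, and the mruby `acl` helper for IP-based access control); certificate paths, the 192.0.2.0/24 prefix and the document root are placeholders. Verify the directive names against the documentation of the installed h2o version.

```yaml
# Added example (not from the tracker page or the h2o project).
# Assumed: h2o directive names per upstream documentation; all paths
# and addresses are placeholders.

# Mitigation 1: disable TCP Fast Open. With TFO, SYN data can carry a
# TLS 1.3 early-data request before the three-way handshake has shown
# that the peer really owns the source address, so an IP-based ACL
# would be evaluated against a spoofable address.
tcp-fastopen: 0

listen:
  - port: 443
    ssl:
      certificate-file: /etc/h2o/server.crt
      key-file: /etc/h2o/server.key
  # Mitigation 2: no QUIC listener. QUIC 0-RTT packets likewise reach
  # the HTTP layer before address validation. The entry below is what
  # the weak (pre-mitigation) configuration would have contained:
  #- port: 443
  #  type: quic
  #  ssl:
  #    certificate-file: /etc/h2o/server.crt
  #    key-file: /etc/h2o/server.key

hosts:
  "example.com":
    paths:
      "/admin":
        # IP-address-based access control: the check the advisory says
        # can be bypassed by 0-RTT requests with a spoofed source.
        mruby.handler: |
          acl {
            allow { addr.start_with?("192.0.2.") }
            deny
          }
        file.dir: /srv/www/admin
```

Early data over an ordinary TCP connection is not affected by this CVE, because the TCP handshake has already confirmed the source address before any TLS bytes are accepted; that is why removing only the two 0-RTT-capable transports is sufficient as an interim measure. Once a package containing commit 15ed15a is installed the two settings can be reverted.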

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release                                 | Version                | Status
h2o (PTS)      | buster (security), buster, buster (lts) | 2.2.5+dfsg2-2+deb10u2  | vulnerable
               | bullseye                                | 2.2.5+dfsg2-6          | vulnerable
               | bookworm                                | 2.2.5+dfsg2-7          | vulnerable
               | sid, trixie                             | 2.2.5+dfsg2-9          | vulnerable

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version | Urgency     | Origin | Debian Bugs
h2o     | source | buster     | (unfixed)     | end-of-life |        |
h2o     | source | (unstable) | (unfixed)     |             |        | 1084984

Notes

[bookworm] - h2o <no-dsa> (Minor issue)
[bullseye] - h2o <postponed> (Minor issue; can be fixed in next update)
https://github.com/h2o/h2o/security/advisories/GHSA-jf2c-xjcp-wg4c
https://github.com/h2o/h2o/commit/15ed15a2efb83a77bb4baaa5a119e639c2f6898a
