Home > Vulnerability Database > CVE-2023-30847

Mend.io Vulnerability Database

CVE-2023-30847

Date: April 27, 2023

H2O is an HTTP server. In versions 2.3.0-beta2 and prior, when the reverse proxy handler tries to processes a certain type of invalid HTTP request, it tries to build an upstream URL by reading from uninitialized pointer. This behavior can lead to crashes or leak of information to back end HTTP servers. Pull request number 3229 fixes the issue. The pull request has been merged to the `master` branch in commit f010336. Users should upgrade to commit f010336 or later.

Language: C

Severity Score

8.2

Related Resources (6)

Url: https://github.com/h2o/h2o/commit/f010336bab162839df43d9e87570897466c97e33

Url: https://security-tracker.debian.org/tracker/CVE-2023-30847

Url: https://github.com/h2o/h2o/pull/3229

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-30847

Url: https://github.com/h2o/h2o/security/advisories/GHSA-p5hj-phwj-hrvx

Url: https://www.mend.io/vulnerability-database/CVE-2023-30847

Severity Score

8.2

Weakness Type (CWE)

Access of Uninitialized Pointer

CWE-824

CVSS v3.1

Base Score:	8.2
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-30847

Date: April 27, 2023

Language: C

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?