Description

h2o is an open source http server. In code prior to the `8c0eca3` commit h2o may attempt to access uninitialized memory. When receiving QUIC frames in certain order, HTTP/3 server-side implementation of h2o can be misguided to treat uninitialized memory as HTTP/3 frames that have been received. When h2o is used as a reverse proxy, an attacker can abuse this vulnerability to send internal state of h2o to backend servers controlled by the attacker or third party. Also, if there is an HTTP endpoint that reflects the traffic sent from the client, an attacker can use that reflector to obtain internal state of h2o. This internal state includes traffic of other connections in unencrypted form and TLS session tickets. This vulnerability exists in h2o server with HTTP/3 support, between commit 93af138 and d1f0f65. None of the released versions of h2o are affected by this vulnerability. There are no known workarounds. Users of unreleased versions of h2o using HTTP/3 are advised to upgrade immediately.

Severity

 

CVSS Version 3.x CVSS Version 2.0

CVSS 3.x Severity and Metrics:

NIST: NVD

Base Score:  5.9 MEDIUM

Vector:  CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CNA:  GitHub, Inc.

Base Score:  7.4 HIGH

Vector:  CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H

NVD Analysts use publicly available information to associate vector strings and CVSS scores. We also display any CVSS information provided within the CVE List from the CNA.

Note: It is possible that the NVD CVSS may not match that of the CNA. The most common reason for this is that publicly available information does not provide sufficient detail or that information simply was not available at the time the CVSS vector string was assigned.

CVSS 2.0 Severity and Metrics:

NIST: NVD

Base Score:  4.3 MEDIUM

Vector:  (AV:N/AC:M/Au:N/C:P/I:N/A:N)

NVD Analysts use publicly available information to associate vector strings and CVSS scores. We also display any CVSS information provided within the CVE List from the CNA.

Note: NVD Analysts have published a CVSS score for this CVE based on publicly available information at the time of analysis. The CNA has not provided a score within the CVE List.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink	Resource
https://github.com/h2o/h2o/commit/8c0eca3	Patch  Third Party Advisory
https://github.com/h2o/h2o/security/advisories/GHSA-f9xw-j925-m4m4	Third Party Advisory

Weakness Enumeration

CWE-ID	CWE Name	Source
CWE-908	Use of Uninitialized Resource	GitHub, Inc.

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

1 change records found show changes

Initial Analysis by NIST 2/07/2022 4:11:22 PM

Action	Type	Old Value	New Value
Added	CPE Configuration		OR *cpe:2.3:a:dena:h2o:*:*:*:*:*:*:*:* versions up to (excluding) 2021-12-20
Added	CVSS V2		NIST (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Added	CVSS V3.1		NIST AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Changed	Reference Type	https://github.com/h2o/h2o/commit/8c0eca3 No Types Assigned	https://github.com/h2o/h2o/commit/8c0eca3 Patch, Third Party Advisory
Changed	Reference Type	https://github.com/h2o/h2o/security/advisories/GHSA-f9xw-j925-m4m4 No Types Assigned	https://github.com/h2o/h2o/security/advisories/GHSA-f9xw-j925-m4m4 Third Party Advisory