Note: This project will be discontinued after December 13, 2021.
Product: H2o (Dena)
Repositories | https://github.com/h2o/h2o |
#Vulnerabilities | 17 |
Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2024-10-11 | CVE-2024-45403 | h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When h2o is configured as a reverse proxy and HTTP/3 requests are cancelled by the client, h2o might crash due to an assertion failure. The crash can be exploited by an attacker to mount a Denial-of-Service attack. By default, the h2o standalone server automatically restarts, minimizing the impact. However, HTTP requests that were served concurrently will still be disrupted. The vulnerability has been addressed in commit... | H2o | 7.5 | ||
2017-12-22 | CVE-2017-10868 | H2O version 2.2.2 and earlier allows remote attackers to cause a denial of service in the server via specially crafted HTTP/1 header. | H2o | 7.5 | ||
2018-06-26 | CVE-2018-0608 | Buffer overflow in H2O version 2.2.4 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (DoS) via unspecified vectors. | H2o | 9.8 | ||
2017-12-22 | CVE-2017-10908 | H2O version 2.2.3 and earlier allows remote attackers to cause a denial of service in the server via specially crafted HTTP/2 header. | H2o | 7.5 | ||
2017-12-22 | CVE-2017-10872 | H2O version 2.2.3 and earlier allows remote attackers to cause a denial of service in the server via unspecified vectors. | H2o | 6.5 | ||
2017-12-22 | CVE-2017-10869 | Buffer overflow in H2O version 2.2.2 and earlier allows remote attackers to cause a denial-of-service in the server via unspecified vectors. | H2o | 7.5 | ||
2017-06-09 | CVE-2016-7835 | Use-after-free vulnerability in H2O allows remote attackers to cause a denial-of-service (DoS) or obtain server certificate private keys and possibly other information. | H2o, H2o | 9.1 | ||
2016-06-19 | CVE-2016-4817 | lib/http2/connection.c in H2O before 1.7.3 and 2.x before 2.0.0-beta5 mishandles HTTP/2 disconnection, which allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly execute arbitrary code via a crafted packet. | H2o | 7.5 | ||
2016-01-16 | CVE-2016-1133 | CRLF injection vulnerability in the on_req function in lib/handler/redirect.c in H2O before 1.6.2 and 1.7.x before 1.7.0-beta3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URI. | H2o | 3.7 | ||
2017-05-12 | CVE-2016-4864 | H2O versions 2.0.3 and earlier and 2.1.0-beta2 and earlier allow remote attackers to cause a denial-of-service (DoS) via format string specifiers in a template file via fastcgi, mruby, proxy, redirect or reproxy. | H2o | 7.5 | ||