From b89fc8e72c625cde9177464ed59802ae6d94c32e Mon Sep 17 00:00:00 2001 From: github-actions Date: Sun, 3 Aug 2025 13:16:36 +0000 Subject: [PATCH 1/2] chore: trivy security alert log --- .security-alert.log | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 .security-alert.log diff --git a/.security-alert.log b/.security-alert.log new file mode 100644 index 0000000000..9f57f7c849 --- /dev/null +++ b/.security-alert.log @@ -0,0 +1,13 @@ +* CVE-2023-39325 - golang.org/x/net (HIGH) +* GHSA-m425-mq94-257g - google.golang.org/grpc (HIGH) +* CVE-2024-45337 - golang.org/x/crypto (CRITICAL) +* CVE-2022-27191 - golang.org/x/crypto (HIGH) +* CVE-2025-22869 - golang.org/x/crypto (HIGH) +* CVE-2023-39325 - golang.org/x/net (HIGH) +* CVE-2025-22868 - golang.org/x/oauth2 (HIGH) +* GHSA-m425-mq94-257g - google.golang.org/grpc (HIGH) +* CVE-2024-45337 - golang.org/x/crypto (CRITICAL) +* CVE-2025-22869 - golang.org/x/crypto (HIGH) +* CVE-2023-39325 - golang.org/x/net (HIGH) +* CVE-2025-22868 - golang.org/x/oauth2 (HIGH) +* GHSA-m425-mq94-257g - google.golang.org/grpc (HIGH) From 49b214e27c0a1f666b145c945e664deeaee600f0 Mon Sep 17 00:00:00 2001 From: hsri-pf9 Date: Sun, 3 Aug 2025 13:16:36 +0000 Subject: [PATCH 2/2] =?UTF-8?q?chore:=20high/critical=20vulnerabilities=20?= =?UTF-8?q?detected=20=F0=9F=9A=A8?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- tmp/pr-body.md | 17 + tmp/trivy-report.json | 4766 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 4783 insertions(+) create mode 100644 tmp/pr-body.md create mode 100644 tmp/trivy-report.json diff --git a/tmp/pr-body.md b/tmp/pr-body.md new file mode 100644 index 0000000000..25e5ec89fc --- /dev/null +++ b/tmp/pr-body.md @@ -0,0 +1,17 @@ +# 🚨 Trivy Vulnerability Report (High/Critical) + +| Target | Package | Severity | Title | CVE | Installed | Fixed | +|--------|---------|----------|-------|-----|-----------|-------| +| api/v2/go.mod | golang.org/x/net | HIGH | golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) | CVE-2023-39325 | v0.7.0 | 0.17.0 | +| api/v2/go.mod | google.golang.org/grpc | HIGH | gRPC-Go HTTP/2 Rapid Reset vulnerability | GHSA-m425-mq94-257g | v1.47.0 | 1.56.3, 1.57.1, 1.58.3 | +| examples/go.mod | golang.org/x/crypto | CRITICAL | golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto | CVE-2024-45337 | v0.0.0-20220112180741-5e0467b6c7ce | 0.31.0 | +| examples/go.mod | golang.org/x/crypto | HIGH | golang: crash in a golang.org/x/crypto/ssh server | CVE-2022-27191 | v0.0.0-20220112180741-5e0467b6c7ce | 0.0.0-20220314234659-1baeb1ce4c0b | +| examples/go.mod | golang.org/x/crypto | HIGH | golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh | CVE-2025-22869 | v0.0.0-20220112180741-5e0467b6c7ce | 0.35.0 | +| examples/go.mod | golang.org/x/net | HIGH | golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) | CVE-2023-39325 | v0.7.0 | 0.17.0 | +| examples/go.mod | golang.org/x/oauth2 | HIGH | golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws | CVE-2025-22868 | v0.0.0-20211104180415-d3ed0bb246c8 | 0.27.0 | +| examples/go.mod | google.golang.org/grpc | HIGH | gRPC-Go HTTP/2 Rapid Reset vulnerability | GHSA-m425-mq94-257g | v1.43.0 | 1.56.3, 1.57.1, 1.58.3 | +| go.mod | golang.org/x/crypto | CRITICAL | golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto | CVE-2024-45337 | v0.0.0-20220622213112-05595931fe9d | 0.31.0 | +| go.mod | golang.org/x/crypto | HIGH | golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh | CVE-2025-22869 | v0.0.0-20220622213112-05595931fe9d | 0.35.0 | +| go.mod | golang.org/x/net | HIGH | golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) | CVE-2023-39325 | v0.7.0 | 0.17.0 | +| go.mod | golang.org/x/oauth2 | HIGH | golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws | CVE-2025-22868 | v0.0.0-20220822191816-0ebed06d0094 | 0.27.0 | +| go.mod | google.golang.org/grpc | HIGH | gRPC-Go HTTP/2 Rapid Reset vulnerability | GHSA-m425-mq94-257g | v1.49.0 | 1.56.3, 1.57.1, 1.58.3 | diff --git a/tmp/trivy-report.json b/tmp/trivy-report.json new file mode 100644 index 0000000000..0a26932891 --- /dev/null +++ b/tmp/trivy-report.json @@ -0,0 +1,4766 @@ +{ + "SchemaVersion": 2, + "CreatedAt": "2025-08-03T13:16:24.70893627Z", + "ArtifactName": ".", + "ArtifactType": "filesystem", + "Metadata": { + "RepoURL": "https://github.com/platform9/dex", + "Branch": "private/soc2", + "Commit": "9e88c5be0af574ae26ca4b5c1e1b733cbff8d0d6", + "CommitMsg": "changes in workflow", + "Author": "Harsh Srivastava \u003charshsrivastava@C02G82GRML7H.local\u003e", + "Committer": "Harsh Srivastava \u003charshsrivastava@C02G82GRML7H.local\u003e" + }, + "Results": [ + { + "Target": "api/v2/go.mod", + "Class": "lang-pkgs", + "Type": "gomod", + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2023-39325", + "PkgID": "golang.org/x/net@v0.7.0", + "PkgName": "golang.org/x/net", + "PkgIdentifier": { + "PURL": "pkg:golang/golang.org/x/net@v0.7.0", + "UID": "2d04c9eb28132c6a" + }, + "InstalledVersion": "v0.7.0", + "FixedVersion": "0.17.0", + "Status": "fixed", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-39325", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)", + "Description": "A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-770" + ], + "VendorSeverity": { + "alma": 2, + "amazon": 3, + "azure": 3, + "bitnami": 3, + "cbl-mariner": 3, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 2, + "redhat": 3, + "rocky": 2, + "ubuntu": 2 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "golang.org/x/net", + "https://access.redhat.com/errata/RHSA-2023:6077", + "https://access.redhat.com/security/cve/CVE-2023-39325", + "https://access.redhat.com/security/cve/CVE-2023-44487", + "https://bugzilla.redhat.com/2242803", + "https://bugzilla.redhat.com/2243296", + "https://bugzilla.redhat.com/show_bug.cgi?id=2242803", + "https://bugzilla.redhat.com/show_bug.cgi?id=2243296", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39325", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487", + "https://errata.almalinux.org/9/ALSA-2023-6077.html", + "https://errata.rockylinux.org/RLSA-2023:6077", + "https://github.com/golang/go/commit/24ae2d927285c697440fdde3ad7f26028354bcf3 [golang- 1.21]", + "https://github.com/golang/go/commit/e175f27f58aa7b9cd4d79607ae65d2cd5baaee68 [golang-1.20]", + "https://github.com/golang/go/issues/63417", + "https://go.dev/cl/534215", + "https://go.dev/cl/534235", + "https://go.dev/issue/63417", + "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ", + "https://linux.oracle.com/cve/CVE-2023-39325.html", + "https://linux.oracle.com/errata/ELSA-2023-5867.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3OVW5V2DM5K5IC3H7O42YDUGNJ74J35O", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3OVW5V2DM5K5IC3H7O42YDUGNJ74J35O/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3SZN67IL7HMGMNAVLOTIXLIHUDXZK4LH", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3SZN67IL7HMGMNAVLOTIXLIHUDXZK4LH/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3WJ4QVX2AMUJ2F2S27POOAHRC4K3CHU4", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3WJ4QVX2AMUJ2F2S27POOAHRC4K3CHU4/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5RSKA2II6QTD4YUKUNDVJQSRYSFC4VFR", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5RSKA2II6QTD4YUKUNDVJQSRYSFC4VFR/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVZDNSMVDAQJ64LJC5I5U5LDM5753647", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVZDNSMVDAQJ64LJC5I5U5LDM5753647/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2BBIDR2ZMB3X5BC7SR4SLQMHRMVPY6L", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2BBIDR2ZMB3X5BC7SR4SLQMHRMVPY6L/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ECRC75BQJP6FJN2L7KCKYZW4DSBD7QSD", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ECRC75BQJP6FJN2L7KCKYZW4DSBD7QSD/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FTMJ3NJIDAZFWJQQSP3L22MUFJ3UP2PT", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FTMJ3NJIDAZFWJQQSP3L22MUFJ3UP2PT/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GSY7SXFFTPZFWDM6XELSDSHZLVW3AHK7", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GSY7SXFFTPZFWDM6XELSDSHZLVW3AHK7/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HZQIELEIRSZUYTFFH5KTH2YJ4IIQG2KE", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HZQIELEIRSZUYTFFH5KTH2YJ4IIQG2KE/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPWCNYB5PQ5PCVZ4NJT6G56ZYFZ5QBU6", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPWCNYB5PQ5PCVZ4NJT6G56ZYFZ5QBU6/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L5E5JSJBZLYXOTZWXHJKRVCIXIHVWKJ6", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L5E5JSJBZLYXOTZWXHJKRVCIXIHVWKJ6/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MZQYOOKHQDQ57LV2IAG6NRFOVXKHJJ3Z", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MZQYOOKHQDQ57LV2IAG6NRFOVXKHJJ3Z/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NG7IMPL55MVWU3LCI4JQJT3K2U5CHDV7", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NG7IMPL55MVWU3LCI4JQJT3K2U5CHDV7/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ODBY7RVMGZCBSTWF2OZGIZS57FNFUL67", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ODBY7RVMGZCBSTWF2OZGIZS57FNFUL67/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OXGWPQOJ3JNDW2XIYKIVJ7N7QUIFNM2Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OXGWPQOJ3JNDW2XIYKIVJ7N7QUIFNM2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PJCUNGIQDUMZ4Z6HWVYIMR66A35F5S74", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PJCUNGIQDUMZ4Z6HWVYIMR66A35F5S74/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QF5QSYAOPDOWLY6DUHID56Q4HQFYB45I", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QF5QSYAOPDOWLY6DUHID56Q4HQFYB45I/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QXOU2JZUBEBP7GBKAYIJRPRBZSJCD7ST", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QXOU2JZUBEBP7GBKAYIJRPRBZSJCD7ST/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R3UETKPUB3V5JS5TLZOF3SMTGT5K5APS", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R3UETKPUB3V5JS5TLZOF3SMTGT5K5APS/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ULQQONMSCQSH5Z5OWFFQHCGEZ3NL4DRJ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ULQQONMSCQSH5Z5OWFFQHCGEZ3NL4DRJ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UTT7DG3QOF5ZNJLUGHDNLRUIN6OWZARP", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UTT7DG3QOF5ZNJLUGHDNLRUIN6OWZARP/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W2LZSWTV4NV4SNQARNXG5T6LRHP26EW2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W2LZSWTV4NV4SNQARNXG5T6LRHP26EW2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WCNCBYKZXLDFGAJUB7ZP5VLC3YTHJNVH", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WCNCBYKZXLDFGAJUB7ZP5VLC3YTHJNVH/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XTNLSL44Y5FB6JWADSZH6DCV4JJAAEQY", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XTNLSL44Y5FB6JWADSZH6DCV4JJAAEQY/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YJWHBLVZDM5KQSDFRBFRKU5KSSOLIRQ4", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YJWHBLVZDM5KQSDFRBFRKU5KSSOLIRQ4/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YRKEXKANQ7BKJW2YTAMP625LJUJZLJ4P", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YRKEXKANQ7BKJW2YTAMP625LJUJZLJ4P/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZSVEMQV5ROY5YW5QE3I57HT3ITWG5GCV", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZSVEMQV5ROY5YW5QE3I57HT3ITWG5GCV/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-39325", + "https://pkg.go.dev/vuln/GO-2023-2102", + "https://security.gentoo.org/glsa/202311-09", + "https://security.netapp.com/advisory/ntap-20231110-0008", + "https://security.netapp.com/advisory/ntap-20231110-0008/", + "https://ubuntu.com/security/notices/USN-6574-1", + "https://ubuntu.com/security/notices/USN-7061-1", + "https://ubuntu.com/security/notices/USN-7109-1", + "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487", + "https://www.cve.org/CVERecord?id=CVE-2023-39325" + ], + "PublishedDate": "2023-10-11T22:15:09.88Z", + "LastModifiedDate": "2024-11-21T08:15:09.627Z" + }, + { + "VulnerabilityID": "CVE-2023-3978", + "PkgID": "golang.org/x/net@v0.7.0", + "PkgName": "golang.org/x/net", + "PkgIdentifier": { + "PURL": "pkg:golang/golang.org/x/net@v0.7.0", + "UID": "2d04c9eb28132c6a" + }, + "InstalledVersion": "v0.7.0", + "FixedVersion": "0.13.0", + "Status": "fixed", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-3978", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "golang.org/x/net/html: Cross site scripting", + "Description": "Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-79" + ], + "VendorSeverity": { + "alma": 2, + "amazon": 2, + "azure": 2, + "cbl-mariner": 2, + "ghsa": 2, + "nvd": 2, + "oracle-oval": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:6474", + "https://access.redhat.com/security/cve/CVE-2023-3978", + "https://bugzilla.redhat.com/2174485", + "https://bugzilla.redhat.com/2178358", + "https://bugzilla.redhat.com/2178488", + "https://bugzilla.redhat.com/2178492", + "https://bugzilla.redhat.com/2184481", + "https://bugzilla.redhat.com/2184482", + "https://bugzilla.redhat.com/2184483", + "https://bugzilla.redhat.com/2184484", + "https://bugzilla.redhat.com/2196026", + "https://bugzilla.redhat.com/2196027", + "https://bugzilla.redhat.com/2196029", + "https://bugzilla.redhat.com/2222167", + "https://bugzilla.redhat.com/2228689", + "https://errata.almalinux.org/9/ALSA-2023-6474.html", + "https://go.dev/cl/514896", + "https://go.dev/issue/61615", + "https://linux.oracle.com/cve/CVE-2023-3978.html", + "https://linux.oracle.com/errata/ELSA-2023-6939.html", + "https://nvd.nist.gov/vuln/detail/CVE-2023-3978", + "https://pkg.go.dev/vuln/GO-2023-1988", + "https://www.cve.org/CVERecord?id=CVE-2023-3978" + ], + "PublishedDate": "2023-08-02T20:15:12.097Z", + "LastModifiedDate": "2024-11-21T08:18:27.68Z" + }, + { + "VulnerabilityID": "CVE-2023-44487", + "PkgID": "golang.org/x/net@v0.7.0", + "PkgName": "golang.org/x/net", + "PkgIdentifier": { + "PURL": "pkg:golang/golang.org/x/net@v0.7.0", + "UID": "2d04c9eb28132c6a" + }, + "InstalledVersion": "v0.7.0", + "FixedVersion": "0.17.0", + "Status": "fixed", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-44487", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)", + "Description": "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-400" + ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "azure": 3, + "bitnami": 3, + "cbl-mariner": 3, + "ghsa": 2, + "nvd": 3, + "oracle-oval": 3, + "photon": 3, + "redhat": 3, + "rocky": 3, + "ubuntu": 3 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2023/10/10/6", + "http://www.openwall.com/lists/oss-security/2023/10/10/7", + "http://www.openwall.com/lists/oss-security/2023/10/13/4", + "http://www.openwall.com/lists/oss-security/2023/10/13/9", + "http://www.openwall.com/lists/oss-security/2023/10/18/4", + "http://www.openwall.com/lists/oss-security/2023/10/18/8", + "http://www.openwall.com/lists/oss-security/2023/10/19/6", + "http://www.openwall.com/lists/oss-security/2023/10/20/8", + "https://access.redhat.com/errata/RHSA-2023:6746", + "https://access.redhat.com/security/cve/CVE-2023-44487", + "https://access.redhat.com/security/cve/cve-2023-44487", + "https://akka.io/security/akka-http-cve-2023-44487.html", + "https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size", + "https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/", + "https://aws.amazon.com/security/security-bulletins/AWS-2023-011", + "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/", + "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack", + "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/", + "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack", + "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/", + "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty", + "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/", + "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack", + "https://blog.vespa.ai/cve-2023-44487", + "https://blog.vespa.ai/cve-2023-44487/", + "https://bugzilla.proxmox.com/show_bug.cgi?id=4988", + "https://bugzilla.redhat.com/2242803", + "https://bugzilla.redhat.com/show_bug.cgi?id=2242803", + "https://bugzilla.suse.com/show_bug.cgi?id=1216123", + "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9", + "https://chaos.social/@icing/111210915918780532", + "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps", + "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/", + "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack", + "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487", + "https://devblogs.microsoft.com/dotnet/october-2023-updates/", + "https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715", + "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve", + "https://errata.almalinux.org/9/ALSA-2023-6746.html", + "https://errata.rockylinux.org/RLSA-2023:5838", + "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764", + "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088", + "https://github.com/Azure/AKS/issues/3947", + "https://github.com/Kong/kong/discussions/11741", + "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", + "https://github.com/advisories/GHSA-vx74-f528-fxqg", + "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p", + "https://github.com/akka/akka-http/issues/4323", + "https://github.com/akka/akka-http/pull/4324", + "https://github.com/akka/akka-http/pull/4325", + "https://github.com/alibaba/tengine/issues/1872", + "https://github.com/apache/apisix/issues/10320", + "https://github.com/apache/httpd-site/pull/10", + "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113", + "https://github.com/apache/tomcat/commit/944332bb15bd2f3bf76ec2caeb1ff0a58a3bc628", + "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2", + "https://github.com/apache/trafficserver/pull/10564", + "https://github.com/apple/swift-nio-http2", + "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-qppj-fm5r-hxr3", + "https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487", + "https://github.com/bcdannyboy/CVE-2023-44487", + "https://github.com/caddyserver/caddy/issues/5877", + "https://github.com/caddyserver/caddy/releases/tag/v2.7.5", + "https://github.com/dotnet/announcements/issues/277", + "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73", + "https://github.com/eclipse/jetty.project/issues/10679", + "https://github.com/envoyproxy/envoy/pull/30055", + "https://github.com/etcd-io/etcd/issues/16740", + "https://github.com/facebook/proxygen/pull/466", + "https://github.com/golang/go/issues/63417", + "https://github.com/grpc/grpc-go/pull/6703", + "https://github.com/grpc/grpc-go/releases", + "https://github.com/grpc/grpc/releases/tag/v1.59.2", + "https://github.com/h2o/h2o/pull/3291", + "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf", + "https://github.com/haproxy/haproxy/issues/2312", + "https://github.com/hyperium/hyper/issues/3337", + "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244", + "https://github.com/junkurihara/rust-rpxy/issues/97", + "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1", + "https://github.com/kazu-yamamoto/http2/issues/93", + "https://github.com/kubernetes/kubernetes/pull/121120", + "https://github.com/line/armeria/pull/5232", + "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632", + "https://github.com/micrictor/http2-rst-stream", + "https://github.com/microsoft/CBL-Mariner/pull/6381", + "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61", + "https://github.com/nghttp2/nghttp2/pull/1961", + "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0", + "https://github.com/ninenines/cowboy/issues/1615", + "https://github.com/nodejs/node/pull/50121", + "https://github.com/openresty/openresty/issues/930", + "https://github.com/opensearch-project/data-prepper/issues/3474", + "https://github.com/oqtane/oqtane.framework/discussions/3367", + "https://github.com/projectcontour/contour/pull/5826", + "https://github.com/tempesta-tech/tempesta/issues/1986", + "https://github.com/varnishcache/varnish-cache/issues/3996", + "https://go.dev/cl/534215", + "https://go.dev/cl/534235", + "https://go.dev/issue/63417", + "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo", + "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ", + "https://istio.io/latest/news/security/istio-security-2023-004", + "https://istio.io/latest/news/security/istio-security-2023-004/", + "https://linkerd.io/2023/10/12/linkerd-cve-2023-44487", + "https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/", + "https://linux.oracle.com/cve/CVE-2023-44487.html", + "https://linux.oracle.com/errata/ELSA-2024-1444.html", + "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html", + "https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html", + "https://lists.debian.org/debian-lts-announce/2023/11/msg00012.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/", + "https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html", + "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html", + "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html", + "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2", + "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487", + "https://my.f5.com/manage/s/article/K000137106", + "https://netty.io/news/2023/10/10/4-1-100-Final.html", + "https://news.ycombinator.com/item?id=37830987", + "https://news.ycombinator.com/item?id=37830998", + "https://news.ycombinator.com/item?id=37831062", + "https://news.ycombinator.com/item?id=37837043", + "https://nodejs.org/en/blog/vulnerability/october-2023-security-releases", + "https://nvd.nist.gov/vuln/detail/CVE-2023-44487", + "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response", + "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/", + "https://pkg.go.dev/vuln/GO-2023-2102", + "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected", + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http2-reset-d8Kf32vZ", + "https://security.gentoo.org/glsa/202311-09", + "https://security.netapp.com/advisory/ntap-20231016-0001", + "https://security.netapp.com/advisory/ntap-20231016-0001/", + "https://security.netapp.com/advisory/ntap-20240426-0007", + "https://security.netapp.com/advisory/ntap-20240426-0007/", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://security.netapp.com/advisory/ntap-20240621-0007", + "https://security.netapp.com/advisory/ntap-20240621-0007/", + "https://security.paloaltonetworks.com/CVE-2023-44487", + "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14", + "https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.0-M12", + "https://tomcat.apache.org/security-8.html", + "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.94", + "https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.81", + "https://ubuntu.com/security/CVE-2023-44487", + "https://ubuntu.com/security/notices/USN-6427-1", + "https://ubuntu.com/security/notices/USN-6427-2", + "https://ubuntu.com/security/notices/USN-6438-1", + "https://ubuntu.com/security/notices/USN-6505-1", + "https://ubuntu.com/security/notices/USN-6574-1", + "https://ubuntu.com/security/notices/USN-6754-1", + "https://ubuntu.com/security/notices/USN-6994-1", + "https://ubuntu.com/security/notices/USN-7067-1", + "https://ubuntu.com/security/notices/USN-7410-1", + "https://ubuntu.com/security/notices/USN-7469-1", + "https://ubuntu.com/security/notices/USN-7469-2", + "https://ubuntu.com/security/notices/USN-7469-3", + "https://ubuntu.com/security/notices/USN-7469-4", + "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records", + "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/", + "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", + "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487", + "https://www.cve.org/CVERecord?id=CVE-2023-44487", + "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event", + "https://www.debian.org/security/2023/dsa-5521", + "https://www.debian.org/security/2023/dsa-5522", + "https://www.debian.org/security/2023/dsa-5540", + "https://www.debian.org/security/2023/dsa-5549", + "https://www.debian.org/security/2023/dsa-5558", + "https://www.debian.org/security/2023/dsa-5570", + "https://www.eclipse.org/lists/jetty-announce/msg00181.html", + "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487", + "https://www.mail-archive.com/haproxy@formilux.org/msg44134.html", + "https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487", + "https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/", + "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products", + "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/", + "https://www.openwall.com/lists/oss-security/2023/10/10/6", + "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack", + "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday", + "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/", + "https://www.vicarius.io/vsociety/posts/rapid-reset-cve-2023-44487-dos-in-http2-understanding-the-root-cause" + ], + "PublishedDate": "2023-10-10T14:15:10.883Z", + "LastModifiedDate": "2025-06-11T17:29:54.137Z" + }, + { + "VulnerabilityID": "CVE-2023-45288", + "PkgID": "golang.org/x/net@v0.7.0", + "PkgName": "golang.org/x/net", + "PkgIdentifier": { + "PURL": "pkg:golang/golang.org/x/net@v0.7.0", + "UID": "2d04c9eb28132c6a" + }, + "InstalledVersion": "v0.7.0", + "FixedVersion": "0.23.0", + "Status": "fixed", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-45288", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS", + "Description": "An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.", + "Severity": "MEDIUM", + "VendorSeverity": { + "alma": 3, + "amazon": 2, + "azure": 3, + "bitnami": 3, + "cbl-mariner": 3, + "ghsa": 2, + "oracle-oval": 3, + "photon": 3, + "redhat": 3, + "rocky": 3, + "ubuntu": 2 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2024/04/03/16", + "http://www.openwall.com/lists/oss-security/2024/04/05/4", + "https://access.redhat.com/errata/RHSA-2024:2724", + "https://access.redhat.com/security/cve/CVE-2023-45288", + "https://bugzilla.redhat.com/2268017", + "https://bugzilla.redhat.com/2268018", + "https://bugzilla.redhat.com/2268019", + "https://bugzilla.redhat.com/2268273", + "https://bugzilla.redhat.com/show_bug.cgi?id=2268017", + "https://bugzilla.redhat.com/show_bug.cgi?id=2268018", + "https://bugzilla.redhat.com/show_bug.cgi?id=2268019", + "https://bugzilla.redhat.com/show_bug.cgi?id=2268273", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45288", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45289", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45290", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24783", + "https://errata.almalinux.org/9/ALSA-2024-2724.html", + "https://errata.rockylinux.org/RLSA-2024:2724", + "https://go.dev/cl/576155", + "https://go.dev/issue/65051", + "https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M", + "https://kb.cert.org/vuls/id/421644", + "https://linux.oracle.com/cve/CVE-2023-45288.html", + "https://linux.oracle.com/errata/ELSA-2024-3346.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/", + "https://nowotarski.info/http2-continuation-flood-technical-details", + "https://nowotarski.info/http2-continuation-flood/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-45288", + "https://pkg.go.dev/vuln/GO-2024-2687", + "https://security.netapp.com/advisory/ntap-20240419-0009", + "https://security.netapp.com/advisory/ntap-20240419-0009/", + "https://ubuntu.com/security/notices/USN-6886-1", + "https://ubuntu.com/security/notices/USN-7109-1", + "https://ubuntu.com/security/notices/USN-7111-1", + "https://www.cve.org/CVERecord?id=CVE-2023-45288", + "https://www.kb.cert.org/vuls/id/421644" + ], + "PublishedDate": "2024-04-04T21:15:16.113Z", + "LastModifiedDate": "2024-11-21T08:26:42.38Z" + }, + { + "VulnerabilityID": "CVE-2025-22870", + "PkgID": "golang.org/x/net@v0.7.0", + "PkgName": "golang.org/x/net", + "PkgIdentifier": { + "PURL": "pkg:golang/golang.org/x/net@v0.7.0", + "UID": "2d04c9eb28132c6a" + }, + "InstalledVersion": "v0.7.0", + "FixedVersion": "0.36.0", + "Status": "fixed", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-22870", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "golang.org/x/net/proxy: golang.org/x/net/http/httpproxy: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net", + "Description": "Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to \"*.example.com\", a request to \"[::1%25.example.com]:80` will incorrectly match and not be proxied.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-115" + ], + "VendorSeverity": { + "amazon": 2, + "azure": 2, + "cbl-mariner": 2, + "ghsa": 2, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L", + "V3Score": 4.4 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L", + "V3Score": 4.4 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2025/03/07/2", + "https://access.redhat.com/security/cve/CVE-2025-22870", + "https://github.com/golang/go/issues/71984", + "https://go-review.googlesource.com/q/project:net", + "https://go.dev/cl/654697", + "https://go.dev/issue/71984", + "https://groups.google.com/g/golang-announce/c/4t3lzH3I0eI/m/b42ImqrBAQAJ", + "https://nvd.nist.gov/vuln/detail/CVE-2025-22870", + "https://pkg.go.dev/vuln/GO-2025-3503", + "https://security.netapp.com/advisory/ntap-20250509-0007", + "https://security.netapp.com/advisory/ntap-20250509-0007/", + "https://ubuntu.com/security/notices/USN-7574-1", + "https://www.cve.org/CVERecord?id=CVE-2025-22870" + ], + "PublishedDate": "2025-03-12T19:15:38.31Z", + "LastModifiedDate": "2025-05-09T20:15:38.727Z" + }, + { + "VulnerabilityID": "CVE-2025-22872", + "PkgID": "golang.org/x/net@v0.7.0", + "PkgName": "golang.org/x/net", + "PkgIdentifier": { + "PURL": "pkg:golang/golang.org/x/net@v0.7.0", + "UID": "2d04c9eb28132c6a" + }, + "InstalledVersion": "v0.7.0", + "FixedVersion": "0.38.0", + "Status": "fixed", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-22872", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "golang.org/x/net/html: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net", + "Description": "The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. \u003cmath\u003e, \u003csvg\u003e, etc contexts).", + "Severity": "MEDIUM", + "VendorSeverity": { + "amazon": 3, + "azure": 2, + "cbl-mariner": 2, + "ghsa": 2, + "redhat": 2 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L", + "V3Score": 6.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2025-22872", + "https://github.com/advisories/GHSA-vvgc-356p-c3xw", + "https://go.dev/cl/662715", + "https://go.dev/issue/73070", + "https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA", + "https://nvd.nist.gov/vuln/detail/CVE-2025-22872", + "https://pkg.go.dev/vuln/GO-2025-3595", + "https://security.netapp.com/advisory/ntap-20250516-0007", + "https://security.netapp.com/advisory/ntap-20250516-0007/", + "https://www.cve.org/CVERecord?id=CVE-2025-22872" + ], + "PublishedDate": "2025-04-16T18:16:04.183Z", + "LastModifiedDate": "2025-05-16T23:15:19.707Z" + }, + { + "VulnerabilityID": "GHSA-m425-mq94-257g", + "PkgID": "google.golang.org/grpc@v1.47.0", + "PkgName": "google.golang.org/grpc", + "PkgIdentifier": { + "PURL": "pkg:golang/google.golang.org/grpc@v1.47.0", + "UID": "9f38c01d0fce29c7" + }, + "InstalledVersion": "v1.47.0", + "FixedVersion": "1.56.3, 1.57.1, 1.58.3", + "Status": "fixed", + "SeveritySource": "ghsa", + "PrimaryURL": "https://github.com/advisories/GHSA-m425-mq94-257g", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "gRPC-Go HTTP/2 Rapid Reset vulnerability", + "Description": "### Impact\nIn affected releases of gRPC-Go, it is possible for an attacker to send HTTP/2 requests, cancel them, and send subsequent requests, which is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit.\n\n### Patches\nThis vulnerability was addressed by #6703 and has been included in patch releases: 1.56.3, 1.57.1, 1.58.3. It is also included in the latest release, 1.59.0.\n\nAlong with applying the patch, users should also ensure they are using the `grpc.MaxConcurrentStreams` server option to apply a limit to the server's resources used for any single connection.\n\n### Workarounds\nNone.\n\n### References\n#6703\n", + "Severity": "HIGH", + "VendorSeverity": { + "ghsa": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://github.com/grpc/grpc-go", + "https://github.com/grpc/grpc-go/commit/f2180b4d5403d2210b30b93098eb7da31c05c721", + "https://github.com/grpc/grpc-go/pull/6703", + "https://github.com/grpc/grpc-go/security/advisories/GHSA-m425-mq94-257g", + "https://nvd.nist.gov/vuln/detail/CVE-2023-44487" + ], + "PublishedDate": "2023-10-25T21:17:37Z", + "LastModifiedDate": "2024-07-19T16:32:30Z" + }, + { + "VulnerabilityID": "CVE-2023-44487", + "PkgID": "google.golang.org/grpc@v1.47.0", + "PkgName": "google.golang.org/grpc", + "PkgIdentifier": { + "PURL": "pkg:golang/google.golang.org/grpc@v1.47.0", + "UID": "9f38c01d0fce29c7" + }, + "InstalledVersion": "v1.47.0", + "FixedVersion": "1.58.3, 1.57.1, 1.56.3", + "Status": "fixed", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-44487", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)", + "Description": "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-400" + ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "azure": 3, + "bitnami": 3, + "cbl-mariner": 3, + "ghsa": 2, + "nvd": 3, + "oracle-oval": 3, + "photon": 3, + "redhat": 3, + "rocky": 3, + "ubuntu": 3 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2023/10/10/6", + "http://www.openwall.com/lists/oss-security/2023/10/10/7", + "http://www.openwall.com/lists/oss-security/2023/10/13/4", + "http://www.openwall.com/lists/oss-security/2023/10/13/9", + "http://www.openwall.com/lists/oss-security/2023/10/18/4", + "http://www.openwall.com/lists/oss-security/2023/10/18/8", + "http://www.openwall.com/lists/oss-security/2023/10/19/6", + "http://www.openwall.com/lists/oss-security/2023/10/20/8", + "https://access.redhat.com/errata/RHSA-2023:6746", + "https://access.redhat.com/security/cve/CVE-2023-44487", + "https://access.redhat.com/security/cve/cve-2023-44487", + "https://akka.io/security/akka-http-cve-2023-44487.html", + "https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size", + "https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/", + "https://aws.amazon.com/security/security-bulletins/AWS-2023-011", + "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/", + "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack", + "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/", + "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack", + "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/", + "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty", + "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/", + "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack", + "https://blog.vespa.ai/cve-2023-44487", + "https://blog.vespa.ai/cve-2023-44487/", + "https://bugzilla.proxmox.com/show_bug.cgi?id=4988", + "https://bugzilla.redhat.com/2242803", + "https://bugzilla.redhat.com/show_bug.cgi?id=2242803", + "https://bugzilla.suse.com/show_bug.cgi?id=1216123", + "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9", + "https://chaos.social/@icing/111210915918780532", + "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps", + "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/", + "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack", + "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487", + "https://devblogs.microsoft.com/dotnet/october-2023-updates/", + "https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715", + "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve", + "https://errata.almalinux.org/9/ALSA-2023-6746.html", + "https://errata.rockylinux.org/RLSA-2023:5838", + "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764", + "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088", + "https://github.com/Azure/AKS/issues/3947", + "https://github.com/Kong/kong/discussions/11741", + "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", + "https://github.com/advisories/GHSA-vx74-f528-fxqg", + "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p", + "https://github.com/akka/akka-http/issues/4323", + "https://github.com/akka/akka-http/pull/4324", + "https://github.com/akka/akka-http/pull/4325", + "https://github.com/alibaba/tengine/issues/1872", + "https://github.com/apache/apisix/issues/10320", + "https://github.com/apache/httpd-site/pull/10", + "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113", + "https://github.com/apache/tomcat/commit/944332bb15bd2f3bf76ec2caeb1ff0a58a3bc628", + "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2", + "https://github.com/apache/trafficserver/pull/10564", + "https://github.com/apple/swift-nio-http2", + "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-qppj-fm5r-hxr3", + "https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487", + "https://github.com/bcdannyboy/CVE-2023-44487", + "https://github.com/caddyserver/caddy/issues/5877", + "https://github.com/caddyserver/caddy/releases/tag/v2.7.5", + "https://github.com/dotnet/announcements/issues/277", + "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73", + "https://github.com/eclipse/jetty.project/issues/10679", + "https://github.com/envoyproxy/envoy/pull/30055", + "https://github.com/etcd-io/etcd/issues/16740", + "https://github.com/facebook/proxygen/pull/466", + "https://github.com/golang/go/issues/63417", + "https://github.com/grpc/grpc-go/pull/6703", + "https://github.com/grpc/grpc-go/releases", + "https://github.com/grpc/grpc/releases/tag/v1.59.2", + "https://github.com/h2o/h2o/pull/3291", + "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf", + "https://github.com/haproxy/haproxy/issues/2312", + "https://github.com/hyperium/hyper/issues/3337", + "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244", + "https://github.com/junkurihara/rust-rpxy/issues/97", + "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1", + "https://github.com/kazu-yamamoto/http2/issues/93", + "https://github.com/kubernetes/kubernetes/pull/121120", + "https://github.com/line/armeria/pull/5232", + "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632", + "https://github.com/micrictor/http2-rst-stream", + "https://github.com/microsoft/CBL-Mariner/pull/6381", + "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61", + "https://github.com/nghttp2/nghttp2/pull/1961", + "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0", + "https://github.com/ninenines/cowboy/issues/1615", + "https://github.com/nodejs/node/pull/50121", + "https://github.com/openresty/openresty/issues/930", + "https://github.com/opensearch-project/data-prepper/issues/3474", + "https://github.com/oqtane/oqtane.framework/discussions/3367", + "https://github.com/projectcontour/contour/pull/5826", + "https://github.com/tempesta-tech/tempesta/issues/1986", + "https://github.com/varnishcache/varnish-cache/issues/3996", + "https://go.dev/cl/534215", + "https://go.dev/cl/534235", + "https://go.dev/issue/63417", + "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo", + "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ", + "https://istio.io/latest/news/security/istio-security-2023-004", + "https://istio.io/latest/news/security/istio-security-2023-004/", + "https://linkerd.io/2023/10/12/linkerd-cve-2023-44487", + "https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/", + "https://linux.oracle.com/cve/CVE-2023-44487.html", + "https://linux.oracle.com/errata/ELSA-2024-1444.html", + "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html", + "https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html", + "https://lists.debian.org/debian-lts-announce/2023/11/msg00012.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/", + "https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html", + "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html", + "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html", + "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2", + "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487", + "https://my.f5.com/manage/s/article/K000137106", + "https://netty.io/news/2023/10/10/4-1-100-Final.html", + "https://news.ycombinator.com/item?id=37830987", + "https://news.ycombinator.com/item?id=37830998", + "https://news.ycombinator.com/item?id=37831062", + "https://news.ycombinator.com/item?id=37837043", + "https://nodejs.org/en/blog/vulnerability/october-2023-security-releases", + "https://nvd.nist.gov/vuln/detail/CVE-2023-44487", + "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response", + "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/", + "https://pkg.go.dev/vuln/GO-2023-2102", + "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected", + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http2-reset-d8Kf32vZ", + "https://security.gentoo.org/glsa/202311-09", + "https://security.netapp.com/advisory/ntap-20231016-0001", + "https://security.netapp.com/advisory/ntap-20231016-0001/", + "https://security.netapp.com/advisory/ntap-20240426-0007", + "https://security.netapp.com/advisory/ntap-20240426-0007/", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://security.netapp.com/advisory/ntap-20240621-0007", + "https://security.netapp.com/advisory/ntap-20240621-0007/", + "https://security.paloaltonetworks.com/CVE-2023-44487", + "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14", + "https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.0-M12", + "https://tomcat.apache.org/security-8.html", + "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.94", + "https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.81", + "https://ubuntu.com/security/CVE-2023-44487", + "https://ubuntu.com/security/notices/USN-6427-1", + "https://ubuntu.com/security/notices/USN-6427-2", + "https://ubuntu.com/security/notices/USN-6438-1", + "https://ubuntu.com/security/notices/USN-6505-1", + "https://ubuntu.com/security/notices/USN-6574-1", + "https://ubuntu.com/security/notices/USN-6754-1", + "https://ubuntu.com/security/notices/USN-6994-1", + "https://ubuntu.com/security/notices/USN-7067-1", + "https://ubuntu.com/security/notices/USN-7410-1", + "https://ubuntu.com/security/notices/USN-7469-1", + "https://ubuntu.com/security/notices/USN-7469-2", + "https://ubuntu.com/security/notices/USN-7469-3", + "https://ubuntu.com/security/notices/USN-7469-4", + "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records", + "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/", + "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", + "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487", + "https://www.cve.org/CVERecord?id=CVE-2023-44487", + "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event", + "https://www.debian.org/security/2023/dsa-5521", + "https://www.debian.org/security/2023/dsa-5522", + "https://www.debian.org/security/2023/dsa-5540", + "https://www.debian.org/security/2023/dsa-5549", + "https://www.debian.org/security/2023/dsa-5558", + "https://www.debian.org/security/2023/dsa-5570", + "https://www.eclipse.org/lists/jetty-announce/msg00181.html", + "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487", + "https://www.mail-archive.com/haproxy@formilux.org/msg44134.html", + "https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487", + "https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/", + "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products", + "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/", + "https://www.openwall.com/lists/oss-security/2023/10/10/6", + "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack", + "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday", + "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/", + "https://www.vicarius.io/vsociety/posts/rapid-reset-cve-2023-44487-dos-in-http2-understanding-the-root-cause" + ], + "PublishedDate": "2023-10-10T14:15:10.883Z", + "LastModifiedDate": "2025-06-11T17:29:54.137Z" + }, + { + "VulnerabilityID": "CVE-2024-24786", + "PkgID": "google.golang.org/protobuf@v1.28.1", + "PkgName": "google.golang.org/protobuf", + "PkgIdentifier": { + "PURL": "pkg:golang/google.golang.org/protobuf@v1.28.1", + "UID": "6605f1b6521e8cfc" + }, + "InstalledVersion": "v1.28.1", + "FixedVersion": "1.33.0", + "Status": "fixed", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-24786", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON", + "Description": "The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.", + "Severity": "MEDIUM", + "VendorSeverity": { + "alma": 2, + "amazon": 2, + "azure": 3, + "cbl-mariner": 3, + "ghsa": 2, + "oracle-oval": 2, + "redhat": 2, + "rocky": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2024/03/08/4", + "https://access.redhat.com/errata/RHSA-2024:2550", + "https://access.redhat.com/security/cve/CVE-2024-24786", + "https://bugzilla.redhat.com/2268046", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24786", + "https://errata.almalinux.org/9/ALSA-2024-2550.html", + "https://errata.rockylinux.org/RLSA-2024:2550", + "https://github.com/protocolbuffers/protobuf-go", + "https://github.com/protocolbuffers/protobuf-go/commit/f01a588e5810b90996452eec4a28f22a0afae023", + "https://github.com/protocolbuffers/protobuf-go/releases/tag/v1.33.0", + "https://go-review.googlesource.com/c/protobuf/+/569356", + "https://go.dev/cl/569356", + "https://groups.google.com/g/golang-announce/c/ArQ6CDgtEjY/", + "https://linux.oracle.com/cve/CVE-2024-24786.html", + "https://linux.oracle.com/errata/ELSA-2024-4246.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU/", + "https://nvd.nist.gov/vuln/detail/CVE-2024-24786", + "https://pkg.go.dev/vuln/GO-2024-2611", + "https://security.netapp.com/advisory/ntap-20240517-0002", + "https://security.netapp.com/advisory/ntap-20240517-0002/", + "https://ubuntu.com/security/notices/USN-6746-1", + "https://ubuntu.com/security/notices/USN-6746-2", + "https://www.cve.org/CVERecord?id=CVE-2024-24786" + ], + "PublishedDate": "2024-03-05T23:15:07.82Z", + "LastModifiedDate": "2024-11-21T08:59:42.117Z" + } + ] + }, + { + "Target": "examples/go.mod", + "Class": "lang-pkgs", + "Type": "gomod", + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2024-45337", + "PkgID": "golang.org/x/crypto@v0.0.0-20220112180741-5e0467b6c7ce", + "PkgName": "golang.org/x/crypto", + "PkgIdentifier": { + "PURL": "pkg:golang/golang.org/x/crypto@v0.0.0-20220112180741-5e0467b6c7ce", + "UID": "98c3cb1492510fa5" + }, + "InstalledVersion": "v0.0.0-20220112180741-5e0467b6c7ce", + "FixedVersion": "0.31.0", + "Status": "fixed", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-45337", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto", + "Description": "Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that \"A call to this function does not guarantee that the key offered is in fact used to authenticate.\" Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.", + "Severity": "CRITICAL", + "VendorSeverity": { + "amazon": 3, + "azure": 4, + "cbl-mariner": 4, + "ghsa": 4, + "redhat": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", + "V3Score": 9.1 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N", + "V3Score": 8.2 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2024/12/11/2", + "https://access.redhat.com/security/cve/CVE-2024-45337", + "https://github.com/golang/crypto", + "https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909", + "https://go.dev/cl/635315", + "https://go.dev/issue/70779", + "https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ", + "https://nvd.nist.gov/vuln/detail/CVE-2024-45337", + "https://pkg.go.dev/vuln/GO-2024-3321", + "https://security.netapp.com/advisory/ntap-20250131-0007", + "https://security.netapp.com/advisory/ntap-20250131-0007/", + "https://www.cve.org/CVERecord?id=CVE-2024-45337" + ], + "PublishedDate": "2024-12-12T02:02:07.97Z", + "LastModifiedDate": "2025-02-18T21:15:22.187Z" + }, + { + "VulnerabilityID": "CVE-2022-27191", + "PkgID": "golang.org/x/crypto@v0.0.0-20220112180741-5e0467b6c7ce", + "PkgName": "golang.org/x/crypto", + "PkgIdentifier": { + "PURL": "pkg:golang/golang.org/x/crypto@v0.0.0-20220112180741-5e0467b6c7ce", + "UID": "98c3cb1492510fa5" + }, + "InstalledVersion": "v0.0.0-20220112180741-5e0467b6c7ce", + "FixedVersion": "0.0.0-20220314234659-1baeb1ce4c0b", + "Status": "fixed", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-27191", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "golang: crash in a golang.org/x/crypto/ssh server", + "Description": "The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.", + "Severity": "HIGH", + "VendorSeverity": { + "alma": 2, + "amazon": 3, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 4.3, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2022:8008", + "https://access.redhat.com/security/cve/CVE-2022-27191", + "https://bugzilla.redhat.com/1939485", + "https://bugzilla.redhat.com/1989564", + "https://bugzilla.redhat.com/1989570", + "https://bugzilla.redhat.com/1989575", + "https://bugzilla.redhat.com/2064702", + "https://bugzilla.redhat.com/2121445", + "https://bugzilla.redhat.com/2121453", + "https://cs.opensource.google/go/x/crypto", + "https://errata.almalinux.org/9/ALSA-2022-8008.html", + "https://go.dev/cl/392355", + "https://go.googlesource.com/crypto/+/1baeb1ce4c0b006eff0f294c47cb7617598dfb3d", + "https://groups.google.com/g/golang-announce", + "https://groups.google.com/g/golang-announce/c/-cp44ypCT5s", + "https://groups.google.com/g/golang-announce/c/-cp44ypCT5s/m/wmegxkLiAQAJ", + "https://linux.oracle.com/cve/CVE-2022-27191.html", + "https://linux.oracle.com/errata/ELSA-2022-8008.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DLUJZV3HBP56ADXU6QH2V7RNYUPMVBXQ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EZ3S7LB65N54HXXBCB67P4TTOHTNPP5O/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HHGBEGJ54DZZGTXFUQNS7ZIG3E624YAF/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J5WPM42UR6XIBQNQPNQHM32X7S4LJTRX/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QTFOIDHQRGNI4P6LYN6ILH5G443RYYKB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YHYRQB7TRMHDB3NEHW5XBRG7PPMUTPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z55VUVGO7E5PJFXIOVAY373NZRHBNCI5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZFUNHFHQVJSADNH7EZ3B53CYDZVEEPBP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQNPPQWSTP2IX7SHE6TS4SP4EVMI5EZK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DLUJZV3HBP56ADXU6QH2V7RNYUPMVBXQ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZ3S7LB65N54HXXBCB67P4TTOHTNPP5O", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HHGBEGJ54DZZGTXFUQNS7ZIG3E624YAF", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J5WPM42UR6XIBQNQPNQHM32X7S4LJTRX", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QTFOIDHQRGNI4P6LYN6ILH5G443RYYKB", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YHYRQB7TRMHDB3NEHW5XBRG7PPMUTPGV", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z55VUVGO7E5PJFXIOVAY373NZRHBNCI5", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFUNHFHQVJSADNH7EZ3B53CYDZVEEPBP", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQNPPQWSTP2IX7SHE6TS4SP4EVMI5EZK", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR", + "https://nvd.nist.gov/vuln/detail/CVE-2022-27191", + "https://pkg.go.dev/vuln/GO-2021-0356", + "https://raw.githubusercontent.com/golang/vulndb/df2d3d326300e2ae768f00351ffa96cc2c56cf54/reports/GO-2021-0356.yaml", + "https://security.netapp.com/advisory/ntap-20220429-0002", + "https://security.netapp.com/advisory/ntap-20220429-0002/", + "https://www.cve.org/CVERecord?id=CVE-2022-27191" + ], + "PublishedDate": "2022-03-18T07:15:06.75Z", + "LastModifiedDate": "2024-11-21T06:55:22.62Z" + }, + { + "VulnerabilityID": "CVE-2025-22869", + "PkgID": "golang.org/x/crypto@v0.0.0-20220112180741-5e0467b6c7ce", + "PkgName": "golang.org/x/crypto", + "PkgIdentifier": { + "PURL": "pkg:golang/golang.org/x/crypto@v0.0.0-20220112180741-5e0467b6c7ce", + "UID": "98c3cb1492510fa5" + }, + "InstalledVersion": "v0.0.0-20220112180741-5e0467b6c7ce", + "FixedVersion": "0.35.0", + "Status": "fixed", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-22869", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh", + "Description": "SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-770" + ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "azure": 3, + "cbl-mariner": 3, + "ghsa": 3, + "oracle-oval": 3, + "redhat": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2025:3833", + "https://access.redhat.com/security/cve/CVE-2025-22869", + "https://bugzilla.redhat.com/2348367", + "https://errata.almalinux.org/9/ALSA-2025-3833.html", + "https://github.com/golang/crypto", + "https://github.com/golang/crypto/commit/7292932d45d55c7199324ab0027cc86e8198aa22", + "https://go-review.googlesource.com/c/crypto/+/652135", + "https://go.dev/cl/652135", + "https://go.dev/issue/71931", + "https://linux.oracle.com/cve/CVE-2025-22869.html", + "https://linux.oracle.com/errata/ELSA-2025-7484.html", + "https://nvd.nist.gov/vuln/detail/CVE-2025-22869", + "https://pkg.go.dev/vuln/GO-2025-3487", + "https://security.netapp.com/advisory/ntap-20250411-0010", + "https://security.netapp.com/advisory/ntap-20250411-0010/", + "https://www.cve.org/CVERecord?id=CVE-2025-22869" + ], + "PublishedDate": "2025-02-26T08:14:24.997Z", + "LastModifiedDate": "2025-05-01T19:28:20.74Z" + }, + { + "VulnerabilityID": "CVE-2023-48795", + "PkgID": "golang.org/x/crypto@v0.0.0-20220112180741-5e0467b6c7ce", + "PkgName": "golang.org/x/crypto", + "PkgIdentifier": { + "PURL": "pkg:golang/golang.org/x/crypto@v0.0.0-20220112180741-5e0467b6c7ce", + "UID": "98c3cb1492510fa5" + }, + "InstalledVersion": "v0.0.0-20220112180741-5e0467b6c7ce", + "FixedVersion": "0.17.0, 0.0.0-20231218163308-9d2ee975ef9f", + "Status": "fixed", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-48795", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "ssh: Prefix truncation attack on Binary Packet Protocol (BPP)", + "Description": "The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-354" + ], + "VendorSeverity": { + "alma": 2, + "amazon": 2, + "azure": 2, + "cbl-mariner": 2, + "ghsa": 2, + "nvd": 2, + "oracle-oval": 2, + "photon": 2, + "redhat": 2, + "rocky": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 5.9 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 5.9 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 5.9 + } + }, + "References": [ + "http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html", + "http://seclists.org/fulldisclosure/2024/Mar/21", + "http://www.openwall.com/lists/oss-security/2023/12/18/3", + "http://www.openwall.com/lists/oss-security/2023/12/19/5", + "http://www.openwall.com/lists/oss-security/2023/12/20/3", + "http://www.openwall.com/lists/oss-security/2024/03/06/3", + "http://www.openwall.com/lists/oss-security/2024/04/17/8", + "https://access.redhat.com/errata/RHSA-2024:1150", + "https://access.redhat.com/security/cve/CVE-2023-48795", + "https://access.redhat.com/security/cve/cve-2023-48795", + "https://access.redhat.com/solutions/7071748", + "https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack", + "https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/", + "https://bugs.gentoo.org/920280", + "https://bugzilla.redhat.com/2254210", + "https://bugzilla.redhat.com/show_bug.cgi?id=2254210", + "https://bugzilla.suse.com/show_bug.cgi?id=1217950", + "https://crates.io/crates/thrussh/versions", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795", + "https://errata.almalinux.org/9/ALSA-2024-1150.html", + "https://errata.rockylinux.org/RLSA-2024:0628", + "https://filezilla-project.org/versions.php", + "https://forum.netgate.com/topic/184941/terrapin-ssh-attack", + "https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10\u0026id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6", + "https://github.com/NixOS/nixpkgs/pull/275249", + "https://github.com/PowerShell/Win32-OpenSSH/issues/2189", + "https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta", + "https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0", + "https://github.com/TeraTermProject/teraterm/releases/tag/v5.1", + "https://github.com/advisories/GHSA-45x7-px36-x8w8", + "https://github.com/apache/mina-sshd/issues/445", + "https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab", + "https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22", + "https://github.com/cyd01/KiTTY/issues/520", + "https://github.com/drakkan/sftpgo/releases/tag/v2.5.6", + "https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42", + "https://github.com/erlang/otp/releases/tag/OTP-26.2.1", + "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d", + "https://github.com/hierynomus/sshj/issues/916", + "https://github.com/janmojzis/tinyssh/issues/81", + "https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5", + "https://github.com/libssh2/libssh2/pull/1291", + "https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25", + "https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3", + "https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15", + "https://github.com/mwiede/jsch/issues/457", + "https://github.com/mwiede/jsch/pull/461", + "https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt#L14-L16", + "https://github.com/openssh/openssh-portable/commits/master", + "https://github.com/paramiko/paramiko/issues/2337", + "https://github.com/paramiko/paramiko/issues/2337#issuecomment-1887642773", + "https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES", + "https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES", + "https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES", + "https://github.com/proftpd/proftpd/issues/456", + "https://github.com/rapier1/hpn-ssh/releases", + "https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst", + "https://github.com/ronf/asyncssh/security/advisories/GHSA-hfmc-7525-mj55", + "https://github.com/ronf/asyncssh/tags", + "https://github.com/ssh-mitm/ssh-mitm/issues/165", + "https://github.com/warp-tech/russh", + "https://github.com/warp-tech/russh/commit/1aa340a7df1d5be1c0f4a9e247aade76dfdd2951", + "https://github.com/warp-tech/russh/releases/tag/v0.40.2", + "https://github.com/warp-tech/russh/security/advisories/GHSA-45x7-px36-x8w8", + "https://gitlab.com/libssh/libssh-mirror/-/tags", + "https://go.dev/cl/550715", + "https://go.dev/issue/64784", + "https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ", + "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg", + "https://help.panic.com/releasenotes/transmit5", + "https://help.panic.com/releasenotes/transmit5/", + "https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795", + "https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/", + "https://linux.oracle.com/cve/CVE-2023-48795.html", + "https://linux.oracle.com/errata/ELSA-2024-2988.html", + "https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/01/msg00013.html", + "https://lists.debian.org/debian-lts-announce/2024/01/msg00014.html", + "https://lists.debian.org/debian-lts-announce/2024/04/msg00016.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33XHJUB6ROFUOH2OQNENFROTVH6MHSHA", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33XHJUB6ROFUOH2OQNENFROTVH6MHSHA/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CAYYW35MUTNO65RVAELICTNZZFMT2XS", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CAYYW35MUTNO65RVAELICTNZZFMT2XS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3JIMLVBDWOP4FUPXPTB4PGHHIOMGFLQE", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3JIMLVBDWOP4FUPXPTB4PGHHIOMGFLQE/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YQLUQWLIHDB5QCXQEX7HXHAWMOKPP5O", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YQLUQWLIHDB5QCXQEX7HXHAWMOKPP5O/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6Y74KVCPEPT4MVU3LHDWCNNOXOE5ZLUR", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6Y74KVCPEPT4MVU3LHDWCNNOXOE5ZLUR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APYIXIQOVDCRWLHTGB4VYMAUIAQLKYJ3", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APYIXIQOVDCRWLHTGB4VYMAUIAQLKYJ3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BL5KTLOSLH2KHRN4HCXJPK3JUVLDGEL6", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BL5KTLOSLH2KHRN4HCXJPK3JUVLDGEL6/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C3AFMZ6MH2UHHOPIWT5YLSFV3D2VB3AC", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C3AFMZ6MH2UHHOPIWT5YLSFV3D2VB3AC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7EYCFQCTSGJXWO3ZZ44MGKFC5HA7G3Y", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7EYCFQCTSGJXWO3ZZ44MGKFC5HA7G3Y/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HYEDEXIKFKTUJIN43RG4B7T5ZS6MHUSP", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HYEDEXIKFKTUJIN43RG4B7T5ZS6MHUSP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I724O3LSRCPO4WNVIXTZCT4VVRMXMMSG", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I724O3LSRCPO4WNVIXTZCT4VVRMXMMSG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KMZCVGUGJZZVDPCVDA7TEB22VUCNEXDD", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KMZCVGUGJZZVDPCVDA7TEB22VUCNEXDD/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L5Y6MNNVAPIJSXJERQ6PKZVCIUXSNJK7", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L5Y6MNNVAPIJSXJERQ6PKZVCIUXSNJK7/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QI3EHAHABFQK7OABNCSF5GMYP6TONTI7", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QI3EHAHABFQK7OABNCSF5GMYP6TONTI7/", + "https://matt.ucc.asn.au/dropbear/CHANGES", + "https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC", + "https://news.ycombinator.com/item?id=38684904", + "https://news.ycombinator.com/item?id=38685286", + "https://news.ycombinator.com/item?id=38732005", + "https://nova.app/releases/#v11.8", + "https://nvd.nist.gov/vuln/detail/CVE-2023-48795", + "https://oryx-embedded.com/download/#changelog", + "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0002", + "https://roumenpetrov.info/secsh/#news20231220", + "https://security-tracker.debian.org/tracker/CVE-2023-48795", + "https://security-tracker.debian.org/tracker/source-package/libssh2", + "https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg", + "https://security-tracker.debian.org/tracker/source-package/trilead-ssh2", + "https://security.gentoo.org/glsa/202312-16", + "https://security.gentoo.org/glsa/202312-17", + "https://security.netapp.com/advisory/ntap-20240105-0004", + "https://security.netapp.com/advisory/ntap-20240105-0004/", + "https://support.apple.com/kb/HT214084", + "https://terrapin-attack.com/", + "https://thorntech.com/cve-2023-48795-and-sftp-gateway", + "https://thorntech.com/cve-2023-48795-and-sftp-gateway/", + "https://twitter.com/TrueSkrillor/status/1736774389725565005", + "https://ubuntu.com/security/CVE-2023-48795", + "https://ubuntu.com/security/notices/USN-6560-1", + "https://ubuntu.com/security/notices/USN-6560-2", + "https://ubuntu.com/security/notices/USN-6561-1", + "https://ubuntu.com/security/notices/USN-6585-1", + "https://ubuntu.com/security/notices/USN-6589-1", + "https://ubuntu.com/security/notices/USN-6598-1", + "https://ubuntu.com/security/notices/USN-6738-1", + "https://ubuntu.com/security/notices/USN-7051-1", + "https://ubuntu.com/security/notices/USN-7292-1", + "https://ubuntu.com/security/notices/USN-7297-1", + "https://winscp.net/eng/docs/history#6.2.2", + "https://www.bitvise.com/ssh-client-version-history#933", + "https://www.bitvise.com/ssh-server-version-history", + "https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html", + "https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update", + "https://www.cve.org/CVERecord?id=CVE-2023-48795", + "https://www.debian.org/security/2023/dsa-5586", + "https://www.debian.org/security/2023/dsa-5588", + "https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc", + "https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise#c243508", + "https://www.netsarang.com/en/xshell-update-history", + "https://www.netsarang.com/en/xshell-update-history/", + "https://www.openssh.com/openbsd.html", + "https://www.openssh.com/txt/release-9.6", + "https://www.openwall.com/lists/oss-security/2023/12/18/2", + "https://www.openwall.com/lists/oss-security/2023/12/18/3", + "https://www.openwall.com/lists/oss-security/2023/12/20/3", + "https://www.paramiko.org/changelog.html", + "https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed", + "https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/", + "https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795", + "https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/", + "https://www.terrapin-attack.com", + "https://www.theregister.com/2023/12/20/terrapin_attack_ssh", + "https://www.vandyke.com/products/securecrt/history.txt", + "https://www.vicarius.io/vsociety/posts/cve-2023-48795-detect-openssh-vulnerabilit", + "https://www.vicarius.io/vsociety/posts/cve-2023-48795-mitigate-openssh-vulnerability" + ], + "PublishedDate": "2023-12-18T16:15:10.897Z", + "LastModifiedDate": "2025-05-23T02:24:58.787Z" + }, + { + "VulnerabilityID": "CVE-2023-39325", + "PkgID": "golang.org/x/net@v0.7.0", + "PkgName": "golang.org/x/net", + "PkgIdentifier": { + "PURL": "pkg:golang/golang.org/x/net@v0.7.0", + "UID": "a23937acc82a7ed5" + }, + "InstalledVersion": "v0.7.0", + "FixedVersion": "0.17.0", + "Status": "fixed", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-39325", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)", + "Description": "A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-770" + ], + "VendorSeverity": { + "alma": 2, + "amazon": 3, + "azure": 3, + "bitnami": 3, + "cbl-mariner": 3, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 2, + "redhat": 3, + "rocky": 2, + "ubuntu": 2 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "golang.org/x/net", + "https://access.redhat.com/errata/RHSA-2023:6077", + "https://access.redhat.com/security/cve/CVE-2023-39325", + "https://access.redhat.com/security/cve/CVE-2023-44487", + "https://bugzilla.redhat.com/2242803", + "https://bugzilla.redhat.com/2243296", + "https://bugzilla.redhat.com/show_bug.cgi?id=2242803", + "https://bugzilla.redhat.com/show_bug.cgi?id=2243296", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39325", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487", + "https://errata.almalinux.org/9/ALSA-2023-6077.html", + "https://errata.rockylinux.org/RLSA-2023:6077", + "https://github.com/golang/go/commit/24ae2d927285c697440fdde3ad7f26028354bcf3 [golang- 1.21]", + "https://github.com/golang/go/commit/e175f27f58aa7b9cd4d79607ae65d2cd5baaee68 [golang-1.20]", + "https://github.com/golang/go/issues/63417", + "https://go.dev/cl/534215", + "https://go.dev/cl/534235", + "https://go.dev/issue/63417", + "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ", + "https://linux.oracle.com/cve/CVE-2023-39325.html", + "https://linux.oracle.com/errata/ELSA-2023-5867.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3OVW5V2DM5K5IC3H7O42YDUGNJ74J35O", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3OVW5V2DM5K5IC3H7O42YDUGNJ74J35O/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3SZN67IL7HMGMNAVLOTIXLIHUDXZK4LH", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3SZN67IL7HMGMNAVLOTIXLIHUDXZK4LH/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3WJ4QVX2AMUJ2F2S27POOAHRC4K3CHU4", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3WJ4QVX2AMUJ2F2S27POOAHRC4K3CHU4/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5RSKA2II6QTD4YUKUNDVJQSRYSFC4VFR", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5RSKA2II6QTD4YUKUNDVJQSRYSFC4VFR/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVZDNSMVDAQJ64LJC5I5U5LDM5753647", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVZDNSMVDAQJ64LJC5I5U5LDM5753647/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2BBIDR2ZMB3X5BC7SR4SLQMHRMVPY6L", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2BBIDR2ZMB3X5BC7SR4SLQMHRMVPY6L/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ECRC75BQJP6FJN2L7KCKYZW4DSBD7QSD", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ECRC75BQJP6FJN2L7KCKYZW4DSBD7QSD/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FTMJ3NJIDAZFWJQQSP3L22MUFJ3UP2PT", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FTMJ3NJIDAZFWJQQSP3L22MUFJ3UP2PT/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GSY7SXFFTPZFWDM6XELSDSHZLVW3AHK7", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GSY7SXFFTPZFWDM6XELSDSHZLVW3AHK7/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HZQIELEIRSZUYTFFH5KTH2YJ4IIQG2KE", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HZQIELEIRSZUYTFFH5KTH2YJ4IIQG2KE/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPWCNYB5PQ5PCVZ4NJT6G56ZYFZ5QBU6", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPWCNYB5PQ5PCVZ4NJT6G56ZYFZ5QBU6/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L5E5JSJBZLYXOTZWXHJKRVCIXIHVWKJ6", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L5E5JSJBZLYXOTZWXHJKRVCIXIHVWKJ6/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MZQYOOKHQDQ57LV2IAG6NRFOVXKHJJ3Z", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MZQYOOKHQDQ57LV2IAG6NRFOVXKHJJ3Z/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NG7IMPL55MVWU3LCI4JQJT3K2U5CHDV7", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NG7IMPL55MVWU3LCI4JQJT3K2U5CHDV7/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ODBY7RVMGZCBSTWF2OZGIZS57FNFUL67", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ODBY7RVMGZCBSTWF2OZGIZS57FNFUL67/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OXGWPQOJ3JNDW2XIYKIVJ7N7QUIFNM2Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OXGWPQOJ3JNDW2XIYKIVJ7N7QUIFNM2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PJCUNGIQDUMZ4Z6HWVYIMR66A35F5S74", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PJCUNGIQDUMZ4Z6HWVYIMR66A35F5S74/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QF5QSYAOPDOWLY6DUHID56Q4HQFYB45I", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QF5QSYAOPDOWLY6DUHID56Q4HQFYB45I/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QXOU2JZUBEBP7GBKAYIJRPRBZSJCD7ST", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QXOU2JZUBEBP7GBKAYIJRPRBZSJCD7ST/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R3UETKPUB3V5JS5TLZOF3SMTGT5K5APS", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R3UETKPUB3V5JS5TLZOF3SMTGT5K5APS/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ULQQONMSCQSH5Z5OWFFQHCGEZ3NL4DRJ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ULQQONMSCQSH5Z5OWFFQHCGEZ3NL4DRJ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UTT7DG3QOF5ZNJLUGHDNLRUIN6OWZARP", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UTT7DG3QOF5ZNJLUGHDNLRUIN6OWZARP/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W2LZSWTV4NV4SNQARNXG5T6LRHP26EW2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W2LZSWTV4NV4SNQARNXG5T6LRHP26EW2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WCNCBYKZXLDFGAJUB7ZP5VLC3YTHJNVH", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WCNCBYKZXLDFGAJUB7ZP5VLC3YTHJNVH/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XTNLSL44Y5FB6JWADSZH6DCV4JJAAEQY", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XTNLSL44Y5FB6JWADSZH6DCV4JJAAEQY/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YJWHBLVZDM5KQSDFRBFRKU5KSSOLIRQ4", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YJWHBLVZDM5KQSDFRBFRKU5KSSOLIRQ4/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YRKEXKANQ7BKJW2YTAMP625LJUJZLJ4P", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YRKEXKANQ7BKJW2YTAMP625LJUJZLJ4P/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZSVEMQV5ROY5YW5QE3I57HT3ITWG5GCV", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZSVEMQV5ROY5YW5QE3I57HT3ITWG5GCV/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-39325", + "https://pkg.go.dev/vuln/GO-2023-2102", + "https://security.gentoo.org/glsa/202311-09", + "https://security.netapp.com/advisory/ntap-20231110-0008", + "https://security.netapp.com/advisory/ntap-20231110-0008/", + "https://ubuntu.com/security/notices/USN-6574-1", + "https://ubuntu.com/security/notices/USN-7061-1", + "https://ubuntu.com/security/notices/USN-7109-1", + "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487", + "https://www.cve.org/CVERecord?id=CVE-2023-39325" + ], + "PublishedDate": "2023-10-11T22:15:09.88Z", + "LastModifiedDate": "2024-11-21T08:15:09.627Z" + }, + { + "VulnerabilityID": "CVE-2023-3978", + "PkgID": "golang.org/x/net@v0.7.0", + "PkgName": "golang.org/x/net", + "PkgIdentifier": { + "PURL": "pkg:golang/golang.org/x/net@v0.7.0", + "UID": "a23937acc82a7ed5" + }, + "InstalledVersion": "v0.7.0", + "FixedVersion": "0.13.0", + "Status": "fixed", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-3978", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "golang.org/x/net/html: Cross site scripting", + "Description": "Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-79" + ], + "VendorSeverity": { + "alma": 2, + "amazon": 2, + "azure": 2, + "cbl-mariner": 2, + "ghsa": 2, + "nvd": 2, + "oracle-oval": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:6474", + "https://access.redhat.com/security/cve/CVE-2023-3978", + "https://bugzilla.redhat.com/2174485", + "https://bugzilla.redhat.com/2178358", + "https://bugzilla.redhat.com/2178488", + "https://bugzilla.redhat.com/2178492", + "https://bugzilla.redhat.com/2184481", + "https://bugzilla.redhat.com/2184482", + "https://bugzilla.redhat.com/2184483", + "https://bugzilla.redhat.com/2184484", + "https://bugzilla.redhat.com/2196026", + "https://bugzilla.redhat.com/2196027", + "https://bugzilla.redhat.com/2196029", + "https://bugzilla.redhat.com/2222167", + "https://bugzilla.redhat.com/2228689", + "https://errata.almalinux.org/9/ALSA-2023-6474.html", + "https://go.dev/cl/514896", + "https://go.dev/issue/61615", + "https://linux.oracle.com/cve/CVE-2023-3978.html", + "https://linux.oracle.com/errata/ELSA-2023-6939.html", + "https://nvd.nist.gov/vuln/detail/CVE-2023-3978", + "https://pkg.go.dev/vuln/GO-2023-1988", + "https://www.cve.org/CVERecord?id=CVE-2023-3978" + ], + "PublishedDate": "2023-08-02T20:15:12.097Z", + "LastModifiedDate": "2024-11-21T08:18:27.68Z" + }, + { + "VulnerabilityID": "CVE-2023-44487", + "PkgID": "golang.org/x/net@v0.7.0", + "PkgName": "golang.org/x/net", + "PkgIdentifier": { + "PURL": "pkg:golang/golang.org/x/net@v0.7.0", + "UID": "a23937acc82a7ed5" + }, + "InstalledVersion": "v0.7.0", + "FixedVersion": "0.17.0", + "Status": "fixed", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-44487", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)", + "Description": "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-400" + ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "azure": 3, + "bitnami": 3, + "cbl-mariner": 3, + "ghsa": 2, + "nvd": 3, + "oracle-oval": 3, + "photon": 3, + "redhat": 3, + "rocky": 3, + "ubuntu": 3 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2023/10/10/6", + "http://www.openwall.com/lists/oss-security/2023/10/10/7", + "http://www.openwall.com/lists/oss-security/2023/10/13/4", + "http://www.openwall.com/lists/oss-security/2023/10/13/9", + "http://www.openwall.com/lists/oss-security/2023/10/18/4", + "http://www.openwall.com/lists/oss-security/2023/10/18/8", + "http://www.openwall.com/lists/oss-security/2023/10/19/6", + "http://www.openwall.com/lists/oss-security/2023/10/20/8", + "https://access.redhat.com/errata/RHSA-2023:6746", + "https://access.redhat.com/security/cve/CVE-2023-44487", + "https://access.redhat.com/security/cve/cve-2023-44487", + "https://akka.io/security/akka-http-cve-2023-44487.html", + "https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size", + "https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/", + "https://aws.amazon.com/security/security-bulletins/AWS-2023-011", + "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/", + "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack", + "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/", + "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack", + "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/", + "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty", + "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/", + "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack", + "https://blog.vespa.ai/cve-2023-44487", + "https://blog.vespa.ai/cve-2023-44487/", + "https://bugzilla.proxmox.com/show_bug.cgi?id=4988", + "https://bugzilla.redhat.com/2242803", + "https://bugzilla.redhat.com/show_bug.cgi?id=2242803", + "https://bugzilla.suse.com/show_bug.cgi?id=1216123", + "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9", + "https://chaos.social/@icing/111210915918780532", + "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps", + "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/", + "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack", + "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487", + "https://devblogs.microsoft.com/dotnet/october-2023-updates/", + "https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715", + "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve", + "https://errata.almalinux.org/9/ALSA-2023-6746.html", + "https://errata.rockylinux.org/RLSA-2023:5838", + "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764", + "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088", + "https://github.com/Azure/AKS/issues/3947", + "https://github.com/Kong/kong/discussions/11741", + "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", + "https://github.com/advisories/GHSA-vx74-f528-fxqg", + "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p", + "https://github.com/akka/akka-http/issues/4323", + "https://github.com/akka/akka-http/pull/4324", + "https://github.com/akka/akka-http/pull/4325", + "https://github.com/alibaba/tengine/issues/1872", + "https://github.com/apache/apisix/issues/10320", + "https://github.com/apache/httpd-site/pull/10", + "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113", + "https://github.com/apache/tomcat/commit/944332bb15bd2f3bf76ec2caeb1ff0a58a3bc628", + "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2", + "https://github.com/apache/trafficserver/pull/10564", + "https://github.com/apple/swift-nio-http2", + "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-qppj-fm5r-hxr3", + "https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487", + "https://github.com/bcdannyboy/CVE-2023-44487", + "https://github.com/caddyserver/caddy/issues/5877", + "https://github.com/caddyserver/caddy/releases/tag/v2.7.5", + "https://github.com/dotnet/announcements/issues/277", + "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73", + "https://github.com/eclipse/jetty.project/issues/10679", + "https://github.com/envoyproxy/envoy/pull/30055", + "https://github.com/etcd-io/etcd/issues/16740", + "https://github.com/facebook/proxygen/pull/466", + "https://github.com/golang/go/issues/63417", + "https://github.com/grpc/grpc-go/pull/6703", + "https://github.com/grpc/grpc-go/releases", + "https://github.com/grpc/grpc/releases/tag/v1.59.2", + "https://github.com/h2o/h2o/pull/3291", + "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf", + "https://github.com/haproxy/haproxy/issues/2312", + "https://github.com/hyperium/hyper/issues/3337", + "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244", + "https://github.com/junkurihara/rust-rpxy/issues/97", + "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1", + "https://github.com/kazu-yamamoto/http2/issues/93", + "https://github.com/kubernetes/kubernetes/pull/121120", + "https://github.com/line/armeria/pull/5232", + "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632", + "https://github.com/micrictor/http2-rst-stream", + "https://github.com/microsoft/CBL-Mariner/pull/6381", + "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61", + "https://github.com/nghttp2/nghttp2/pull/1961", + "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0", + "https://github.com/ninenines/cowboy/issues/1615", + "https://github.com/nodejs/node/pull/50121", + "https://github.com/openresty/openresty/issues/930", + "https://github.com/opensearch-project/data-prepper/issues/3474", + "https://github.com/oqtane/oqtane.framework/discussions/3367", + "https://github.com/projectcontour/contour/pull/5826", + "https://github.com/tempesta-tech/tempesta/issues/1986", + "https://github.com/varnishcache/varnish-cache/issues/3996", + "https://go.dev/cl/534215", + "https://go.dev/cl/534235", + "https://go.dev/issue/63417", + "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo", + "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ", + "https://istio.io/latest/news/security/istio-security-2023-004", + "https://istio.io/latest/news/security/istio-security-2023-004/", + "https://linkerd.io/2023/10/12/linkerd-cve-2023-44487", + "https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/", + "https://linux.oracle.com/cve/CVE-2023-44487.html", + "https://linux.oracle.com/errata/ELSA-2024-1444.html", + "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html", + "https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html", + "https://lists.debian.org/debian-lts-announce/2023/11/msg00012.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/", + "https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html", + "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html", + "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html", + "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2", + "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487", + "https://my.f5.com/manage/s/article/K000137106", + "https://netty.io/news/2023/10/10/4-1-100-Final.html", + "https://news.ycombinator.com/item?id=37830987", + "https://news.ycombinator.com/item?id=37830998", + "https://news.ycombinator.com/item?id=37831062", + "https://news.ycombinator.com/item?id=37837043", + "https://nodejs.org/en/blog/vulnerability/october-2023-security-releases", + "https://nvd.nist.gov/vuln/detail/CVE-2023-44487", + "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response", + "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/", + "https://pkg.go.dev/vuln/GO-2023-2102", + "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected", + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http2-reset-d8Kf32vZ", + "https://security.gentoo.org/glsa/202311-09", + "https://security.netapp.com/advisory/ntap-20231016-0001", + "https://security.netapp.com/advisory/ntap-20231016-0001/", + "https://security.netapp.com/advisory/ntap-20240426-0007", + "https://security.netapp.com/advisory/ntap-20240426-0007/", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://security.netapp.com/advisory/ntap-20240621-0007", + "https://security.netapp.com/advisory/ntap-20240621-0007/", + "https://security.paloaltonetworks.com/CVE-2023-44487", + "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14", + "https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.0-M12", + "https://tomcat.apache.org/security-8.html", + "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.94", + "https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.81", + "https://ubuntu.com/security/CVE-2023-44487", + "https://ubuntu.com/security/notices/USN-6427-1", + "https://ubuntu.com/security/notices/USN-6427-2", + "https://ubuntu.com/security/notices/USN-6438-1", + "https://ubuntu.com/security/notices/USN-6505-1", + "https://ubuntu.com/security/notices/USN-6574-1", + "https://ubuntu.com/security/notices/USN-6754-1", + "https://ubuntu.com/security/notices/USN-6994-1", + "https://ubuntu.com/security/notices/USN-7067-1", + "https://ubuntu.com/security/notices/USN-7410-1", + "https://ubuntu.com/security/notices/USN-7469-1", + "https://ubuntu.com/security/notices/USN-7469-2", + "https://ubuntu.com/security/notices/USN-7469-3", + "https://ubuntu.com/security/notices/USN-7469-4", + "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records", + "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/", + "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", + "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487", + "https://www.cve.org/CVERecord?id=CVE-2023-44487", + "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event", + "https://www.debian.org/security/2023/dsa-5521", + "https://www.debian.org/security/2023/dsa-5522", + "https://www.debian.org/security/2023/dsa-5540", + "https://www.debian.org/security/2023/dsa-5549", + "https://www.debian.org/security/2023/dsa-5558", + "https://www.debian.org/security/2023/dsa-5570", + "https://www.eclipse.org/lists/jetty-announce/msg00181.html", + "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487", + "https://www.mail-archive.com/haproxy@formilux.org/msg44134.html", + "https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487", + "https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/", + "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products", + "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/", + "https://www.openwall.com/lists/oss-security/2023/10/10/6", + "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack", + "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday", + "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/", + "https://www.vicarius.io/vsociety/posts/rapid-reset-cve-2023-44487-dos-in-http2-understanding-the-root-cause" + ], + "PublishedDate": "2023-10-10T14:15:10.883Z", + "LastModifiedDate": "2025-06-11T17:29:54.137Z" + }, + { + "VulnerabilityID": "CVE-2023-45288", + "PkgID": "golang.org/x/net@v0.7.0", + "PkgName": "golang.org/x/net", + "PkgIdentifier": { + "PURL": "pkg:golang/golang.org/x/net@v0.7.0", + "UID": "a23937acc82a7ed5" + }, + "InstalledVersion": "v0.7.0", + "FixedVersion": "0.23.0", + "Status": "fixed", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-45288", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS", + "Description": "An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.", + "Severity": "MEDIUM", + "VendorSeverity": { + "alma": 3, + "amazon": 2, + "azure": 3, + "bitnami": 3, + "cbl-mariner": 3, + "ghsa": 2, + "oracle-oval": 3, + "photon": 3, + "redhat": 3, + "rocky": 3, + "ubuntu": 2 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2024/04/03/16", + "http://www.openwall.com/lists/oss-security/2024/04/05/4", + "https://access.redhat.com/errata/RHSA-2024:2724", + "https://access.redhat.com/security/cve/CVE-2023-45288", + "https://bugzilla.redhat.com/2268017", + "https://bugzilla.redhat.com/2268018", + "https://bugzilla.redhat.com/2268019", + "https://bugzilla.redhat.com/2268273", + "https://bugzilla.redhat.com/show_bug.cgi?id=2268017", + "https://bugzilla.redhat.com/show_bug.cgi?id=2268018", + "https://bugzilla.redhat.com/show_bug.cgi?id=2268019", + "https://bugzilla.redhat.com/show_bug.cgi?id=2268273", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45288", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45289", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45290", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24783", + "https://errata.almalinux.org/9/ALSA-2024-2724.html", + "https://errata.rockylinux.org/RLSA-2024:2724", + "https://go.dev/cl/576155", + "https://go.dev/issue/65051", + "https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M", + "https://kb.cert.org/vuls/id/421644", + "https://linux.oracle.com/cve/CVE-2023-45288.html", + "https://linux.oracle.com/errata/ELSA-2024-3346.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/", + "https://nowotarski.info/http2-continuation-flood-technical-details", + "https://nowotarski.info/http2-continuation-flood/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-45288", + "https://pkg.go.dev/vuln/GO-2024-2687", + "https://security.netapp.com/advisory/ntap-20240419-0009", + "https://security.netapp.com/advisory/ntap-20240419-0009/", + "https://ubuntu.com/security/notices/USN-6886-1", + "https://ubuntu.com/security/notices/USN-7109-1", + "https://ubuntu.com/security/notices/USN-7111-1", + "https://www.cve.org/CVERecord?id=CVE-2023-45288", + "https://www.kb.cert.org/vuls/id/421644" + ], + "PublishedDate": "2024-04-04T21:15:16.113Z", + "LastModifiedDate": "2024-11-21T08:26:42.38Z" + }, + { + "VulnerabilityID": "CVE-2025-22870", + "PkgID": "golang.org/x/net@v0.7.0", + "PkgName": "golang.org/x/net", + "PkgIdentifier": { + "PURL": "pkg:golang/golang.org/x/net@v0.7.0", + "UID": "a23937acc82a7ed5" + }, + "InstalledVersion": "v0.7.0", + "FixedVersion": "0.36.0", + "Status": "fixed", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-22870", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "golang.org/x/net/proxy: golang.org/x/net/http/httpproxy: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net", + "Description": "Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to \"*.example.com\", a request to \"[::1%25.example.com]:80` will incorrectly match and not be proxied.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-115" + ], + "VendorSeverity": { + "amazon": 2, + "azure": 2, + "cbl-mariner": 2, + "ghsa": 2, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L", + "V3Score": 4.4 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L", + "V3Score": 4.4 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2025/03/07/2", + "https://access.redhat.com/security/cve/CVE-2025-22870", + "https://github.com/golang/go/issues/71984", + "https://go-review.googlesource.com/q/project:net", + "https://go.dev/cl/654697", + "https://go.dev/issue/71984", + "https://groups.google.com/g/golang-announce/c/4t3lzH3I0eI/m/b42ImqrBAQAJ", + "https://nvd.nist.gov/vuln/detail/CVE-2025-22870", + "https://pkg.go.dev/vuln/GO-2025-3503", + "https://security.netapp.com/advisory/ntap-20250509-0007", + "https://security.netapp.com/advisory/ntap-20250509-0007/", + "https://ubuntu.com/security/notices/USN-7574-1", + "https://www.cve.org/CVERecord?id=CVE-2025-22870" + ], + "PublishedDate": "2025-03-12T19:15:38.31Z", + "LastModifiedDate": "2025-05-09T20:15:38.727Z" + }, + { + "VulnerabilityID": "CVE-2025-22872", + "PkgID": "golang.org/x/net@v0.7.0", + "PkgName": "golang.org/x/net", + "PkgIdentifier": { + "PURL": "pkg:golang/golang.org/x/net@v0.7.0", + "UID": "a23937acc82a7ed5" + }, + "InstalledVersion": "v0.7.0", + "FixedVersion": "0.38.0", + "Status": "fixed", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-22872", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "golang.org/x/net/html: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net", + "Description": "The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. \u003cmath\u003e, \u003csvg\u003e, etc contexts).", + "Severity": "MEDIUM", + "VendorSeverity": { + "amazon": 3, + "azure": 2, + "cbl-mariner": 2, + "ghsa": 2, + "redhat": 2 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L", + "V3Score": 6.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2025-22872", + "https://github.com/advisories/GHSA-vvgc-356p-c3xw", + "https://go.dev/cl/662715", + "https://go.dev/issue/73070", + "https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA", + "https://nvd.nist.gov/vuln/detail/CVE-2025-22872", + "https://pkg.go.dev/vuln/GO-2025-3595", + "https://security.netapp.com/advisory/ntap-20250516-0007", + "https://security.netapp.com/advisory/ntap-20250516-0007/", + "https://www.cve.org/CVERecord?id=CVE-2025-22872" + ], + "PublishedDate": "2025-04-16T18:16:04.183Z", + "LastModifiedDate": "2025-05-16T23:15:19.707Z" + }, + { + "VulnerabilityID": "CVE-2025-22868", + "PkgID": "golang.org/x/oauth2@v0.0.0-20211104180415-d3ed0bb246c8", + "PkgName": "golang.org/x/oauth2", + "PkgIdentifier": { + "PURL": "pkg:golang/golang.org/x/oauth2@v0.0.0-20211104180415-d3ed0bb246c8", + "UID": "8433a0c1e374037b" + }, + "InstalledVersion": "v0.0.0-20211104180415-d3ed0bb246c8", + "FixedVersion": "0.27.0", + "Status": "fixed", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-22868", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws", + "Description": "An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1286" + ], + "VendorSeverity": { + "amazon": 3, + "azure": 3, + "cbl-mariner": 3, + "ghsa": 3, + "redhat": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2025-22868", + "https://go.dev/cl/652155", + "https://go.dev/issue/71490", + "https://nvd.nist.gov/vuln/detail/CVE-2025-22868", + "https://pkg.go.dev/vuln/GO-2025-3488", + "https://www.cve.org/CVERecord?id=CVE-2025-22868" + ], + "PublishedDate": "2025-02-26T08:14:24.897Z", + "LastModifiedDate": "2025-05-01T19:27:10.43Z" + }, + { + "VulnerabilityID": "GHSA-m425-mq94-257g", + "PkgID": "google.golang.org/grpc@v1.43.0", + "PkgName": "google.golang.org/grpc", + "PkgIdentifier": { + "PURL": "pkg:golang/google.golang.org/grpc@v1.43.0", + "UID": "453495113e213487" + }, + "InstalledVersion": "v1.43.0", + "FixedVersion": "1.56.3, 1.57.1, 1.58.3", + "Status": "fixed", + "SeveritySource": "ghsa", + "PrimaryURL": "https://github.com/advisories/GHSA-m425-mq94-257g", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "gRPC-Go HTTP/2 Rapid Reset vulnerability", + "Description": "### Impact\nIn affected releases of gRPC-Go, it is possible for an attacker to send HTTP/2 requests, cancel them, and send subsequent requests, which is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit.\n\n### Patches\nThis vulnerability was addressed by #6703 and has been included in patch releases: 1.56.3, 1.57.1, 1.58.3. It is also included in the latest release, 1.59.0.\n\nAlong with applying the patch, users should also ensure they are using the `grpc.MaxConcurrentStreams` server option to apply a limit to the server's resources used for any single connection.\n\n### Workarounds\nNone.\n\n### References\n#6703\n", + "Severity": "HIGH", + "VendorSeverity": { + "ghsa": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://github.com/grpc/grpc-go", + "https://github.com/grpc/grpc-go/commit/f2180b4d5403d2210b30b93098eb7da31c05c721", + "https://github.com/grpc/grpc-go/pull/6703", + "https://github.com/grpc/grpc-go/security/advisories/GHSA-m425-mq94-257g", + "https://nvd.nist.gov/vuln/detail/CVE-2023-44487" + ], + "PublishedDate": "2023-10-25T21:17:37Z", + "LastModifiedDate": "2024-07-19T16:32:30Z" + }, + { + "VulnerabilityID": "CVE-2023-44487", + "PkgID": "google.golang.org/grpc@v1.43.0", + "PkgName": "google.golang.org/grpc", + "PkgIdentifier": { + "PURL": "pkg:golang/google.golang.org/grpc@v1.43.0", + "UID": "453495113e213487" + }, + "InstalledVersion": "v1.43.0", + "FixedVersion": "1.58.3, 1.57.1, 1.56.3", + "Status": "fixed", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-44487", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)", + "Description": "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-400" + ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "azure": 3, + "bitnami": 3, + "cbl-mariner": 3, + "ghsa": 2, + "nvd": 3, + "oracle-oval": 3, + "photon": 3, + "redhat": 3, + "rocky": 3, + "ubuntu": 3 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2023/10/10/6", + "http://www.openwall.com/lists/oss-security/2023/10/10/7", + "http://www.openwall.com/lists/oss-security/2023/10/13/4", + "http://www.openwall.com/lists/oss-security/2023/10/13/9", + "http://www.openwall.com/lists/oss-security/2023/10/18/4", + "http://www.openwall.com/lists/oss-security/2023/10/18/8", + "http://www.openwall.com/lists/oss-security/2023/10/19/6", + "http://www.openwall.com/lists/oss-security/2023/10/20/8", + "https://access.redhat.com/errata/RHSA-2023:6746", + "https://access.redhat.com/security/cve/CVE-2023-44487", + "https://access.redhat.com/security/cve/cve-2023-44487", + "https://akka.io/security/akka-http-cve-2023-44487.html", + "https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size", + "https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/", + "https://aws.amazon.com/security/security-bulletins/AWS-2023-011", + "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/", + "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack", + "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/", + "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack", + "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/", + "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty", + "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/", + "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack", + "https://blog.vespa.ai/cve-2023-44487", + "https://blog.vespa.ai/cve-2023-44487/", + "https://bugzilla.proxmox.com/show_bug.cgi?id=4988", + "https://bugzilla.redhat.com/2242803", + "https://bugzilla.redhat.com/show_bug.cgi?id=2242803", + "https://bugzilla.suse.com/show_bug.cgi?id=1216123", + "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9", + "https://chaos.social/@icing/111210915918780532", + "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps", + "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/", + "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack", + "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487", + "https://devblogs.microsoft.com/dotnet/october-2023-updates/", + "https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715", + "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve", + "https://errata.almalinux.org/9/ALSA-2023-6746.html", + "https://errata.rockylinux.org/RLSA-2023:5838", + "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764", + "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088", + "https://github.com/Azure/AKS/issues/3947", + "https://github.com/Kong/kong/discussions/11741", + "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", + "https://github.com/advisories/GHSA-vx74-f528-fxqg", + "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p", + "https://github.com/akka/akka-http/issues/4323", + "https://github.com/akka/akka-http/pull/4324", + "https://github.com/akka/akka-http/pull/4325", + "https://github.com/alibaba/tengine/issues/1872", + "https://github.com/apache/apisix/issues/10320", + "https://github.com/apache/httpd-site/pull/10", + "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113", + "https://github.com/apache/tomcat/commit/944332bb15bd2f3bf76ec2caeb1ff0a58a3bc628", + "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2", + "https://github.com/apache/trafficserver/pull/10564", + "https://github.com/apple/swift-nio-http2", + "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-qppj-fm5r-hxr3", + "https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487", + "https://github.com/bcdannyboy/CVE-2023-44487", + "https://github.com/caddyserver/caddy/issues/5877", + "https://github.com/caddyserver/caddy/releases/tag/v2.7.5", + "https://github.com/dotnet/announcements/issues/277", + "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73", + "https://github.com/eclipse/jetty.project/issues/10679", + "https://github.com/envoyproxy/envoy/pull/30055", + "https://github.com/etcd-io/etcd/issues/16740", + "https://github.com/facebook/proxygen/pull/466", + "https://github.com/golang/go/issues/63417", + "https://github.com/grpc/grpc-go/pull/6703", + "https://github.com/grpc/grpc-go/releases", + "https://github.com/grpc/grpc/releases/tag/v1.59.2", + "https://github.com/h2o/h2o/pull/3291", + "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf", + "https://github.com/haproxy/haproxy/issues/2312", + "https://github.com/hyperium/hyper/issues/3337", + "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244", + "https://github.com/junkurihara/rust-rpxy/issues/97", + "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1", + "https://github.com/kazu-yamamoto/http2/issues/93", + "https://github.com/kubernetes/kubernetes/pull/121120", + "https://github.com/line/armeria/pull/5232", + "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632", + "https://github.com/micrictor/http2-rst-stream", + "https://github.com/microsoft/CBL-Mariner/pull/6381", + "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61", + "https://github.com/nghttp2/nghttp2/pull/1961", + "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0", + "https://github.com/ninenines/cowboy/issues/1615", + "https://github.com/nodejs/node/pull/50121", + "https://github.com/openresty/openresty/issues/930", + "https://github.com/opensearch-project/data-prepper/issues/3474", + "https://github.com/oqtane/oqtane.framework/discussions/3367", + "https://github.com/projectcontour/contour/pull/5826", + "https://github.com/tempesta-tech/tempesta/issues/1986", + "https://github.com/varnishcache/varnish-cache/issues/3996", + "https://go.dev/cl/534215", + "https://go.dev/cl/534235", + "https://go.dev/issue/63417", + "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo", + "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ", + "https://istio.io/latest/news/security/istio-security-2023-004", + "https://istio.io/latest/news/security/istio-security-2023-004/", + "https://linkerd.io/2023/10/12/linkerd-cve-2023-44487", + "https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/", + "https://linux.oracle.com/cve/CVE-2023-44487.html", + "https://linux.oracle.com/errata/ELSA-2024-1444.html", + "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html", + "https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html", + "https://lists.debian.org/debian-lts-announce/2023/11/msg00012.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/", + "https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html", + "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html", + "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html", + "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2", + "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487", + "https://my.f5.com/manage/s/article/K000137106", + "https://netty.io/news/2023/10/10/4-1-100-Final.html", + "https://news.ycombinator.com/item?id=37830987", + "https://news.ycombinator.com/item?id=37830998", + "https://news.ycombinator.com/item?id=37831062", + "https://news.ycombinator.com/item?id=37837043", + "https://nodejs.org/en/blog/vulnerability/october-2023-security-releases", + "https://nvd.nist.gov/vuln/detail/CVE-2023-44487", + "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response", + "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/", + "https://pkg.go.dev/vuln/GO-2023-2102", + "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected", + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http2-reset-d8Kf32vZ", + "https://security.gentoo.org/glsa/202311-09", + "https://security.netapp.com/advisory/ntap-20231016-0001", + "https://security.netapp.com/advisory/ntap-20231016-0001/", + "https://security.netapp.com/advisory/ntap-20240426-0007", + "https://security.netapp.com/advisory/ntap-20240426-0007/", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://security.netapp.com/advisory/ntap-20240621-0007", + "https://security.netapp.com/advisory/ntap-20240621-0007/", + "https://security.paloaltonetworks.com/CVE-2023-44487", + "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14", + "https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.0-M12", + "https://tomcat.apache.org/security-8.html", + "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.94", + "https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.81", + "https://ubuntu.com/security/CVE-2023-44487", + "https://ubuntu.com/security/notices/USN-6427-1", + "https://ubuntu.com/security/notices/USN-6427-2", + "https://ubuntu.com/security/notices/USN-6438-1", + "https://ubuntu.com/security/notices/USN-6505-1", + "https://ubuntu.com/security/notices/USN-6574-1", + "https://ubuntu.com/security/notices/USN-6754-1", + "https://ubuntu.com/security/notices/USN-6994-1", + "https://ubuntu.com/security/notices/USN-7067-1", + "https://ubuntu.com/security/notices/USN-7410-1", + "https://ubuntu.com/security/notices/USN-7469-1", + "https://ubuntu.com/security/notices/USN-7469-2", + "https://ubuntu.com/security/notices/USN-7469-3", + "https://ubuntu.com/security/notices/USN-7469-4", + "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records", + "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/", + "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", + "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487", + "https://www.cve.org/CVERecord?id=CVE-2023-44487", + "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event", + "https://www.debian.org/security/2023/dsa-5521", + "https://www.debian.org/security/2023/dsa-5522", + "https://www.debian.org/security/2023/dsa-5540", + "https://www.debian.org/security/2023/dsa-5549", + "https://www.debian.org/security/2023/dsa-5558", + "https://www.debian.org/security/2023/dsa-5570", + "https://www.eclipse.org/lists/jetty-announce/msg00181.html", + "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487", + "https://www.mail-archive.com/haproxy@formilux.org/msg44134.html", + "https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487", + "https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/", + "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products", + "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/", + "https://www.openwall.com/lists/oss-security/2023/10/10/6", + "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack", + "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday", + "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/", + "https://www.vicarius.io/vsociety/posts/rapid-reset-cve-2023-44487-dos-in-http2-understanding-the-root-cause" + ], + "PublishedDate": "2023-10-10T14:15:10.883Z", + "LastModifiedDate": "2025-06-11T17:29:54.137Z" + }, + { + "VulnerabilityID": "CVE-2024-24786", + "PkgID": "google.golang.org/protobuf@v1.27.1", + "PkgName": "google.golang.org/protobuf", + "PkgIdentifier": { + "PURL": "pkg:golang/google.golang.org/protobuf@v1.27.1", + "UID": "90f7db3475fc3359" + }, + "InstalledVersion": "v1.27.1", + "FixedVersion": "1.33.0", + "Status": "fixed", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-24786", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON", + "Description": "The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.", + "Severity": "MEDIUM", + "VendorSeverity": { + "alma": 2, + "amazon": 2, + "azure": 3, + "cbl-mariner": 3, + "ghsa": 2, + "oracle-oval": 2, + "redhat": 2, + "rocky": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2024/03/08/4", + "https://access.redhat.com/errata/RHSA-2024:2550", + "https://access.redhat.com/security/cve/CVE-2024-24786", + "https://bugzilla.redhat.com/2268046", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24786", + "https://errata.almalinux.org/9/ALSA-2024-2550.html", + "https://errata.rockylinux.org/RLSA-2024:2550", + "https://github.com/protocolbuffers/protobuf-go", + "https://github.com/protocolbuffers/protobuf-go/commit/f01a588e5810b90996452eec4a28f22a0afae023", + "https://github.com/protocolbuffers/protobuf-go/releases/tag/v1.33.0", + "https://go-review.googlesource.com/c/protobuf/+/569356", + "https://go.dev/cl/569356", + "https://groups.google.com/g/golang-announce/c/ArQ6CDgtEjY/", + "https://linux.oracle.com/cve/CVE-2024-24786.html", + "https://linux.oracle.com/errata/ELSA-2024-4246.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU/", + "https://nvd.nist.gov/vuln/detail/CVE-2024-24786", + "https://pkg.go.dev/vuln/GO-2024-2611", + "https://security.netapp.com/advisory/ntap-20240517-0002", + "https://security.netapp.com/advisory/ntap-20240517-0002/", + "https://ubuntu.com/security/notices/USN-6746-1", + "https://ubuntu.com/security/notices/USN-6746-2", + "https://www.cve.org/CVERecord?id=CVE-2024-24786" + ], + "PublishedDate": "2024-03-05T23:15:07.82Z", + "LastModifiedDate": "2024-11-21T08:59:42.117Z" + }, + { + "VulnerabilityID": "CVE-2024-28180", + "PkgID": "gopkg.in/square/go-jose.v2@v2.6.0", + "PkgName": "gopkg.in/square/go-jose.v2", + "PkgIdentifier": { + "PURL": "pkg:golang/gopkg.in/square/go-jose.v2@v2.6.0", + "UID": "7d5bf3c3f2dcd297" + }, + "InstalledVersion": "v2.6.0", + "Status": "affected", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-28180", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "jose-go: improper handling of highly compressed data", + "Description": "Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-409" + ], + "VendorSeverity": { + "alma": 2, + "amazon": 2, + "azure": 2, + "cbl-mariner": 2, + "ghsa": 2, + "oracle-oval": 2, + "redhat": 2, + "rocky": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 4.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 4.3 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:3827", + "https://access.redhat.com/security/cve/CVE-2024-28180", + "https://bugzilla.redhat.com/2268017", + "https://bugzilla.redhat.com/2268820", + "https://bugzilla.redhat.com/2268854", + "https://bugzilla.redhat.com/show_bug.cgi?id=2268017", + "https://bugzilla.redhat.com/show_bug.cgi?id=2268820", + "https://bugzilla.redhat.com/show_bug.cgi?id=2268854", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45290", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28180", + "https://errata.almalinux.org/9/ALSA-2024-3827.html", + "https://errata.rockylinux.org/RLSA-2024:3827", + "https://github.com/go-jose/go-jose", + "https://github.com/go-jose/go-jose/commit/0dd4dd541c665fb292d664f77604ba694726f298", + "https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451fe4b28a", + "https://github.com/go-jose/go-jose/commit/f4c051a0653d78199a053892f7619ebf96339502", + "https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g", + "https://linux.oracle.com/cve/CVE-2024-28180.html", + "https://linux.oracle.com/errata/ELSA-2024-3968.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GD2GSBQTBLYADASUBHHZV2CZPTSLIPQJ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GD2GSBQTBLYADASUBHHZV2CZPTSLIPQJ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IJ6LAJJ2FTA2JVVOACCV5RZTOIZLXUNJ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IJ6LAJJ2FTA2JVVOACCV5RZTOIZLXUNJ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JNPMXL36YGS3GQEVI3Q5HKHJ7YAAQXL5", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JNPMXL36YGS3GQEVI3Q5HKHJ7YAAQXL5/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MSOMHDKRPU3A2JEMRODT2IREDFBLVPGS", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MSOMHDKRPU3A2JEMRODT2IREDFBLVPGS/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH/", + "https://nvd.nist.gov/vuln/detail/CVE-2024-28180", + "https://www.cve.org/CVERecord?id=CVE-2024-28180" + ], + "PublishedDate": "2024-03-09T01:15:07.34Z", + "LastModifiedDate": "2025-02-13T18:17:48.353Z" + } + ] + }, + { + "Target": "go.mod", + "Class": "lang-pkgs", + "Type": "gomod", + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2024-45337", + "PkgID": "golang.org/x/crypto@v0.0.0-20220622213112-05595931fe9d", + "PkgName": "golang.org/x/crypto", + "PkgIdentifier": { + "PURL": "pkg:golang/golang.org/x/crypto@v0.0.0-20220622213112-05595931fe9d", + "UID": "a1a9e65a8a8b5747" + }, + "InstalledVersion": "v0.0.0-20220622213112-05595931fe9d", + "FixedVersion": "0.31.0", + "Status": "fixed", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-45337", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto", + "Description": "Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that \"A call to this function does not guarantee that the key offered is in fact used to authenticate.\" Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.", + "Severity": "CRITICAL", + "VendorSeverity": { + "amazon": 3, + "azure": 4, + "cbl-mariner": 4, + "ghsa": 4, + "redhat": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", + "V3Score": 9.1 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N", + "V3Score": 8.2 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2024/12/11/2", + "https://access.redhat.com/security/cve/CVE-2024-45337", + "https://github.com/golang/crypto", + "https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909", + "https://go.dev/cl/635315", + "https://go.dev/issue/70779", + "https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ", + "https://nvd.nist.gov/vuln/detail/CVE-2024-45337", + "https://pkg.go.dev/vuln/GO-2024-3321", + "https://security.netapp.com/advisory/ntap-20250131-0007", + "https://security.netapp.com/advisory/ntap-20250131-0007/", + "https://www.cve.org/CVERecord?id=CVE-2024-45337" + ], + "PublishedDate": "2024-12-12T02:02:07.97Z", + "LastModifiedDate": "2025-02-18T21:15:22.187Z" + }, + { + "VulnerabilityID": "CVE-2025-22869", + "PkgID": "golang.org/x/crypto@v0.0.0-20220622213112-05595931fe9d", + "PkgName": "golang.org/x/crypto", + "PkgIdentifier": { + "PURL": "pkg:golang/golang.org/x/crypto@v0.0.0-20220622213112-05595931fe9d", + "UID": "a1a9e65a8a8b5747" + }, + "InstalledVersion": "v0.0.0-20220622213112-05595931fe9d", + "FixedVersion": "0.35.0", + "Status": "fixed", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-22869", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh", + "Description": "SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-770" + ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "azure": 3, + "cbl-mariner": 3, + "ghsa": 3, + "oracle-oval": 3, + "redhat": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2025:3833", + "https://access.redhat.com/security/cve/CVE-2025-22869", + "https://bugzilla.redhat.com/2348367", + "https://errata.almalinux.org/9/ALSA-2025-3833.html", + "https://github.com/golang/crypto", + "https://github.com/golang/crypto/commit/7292932d45d55c7199324ab0027cc86e8198aa22", + "https://go-review.googlesource.com/c/crypto/+/652135", + "https://go.dev/cl/652135", + "https://go.dev/issue/71931", + "https://linux.oracle.com/cve/CVE-2025-22869.html", + "https://linux.oracle.com/errata/ELSA-2025-7484.html", + "https://nvd.nist.gov/vuln/detail/CVE-2025-22869", + "https://pkg.go.dev/vuln/GO-2025-3487", + "https://security.netapp.com/advisory/ntap-20250411-0010", + "https://security.netapp.com/advisory/ntap-20250411-0010/", + "https://www.cve.org/CVERecord?id=CVE-2025-22869" + ], + "PublishedDate": "2025-02-26T08:14:24.997Z", + "LastModifiedDate": "2025-05-01T19:28:20.74Z" + }, + { + "VulnerabilityID": "CVE-2023-48795", + "PkgID": "golang.org/x/crypto@v0.0.0-20220622213112-05595931fe9d", + "PkgName": "golang.org/x/crypto", + "PkgIdentifier": { + "PURL": "pkg:golang/golang.org/x/crypto@v0.0.0-20220622213112-05595931fe9d", + "UID": "a1a9e65a8a8b5747" + }, + "InstalledVersion": "v0.0.0-20220622213112-05595931fe9d", + "FixedVersion": "0.17.0, 0.0.0-20231218163308-9d2ee975ef9f", + "Status": "fixed", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-48795", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "ssh: Prefix truncation attack on Binary Packet Protocol (BPP)", + "Description": "The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-354" + ], + "VendorSeverity": { + "alma": 2, + "amazon": 2, + "azure": 2, + "cbl-mariner": 2, + "ghsa": 2, + "nvd": 2, + "oracle-oval": 2, + "photon": 2, + "redhat": 2, + "rocky": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 5.9 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 5.9 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 5.9 + } + }, + "References": [ + "http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html", + "http://seclists.org/fulldisclosure/2024/Mar/21", + "http://www.openwall.com/lists/oss-security/2023/12/18/3", + "http://www.openwall.com/lists/oss-security/2023/12/19/5", + "http://www.openwall.com/lists/oss-security/2023/12/20/3", + "http://www.openwall.com/lists/oss-security/2024/03/06/3", + "http://www.openwall.com/lists/oss-security/2024/04/17/8", + "https://access.redhat.com/errata/RHSA-2024:1150", + "https://access.redhat.com/security/cve/CVE-2023-48795", + "https://access.redhat.com/security/cve/cve-2023-48795", + "https://access.redhat.com/solutions/7071748", + "https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack", + "https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/", + "https://bugs.gentoo.org/920280", + "https://bugzilla.redhat.com/2254210", + "https://bugzilla.redhat.com/show_bug.cgi?id=2254210", + "https://bugzilla.suse.com/show_bug.cgi?id=1217950", + "https://crates.io/crates/thrussh/versions", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795", + "https://errata.almalinux.org/9/ALSA-2024-1150.html", + "https://errata.rockylinux.org/RLSA-2024:0628", + "https://filezilla-project.org/versions.php", + "https://forum.netgate.com/topic/184941/terrapin-ssh-attack", + "https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10\u0026id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6", + "https://github.com/NixOS/nixpkgs/pull/275249", + "https://github.com/PowerShell/Win32-OpenSSH/issues/2189", + "https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta", + "https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0", + "https://github.com/TeraTermProject/teraterm/releases/tag/v5.1", + "https://github.com/advisories/GHSA-45x7-px36-x8w8", + "https://github.com/apache/mina-sshd/issues/445", + "https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab", + "https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22", + "https://github.com/cyd01/KiTTY/issues/520", + "https://github.com/drakkan/sftpgo/releases/tag/v2.5.6", + "https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42", + "https://github.com/erlang/otp/releases/tag/OTP-26.2.1", + "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d", + "https://github.com/hierynomus/sshj/issues/916", + "https://github.com/janmojzis/tinyssh/issues/81", + "https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5", + "https://github.com/libssh2/libssh2/pull/1291", + "https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25", + "https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3", + "https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15", + "https://github.com/mwiede/jsch/issues/457", + "https://github.com/mwiede/jsch/pull/461", + "https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt#L14-L16", + "https://github.com/openssh/openssh-portable/commits/master", + "https://github.com/paramiko/paramiko/issues/2337", + "https://github.com/paramiko/paramiko/issues/2337#issuecomment-1887642773", + "https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES", + "https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES", + "https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES", + "https://github.com/proftpd/proftpd/issues/456", + "https://github.com/rapier1/hpn-ssh/releases", + "https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst", + "https://github.com/ronf/asyncssh/security/advisories/GHSA-hfmc-7525-mj55", + "https://github.com/ronf/asyncssh/tags", + "https://github.com/ssh-mitm/ssh-mitm/issues/165", + "https://github.com/warp-tech/russh", + "https://github.com/warp-tech/russh/commit/1aa340a7df1d5be1c0f4a9e247aade76dfdd2951", + "https://github.com/warp-tech/russh/releases/tag/v0.40.2", + "https://github.com/warp-tech/russh/security/advisories/GHSA-45x7-px36-x8w8", + "https://gitlab.com/libssh/libssh-mirror/-/tags", + "https://go.dev/cl/550715", + "https://go.dev/issue/64784", + "https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ", + "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg", + "https://help.panic.com/releasenotes/transmit5", + "https://help.panic.com/releasenotes/transmit5/", + "https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795", + "https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/", + "https://linux.oracle.com/cve/CVE-2023-48795.html", + "https://linux.oracle.com/errata/ELSA-2024-2988.html", + "https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/01/msg00013.html", + "https://lists.debian.org/debian-lts-announce/2024/01/msg00014.html", + "https://lists.debian.org/debian-lts-announce/2024/04/msg00016.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33XHJUB6ROFUOH2OQNENFROTVH6MHSHA", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33XHJUB6ROFUOH2OQNENFROTVH6MHSHA/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CAYYW35MUTNO65RVAELICTNZZFMT2XS", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CAYYW35MUTNO65RVAELICTNZZFMT2XS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3JIMLVBDWOP4FUPXPTB4PGHHIOMGFLQE", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3JIMLVBDWOP4FUPXPTB4PGHHIOMGFLQE/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YQLUQWLIHDB5QCXQEX7HXHAWMOKPP5O", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YQLUQWLIHDB5QCXQEX7HXHAWMOKPP5O/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6Y74KVCPEPT4MVU3LHDWCNNOXOE5ZLUR", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6Y74KVCPEPT4MVU3LHDWCNNOXOE5ZLUR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APYIXIQOVDCRWLHTGB4VYMAUIAQLKYJ3", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APYIXIQOVDCRWLHTGB4VYMAUIAQLKYJ3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BL5KTLOSLH2KHRN4HCXJPK3JUVLDGEL6", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BL5KTLOSLH2KHRN4HCXJPK3JUVLDGEL6/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C3AFMZ6MH2UHHOPIWT5YLSFV3D2VB3AC", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C3AFMZ6MH2UHHOPIWT5YLSFV3D2VB3AC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7EYCFQCTSGJXWO3ZZ44MGKFC5HA7G3Y", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7EYCFQCTSGJXWO3ZZ44MGKFC5HA7G3Y/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HYEDEXIKFKTUJIN43RG4B7T5ZS6MHUSP", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HYEDEXIKFKTUJIN43RG4B7T5ZS6MHUSP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I724O3LSRCPO4WNVIXTZCT4VVRMXMMSG", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I724O3LSRCPO4WNVIXTZCT4VVRMXMMSG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KMZCVGUGJZZVDPCVDA7TEB22VUCNEXDD", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KMZCVGUGJZZVDPCVDA7TEB22VUCNEXDD/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L5Y6MNNVAPIJSXJERQ6PKZVCIUXSNJK7", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L5Y6MNNVAPIJSXJERQ6PKZVCIUXSNJK7/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QI3EHAHABFQK7OABNCSF5GMYP6TONTI7", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QI3EHAHABFQK7OABNCSF5GMYP6TONTI7/", + "https://matt.ucc.asn.au/dropbear/CHANGES", + "https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC", + "https://news.ycombinator.com/item?id=38684904", + "https://news.ycombinator.com/item?id=38685286", + "https://news.ycombinator.com/item?id=38732005", + "https://nova.app/releases/#v11.8", + "https://nvd.nist.gov/vuln/detail/CVE-2023-48795", + "https://oryx-embedded.com/download/#changelog", + "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0002", + "https://roumenpetrov.info/secsh/#news20231220", + "https://security-tracker.debian.org/tracker/CVE-2023-48795", + "https://security-tracker.debian.org/tracker/source-package/libssh2", + "https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg", + "https://security-tracker.debian.org/tracker/source-package/trilead-ssh2", + "https://security.gentoo.org/glsa/202312-16", + "https://security.gentoo.org/glsa/202312-17", + "https://security.netapp.com/advisory/ntap-20240105-0004", + "https://security.netapp.com/advisory/ntap-20240105-0004/", + "https://support.apple.com/kb/HT214084", + "https://terrapin-attack.com/", + "https://thorntech.com/cve-2023-48795-and-sftp-gateway", + "https://thorntech.com/cve-2023-48795-and-sftp-gateway/", + "https://twitter.com/TrueSkrillor/status/1736774389725565005", + "https://ubuntu.com/security/CVE-2023-48795", + "https://ubuntu.com/security/notices/USN-6560-1", + "https://ubuntu.com/security/notices/USN-6560-2", + "https://ubuntu.com/security/notices/USN-6561-1", + "https://ubuntu.com/security/notices/USN-6585-1", + "https://ubuntu.com/security/notices/USN-6589-1", + "https://ubuntu.com/security/notices/USN-6598-1", + "https://ubuntu.com/security/notices/USN-6738-1", + "https://ubuntu.com/security/notices/USN-7051-1", + "https://ubuntu.com/security/notices/USN-7292-1", + "https://ubuntu.com/security/notices/USN-7297-1", + "https://winscp.net/eng/docs/history#6.2.2", + "https://www.bitvise.com/ssh-client-version-history#933", + "https://www.bitvise.com/ssh-server-version-history", + "https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html", + "https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update", + "https://www.cve.org/CVERecord?id=CVE-2023-48795", + "https://www.debian.org/security/2023/dsa-5586", + "https://www.debian.org/security/2023/dsa-5588", + "https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc", + "https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise#c243508", + "https://www.netsarang.com/en/xshell-update-history", + "https://www.netsarang.com/en/xshell-update-history/", + "https://www.openssh.com/openbsd.html", + "https://www.openssh.com/txt/release-9.6", + "https://www.openwall.com/lists/oss-security/2023/12/18/2", + "https://www.openwall.com/lists/oss-security/2023/12/18/3", + "https://www.openwall.com/lists/oss-security/2023/12/20/3", + "https://www.paramiko.org/changelog.html", + "https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed", + "https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/", + "https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795", + "https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/", + "https://www.terrapin-attack.com", + "https://www.theregister.com/2023/12/20/terrapin_attack_ssh", + "https://www.vandyke.com/products/securecrt/history.txt", + "https://www.vicarius.io/vsociety/posts/cve-2023-48795-detect-openssh-vulnerabilit", + "https://www.vicarius.io/vsociety/posts/cve-2023-48795-mitigate-openssh-vulnerability" + ], + "PublishedDate": "2023-12-18T16:15:10.897Z", + "LastModifiedDate": "2025-05-23T02:24:58.787Z" + }, + { + "VulnerabilityID": "CVE-2023-39325", + "PkgID": "golang.org/x/net@v0.7.0", + "PkgName": "golang.org/x/net", + "PkgIdentifier": { + "PURL": "pkg:golang/golang.org/x/net@v0.7.0", + "UID": "5046a7e208675ed5" + }, + "InstalledVersion": "v0.7.0", + "FixedVersion": "0.17.0", + "Status": "fixed", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-39325", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)", + "Description": "A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-770" + ], + "VendorSeverity": { + "alma": 2, + "amazon": 3, + "azure": 3, + "bitnami": 3, + "cbl-mariner": 3, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 2, + "redhat": 3, + "rocky": 2, + "ubuntu": 2 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "golang.org/x/net", + "https://access.redhat.com/errata/RHSA-2023:6077", + "https://access.redhat.com/security/cve/CVE-2023-39325", + "https://access.redhat.com/security/cve/CVE-2023-44487", + "https://bugzilla.redhat.com/2242803", + "https://bugzilla.redhat.com/2243296", + "https://bugzilla.redhat.com/show_bug.cgi?id=2242803", + "https://bugzilla.redhat.com/show_bug.cgi?id=2243296", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39325", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487", + "https://errata.almalinux.org/9/ALSA-2023-6077.html", + "https://errata.rockylinux.org/RLSA-2023:6077", + "https://github.com/golang/go/commit/24ae2d927285c697440fdde3ad7f26028354bcf3 [golang- 1.21]", + "https://github.com/golang/go/commit/e175f27f58aa7b9cd4d79607ae65d2cd5baaee68 [golang-1.20]", + "https://github.com/golang/go/issues/63417", + "https://go.dev/cl/534215", + "https://go.dev/cl/534235", + "https://go.dev/issue/63417", + "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ", + "https://linux.oracle.com/cve/CVE-2023-39325.html", + "https://linux.oracle.com/errata/ELSA-2023-5867.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3OVW5V2DM5K5IC3H7O42YDUGNJ74J35O", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3OVW5V2DM5K5IC3H7O42YDUGNJ74J35O/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3SZN67IL7HMGMNAVLOTIXLIHUDXZK4LH", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3SZN67IL7HMGMNAVLOTIXLIHUDXZK4LH/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3WJ4QVX2AMUJ2F2S27POOAHRC4K3CHU4", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3WJ4QVX2AMUJ2F2S27POOAHRC4K3CHU4/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5RSKA2II6QTD4YUKUNDVJQSRYSFC4VFR", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5RSKA2II6QTD4YUKUNDVJQSRYSFC4VFR/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVZDNSMVDAQJ64LJC5I5U5LDM5753647", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVZDNSMVDAQJ64LJC5I5U5LDM5753647/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2BBIDR2ZMB3X5BC7SR4SLQMHRMVPY6L", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2BBIDR2ZMB3X5BC7SR4SLQMHRMVPY6L/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ECRC75BQJP6FJN2L7KCKYZW4DSBD7QSD", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ECRC75BQJP6FJN2L7KCKYZW4DSBD7QSD/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FTMJ3NJIDAZFWJQQSP3L22MUFJ3UP2PT", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FTMJ3NJIDAZFWJQQSP3L22MUFJ3UP2PT/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GSY7SXFFTPZFWDM6XELSDSHZLVW3AHK7", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GSY7SXFFTPZFWDM6XELSDSHZLVW3AHK7/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HZQIELEIRSZUYTFFH5KTH2YJ4IIQG2KE", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HZQIELEIRSZUYTFFH5KTH2YJ4IIQG2KE/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPWCNYB5PQ5PCVZ4NJT6G56ZYFZ5QBU6", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPWCNYB5PQ5PCVZ4NJT6G56ZYFZ5QBU6/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L5E5JSJBZLYXOTZWXHJKRVCIXIHVWKJ6", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L5E5JSJBZLYXOTZWXHJKRVCIXIHVWKJ6/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MZQYOOKHQDQ57LV2IAG6NRFOVXKHJJ3Z", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MZQYOOKHQDQ57LV2IAG6NRFOVXKHJJ3Z/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NG7IMPL55MVWU3LCI4JQJT3K2U5CHDV7", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NG7IMPL55MVWU3LCI4JQJT3K2U5CHDV7/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ODBY7RVMGZCBSTWF2OZGIZS57FNFUL67", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ODBY7RVMGZCBSTWF2OZGIZS57FNFUL67/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OXGWPQOJ3JNDW2XIYKIVJ7N7QUIFNM2Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OXGWPQOJ3JNDW2XIYKIVJ7N7QUIFNM2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PJCUNGIQDUMZ4Z6HWVYIMR66A35F5S74", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PJCUNGIQDUMZ4Z6HWVYIMR66A35F5S74/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QF5QSYAOPDOWLY6DUHID56Q4HQFYB45I", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QF5QSYAOPDOWLY6DUHID56Q4HQFYB45I/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QXOU2JZUBEBP7GBKAYIJRPRBZSJCD7ST", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QXOU2JZUBEBP7GBKAYIJRPRBZSJCD7ST/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R3UETKPUB3V5JS5TLZOF3SMTGT5K5APS", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R3UETKPUB3V5JS5TLZOF3SMTGT5K5APS/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ULQQONMSCQSH5Z5OWFFQHCGEZ3NL4DRJ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ULQQONMSCQSH5Z5OWFFQHCGEZ3NL4DRJ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UTT7DG3QOF5ZNJLUGHDNLRUIN6OWZARP", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UTT7DG3QOF5ZNJLUGHDNLRUIN6OWZARP/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W2LZSWTV4NV4SNQARNXG5T6LRHP26EW2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W2LZSWTV4NV4SNQARNXG5T6LRHP26EW2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WCNCBYKZXLDFGAJUB7ZP5VLC3YTHJNVH", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WCNCBYKZXLDFGAJUB7ZP5VLC3YTHJNVH/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XTNLSL44Y5FB6JWADSZH6DCV4JJAAEQY", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XTNLSL44Y5FB6JWADSZH6DCV4JJAAEQY/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YJWHBLVZDM5KQSDFRBFRKU5KSSOLIRQ4", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YJWHBLVZDM5KQSDFRBFRKU5KSSOLIRQ4/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YRKEXKANQ7BKJW2YTAMP625LJUJZLJ4P", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YRKEXKANQ7BKJW2YTAMP625LJUJZLJ4P/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZSVEMQV5ROY5YW5QE3I57HT3ITWG5GCV", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZSVEMQV5ROY5YW5QE3I57HT3ITWG5GCV/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-39325", + "https://pkg.go.dev/vuln/GO-2023-2102", + "https://security.gentoo.org/glsa/202311-09", + "https://security.netapp.com/advisory/ntap-20231110-0008", + "https://security.netapp.com/advisory/ntap-20231110-0008/", + "https://ubuntu.com/security/notices/USN-6574-1", + "https://ubuntu.com/security/notices/USN-7061-1", + "https://ubuntu.com/security/notices/USN-7109-1", + "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487", + "https://www.cve.org/CVERecord?id=CVE-2023-39325" + ], + "PublishedDate": "2023-10-11T22:15:09.88Z", + "LastModifiedDate": "2024-11-21T08:15:09.627Z" + }, + { + "VulnerabilityID": "CVE-2023-3978", + "PkgID": "golang.org/x/net@v0.7.0", + "PkgName": "golang.org/x/net", + "PkgIdentifier": { + "PURL": "pkg:golang/golang.org/x/net@v0.7.0", + "UID": "5046a7e208675ed5" + }, + "InstalledVersion": "v0.7.0", + "FixedVersion": "0.13.0", + "Status": "fixed", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-3978", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "golang.org/x/net/html: Cross site scripting", + "Description": "Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-79" + ], + "VendorSeverity": { + "alma": 2, + "amazon": 2, + "azure": 2, + "cbl-mariner": 2, + "ghsa": 2, + "nvd": 2, + "oracle-oval": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:6474", + "https://access.redhat.com/security/cve/CVE-2023-3978", + "https://bugzilla.redhat.com/2174485", + "https://bugzilla.redhat.com/2178358", + "https://bugzilla.redhat.com/2178488", + "https://bugzilla.redhat.com/2178492", + "https://bugzilla.redhat.com/2184481", + "https://bugzilla.redhat.com/2184482", + "https://bugzilla.redhat.com/2184483", + "https://bugzilla.redhat.com/2184484", + "https://bugzilla.redhat.com/2196026", + "https://bugzilla.redhat.com/2196027", + "https://bugzilla.redhat.com/2196029", + "https://bugzilla.redhat.com/2222167", + "https://bugzilla.redhat.com/2228689", + "https://errata.almalinux.org/9/ALSA-2023-6474.html", + "https://go.dev/cl/514896", + "https://go.dev/issue/61615", + "https://linux.oracle.com/cve/CVE-2023-3978.html", + "https://linux.oracle.com/errata/ELSA-2023-6939.html", + "https://nvd.nist.gov/vuln/detail/CVE-2023-3978", + "https://pkg.go.dev/vuln/GO-2023-1988", + "https://www.cve.org/CVERecord?id=CVE-2023-3978" + ], + "PublishedDate": "2023-08-02T20:15:12.097Z", + "LastModifiedDate": "2024-11-21T08:18:27.68Z" + }, + { + "VulnerabilityID": "CVE-2023-44487", + "PkgID": "golang.org/x/net@v0.7.0", + "PkgName": "golang.org/x/net", + "PkgIdentifier": { + "PURL": "pkg:golang/golang.org/x/net@v0.7.0", + "UID": "5046a7e208675ed5" + }, + "InstalledVersion": "v0.7.0", + "FixedVersion": "0.17.0", + "Status": "fixed", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-44487", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)", + "Description": "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-400" + ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "azure": 3, + "bitnami": 3, + "cbl-mariner": 3, + "ghsa": 2, + "nvd": 3, + "oracle-oval": 3, + "photon": 3, + "redhat": 3, + "rocky": 3, + "ubuntu": 3 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2023/10/10/6", + "http://www.openwall.com/lists/oss-security/2023/10/10/7", + "http://www.openwall.com/lists/oss-security/2023/10/13/4", + "http://www.openwall.com/lists/oss-security/2023/10/13/9", + "http://www.openwall.com/lists/oss-security/2023/10/18/4", + "http://www.openwall.com/lists/oss-security/2023/10/18/8", + "http://www.openwall.com/lists/oss-security/2023/10/19/6", + "http://www.openwall.com/lists/oss-security/2023/10/20/8", + "https://access.redhat.com/errata/RHSA-2023:6746", + "https://access.redhat.com/security/cve/CVE-2023-44487", + "https://access.redhat.com/security/cve/cve-2023-44487", + "https://akka.io/security/akka-http-cve-2023-44487.html", + "https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size", + "https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/", + "https://aws.amazon.com/security/security-bulletins/AWS-2023-011", + "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/", + "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack", + "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/", + "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack", + "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/", + "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty", + "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/", + "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack", + "https://blog.vespa.ai/cve-2023-44487", + "https://blog.vespa.ai/cve-2023-44487/", + "https://bugzilla.proxmox.com/show_bug.cgi?id=4988", + "https://bugzilla.redhat.com/2242803", + "https://bugzilla.redhat.com/show_bug.cgi?id=2242803", + "https://bugzilla.suse.com/show_bug.cgi?id=1216123", + "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9", + "https://chaos.social/@icing/111210915918780532", + "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps", + "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/", + "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack", + "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487", + "https://devblogs.microsoft.com/dotnet/october-2023-updates/", + "https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715", + "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve", + "https://errata.almalinux.org/9/ALSA-2023-6746.html", + "https://errata.rockylinux.org/RLSA-2023:5838", + "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764", + "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088", + "https://github.com/Azure/AKS/issues/3947", + "https://github.com/Kong/kong/discussions/11741", + "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", + "https://github.com/advisories/GHSA-vx74-f528-fxqg", + "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p", + "https://github.com/akka/akka-http/issues/4323", + "https://github.com/akka/akka-http/pull/4324", + "https://github.com/akka/akka-http/pull/4325", + "https://github.com/alibaba/tengine/issues/1872", + "https://github.com/apache/apisix/issues/10320", + "https://github.com/apache/httpd-site/pull/10", + "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113", + "https://github.com/apache/tomcat/commit/944332bb15bd2f3bf76ec2caeb1ff0a58a3bc628", + "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2", + "https://github.com/apache/trafficserver/pull/10564", + "https://github.com/apple/swift-nio-http2", + "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-qppj-fm5r-hxr3", + "https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487", + "https://github.com/bcdannyboy/CVE-2023-44487", + "https://github.com/caddyserver/caddy/issues/5877", + "https://github.com/caddyserver/caddy/releases/tag/v2.7.5", + "https://github.com/dotnet/announcements/issues/277", + "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73", + "https://github.com/eclipse/jetty.project/issues/10679", + "https://github.com/envoyproxy/envoy/pull/30055", + "https://github.com/etcd-io/etcd/issues/16740", + "https://github.com/facebook/proxygen/pull/466", + "https://github.com/golang/go/issues/63417", + "https://github.com/grpc/grpc-go/pull/6703", + "https://github.com/grpc/grpc-go/releases", + "https://github.com/grpc/grpc/releases/tag/v1.59.2", + "https://github.com/h2o/h2o/pull/3291", + "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf", + "https://github.com/haproxy/haproxy/issues/2312", + "https://github.com/hyperium/hyper/issues/3337", + "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244", + "https://github.com/junkurihara/rust-rpxy/issues/97", + "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1", + "https://github.com/kazu-yamamoto/http2/issues/93", + "https://github.com/kubernetes/kubernetes/pull/121120", + "https://github.com/line/armeria/pull/5232", + "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632", + "https://github.com/micrictor/http2-rst-stream", + "https://github.com/microsoft/CBL-Mariner/pull/6381", + "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61", + "https://github.com/nghttp2/nghttp2/pull/1961", + "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0", + "https://github.com/ninenines/cowboy/issues/1615", + "https://github.com/nodejs/node/pull/50121", + "https://github.com/openresty/openresty/issues/930", + "https://github.com/opensearch-project/data-prepper/issues/3474", + "https://github.com/oqtane/oqtane.framework/discussions/3367", + "https://github.com/projectcontour/contour/pull/5826", + "https://github.com/tempesta-tech/tempesta/issues/1986", + "https://github.com/varnishcache/varnish-cache/issues/3996", + "https://go.dev/cl/534215", + "https://go.dev/cl/534235", + "https://go.dev/issue/63417", + "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo", + "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ", + "https://istio.io/latest/news/security/istio-security-2023-004", + "https://istio.io/latest/news/security/istio-security-2023-004/", + "https://linkerd.io/2023/10/12/linkerd-cve-2023-44487", + "https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/", + "https://linux.oracle.com/cve/CVE-2023-44487.html", + "https://linux.oracle.com/errata/ELSA-2024-1444.html", + "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html", + "https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html", + "https://lists.debian.org/debian-lts-announce/2023/11/msg00012.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/", + "https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html", + "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html", + "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html", + "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2", + "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487", + "https://my.f5.com/manage/s/article/K000137106", + "https://netty.io/news/2023/10/10/4-1-100-Final.html", + "https://news.ycombinator.com/item?id=37830987", + "https://news.ycombinator.com/item?id=37830998", + "https://news.ycombinator.com/item?id=37831062", + "https://news.ycombinator.com/item?id=37837043", + "https://nodejs.org/en/blog/vulnerability/october-2023-security-releases", + "https://nvd.nist.gov/vuln/detail/CVE-2023-44487", + "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response", + "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/", + "https://pkg.go.dev/vuln/GO-2023-2102", + "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected", + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http2-reset-d8Kf32vZ", + "https://security.gentoo.org/glsa/202311-09", + "https://security.netapp.com/advisory/ntap-20231016-0001", + "https://security.netapp.com/advisory/ntap-20231016-0001/", + "https://security.netapp.com/advisory/ntap-20240426-0007", + "https://security.netapp.com/advisory/ntap-20240426-0007/", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://security.netapp.com/advisory/ntap-20240621-0007", + "https://security.netapp.com/advisory/ntap-20240621-0007/", + "https://security.paloaltonetworks.com/CVE-2023-44487", + "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14", + "https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.0-M12", + "https://tomcat.apache.org/security-8.html", + "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.94", + "https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.81", + "https://ubuntu.com/security/CVE-2023-44487", + "https://ubuntu.com/security/notices/USN-6427-1", + "https://ubuntu.com/security/notices/USN-6427-2", + "https://ubuntu.com/security/notices/USN-6438-1", + "https://ubuntu.com/security/notices/USN-6505-1", + "https://ubuntu.com/security/notices/USN-6574-1", + "https://ubuntu.com/security/notices/USN-6754-1", + "https://ubuntu.com/security/notices/USN-6994-1", + "https://ubuntu.com/security/notices/USN-7067-1", + "https://ubuntu.com/security/notices/USN-7410-1", + "https://ubuntu.com/security/notices/USN-7469-1", + "https://ubuntu.com/security/notices/USN-7469-2", + "https://ubuntu.com/security/notices/USN-7469-3", + "https://ubuntu.com/security/notices/USN-7469-4", + "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records", + "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/", + "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", + "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487", + "https://www.cve.org/CVERecord?id=CVE-2023-44487", + "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event", + "https://www.debian.org/security/2023/dsa-5521", + "https://www.debian.org/security/2023/dsa-5522", + "https://www.debian.org/security/2023/dsa-5540", + "https://www.debian.org/security/2023/dsa-5549", + "https://www.debian.org/security/2023/dsa-5558", + "https://www.debian.org/security/2023/dsa-5570", + "https://www.eclipse.org/lists/jetty-announce/msg00181.html", + "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487", + "https://www.mail-archive.com/haproxy@formilux.org/msg44134.html", + "https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487", + "https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/", + "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products", + "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/", + "https://www.openwall.com/lists/oss-security/2023/10/10/6", + "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack", + "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday", + "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/", + "https://www.vicarius.io/vsociety/posts/rapid-reset-cve-2023-44487-dos-in-http2-understanding-the-root-cause" + ], + "PublishedDate": "2023-10-10T14:15:10.883Z", + "LastModifiedDate": "2025-06-11T17:29:54.137Z" + }, + { + "VulnerabilityID": "CVE-2023-45288", + "PkgID": "golang.org/x/net@v0.7.0", + "PkgName": "golang.org/x/net", + "PkgIdentifier": { + "PURL": "pkg:golang/golang.org/x/net@v0.7.0", + "UID": "5046a7e208675ed5" + }, + "InstalledVersion": "v0.7.0", + "FixedVersion": "0.23.0", + "Status": "fixed", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-45288", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS", + "Description": "An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.", + "Severity": "MEDIUM", + "VendorSeverity": { + "alma": 3, + "amazon": 2, + "azure": 3, + "bitnami": 3, + "cbl-mariner": 3, + "ghsa": 2, + "oracle-oval": 3, + "photon": 3, + "redhat": 3, + "rocky": 3, + "ubuntu": 2 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2024/04/03/16", + "http://www.openwall.com/lists/oss-security/2024/04/05/4", + "https://access.redhat.com/errata/RHSA-2024:2724", + "https://access.redhat.com/security/cve/CVE-2023-45288", + "https://bugzilla.redhat.com/2268017", + "https://bugzilla.redhat.com/2268018", + "https://bugzilla.redhat.com/2268019", + "https://bugzilla.redhat.com/2268273", + "https://bugzilla.redhat.com/show_bug.cgi?id=2268017", + "https://bugzilla.redhat.com/show_bug.cgi?id=2268018", + "https://bugzilla.redhat.com/show_bug.cgi?id=2268019", + "https://bugzilla.redhat.com/show_bug.cgi?id=2268273", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45288", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45289", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45290", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24783", + "https://errata.almalinux.org/9/ALSA-2024-2724.html", + "https://errata.rockylinux.org/RLSA-2024:2724", + "https://go.dev/cl/576155", + "https://go.dev/issue/65051", + "https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M", + "https://kb.cert.org/vuls/id/421644", + "https://linux.oracle.com/cve/CVE-2023-45288.html", + "https://linux.oracle.com/errata/ELSA-2024-3346.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/", + "https://nowotarski.info/http2-continuation-flood-technical-details", + "https://nowotarski.info/http2-continuation-flood/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-45288", + "https://pkg.go.dev/vuln/GO-2024-2687", + "https://security.netapp.com/advisory/ntap-20240419-0009", + "https://security.netapp.com/advisory/ntap-20240419-0009/", + "https://ubuntu.com/security/notices/USN-6886-1", + "https://ubuntu.com/security/notices/USN-7109-1", + "https://ubuntu.com/security/notices/USN-7111-1", + "https://www.cve.org/CVERecord?id=CVE-2023-45288", + "https://www.kb.cert.org/vuls/id/421644" + ], + "PublishedDate": "2024-04-04T21:15:16.113Z", + "LastModifiedDate": "2024-11-21T08:26:42.38Z" + }, + { + "VulnerabilityID": "CVE-2025-22870", + "PkgID": "golang.org/x/net@v0.7.0", + "PkgName": "golang.org/x/net", + "PkgIdentifier": { + "PURL": "pkg:golang/golang.org/x/net@v0.7.0", + "UID": "5046a7e208675ed5" + }, + "InstalledVersion": "v0.7.0", + "FixedVersion": "0.36.0", + "Status": "fixed", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-22870", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "golang.org/x/net/proxy: golang.org/x/net/http/httpproxy: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net", + "Description": "Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to \"*.example.com\", a request to \"[::1%25.example.com]:80` will incorrectly match and not be proxied.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-115" + ], + "VendorSeverity": { + "amazon": 2, + "azure": 2, + "cbl-mariner": 2, + "ghsa": 2, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L", + "V3Score": 4.4 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L", + "V3Score": 4.4 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2025/03/07/2", + "https://access.redhat.com/security/cve/CVE-2025-22870", + "https://github.com/golang/go/issues/71984", + "https://go-review.googlesource.com/q/project:net", + "https://go.dev/cl/654697", + "https://go.dev/issue/71984", + "https://groups.google.com/g/golang-announce/c/4t3lzH3I0eI/m/b42ImqrBAQAJ", + "https://nvd.nist.gov/vuln/detail/CVE-2025-22870", + "https://pkg.go.dev/vuln/GO-2025-3503", + "https://security.netapp.com/advisory/ntap-20250509-0007", + "https://security.netapp.com/advisory/ntap-20250509-0007/", + "https://ubuntu.com/security/notices/USN-7574-1", + "https://www.cve.org/CVERecord?id=CVE-2025-22870" + ], + "PublishedDate": "2025-03-12T19:15:38.31Z", + "LastModifiedDate": "2025-05-09T20:15:38.727Z" + }, + { + "VulnerabilityID": "CVE-2025-22872", + "PkgID": "golang.org/x/net@v0.7.0", + "PkgName": "golang.org/x/net", + "PkgIdentifier": { + "PURL": "pkg:golang/golang.org/x/net@v0.7.0", + "UID": "5046a7e208675ed5" + }, + "InstalledVersion": "v0.7.0", + "FixedVersion": "0.38.0", + "Status": "fixed", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-22872", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "golang.org/x/net/html: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net", + "Description": "The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. \u003cmath\u003e, \u003csvg\u003e, etc contexts).", + "Severity": "MEDIUM", + "VendorSeverity": { + "amazon": 3, + "azure": 2, + "cbl-mariner": 2, + "ghsa": 2, + "redhat": 2 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L", + "V3Score": 6.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2025-22872", + "https://github.com/advisories/GHSA-vvgc-356p-c3xw", + "https://go.dev/cl/662715", + "https://go.dev/issue/73070", + "https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA", + "https://nvd.nist.gov/vuln/detail/CVE-2025-22872", + "https://pkg.go.dev/vuln/GO-2025-3595", + "https://security.netapp.com/advisory/ntap-20250516-0007", + "https://security.netapp.com/advisory/ntap-20250516-0007/", + "https://www.cve.org/CVERecord?id=CVE-2025-22872" + ], + "PublishedDate": "2025-04-16T18:16:04.183Z", + "LastModifiedDate": "2025-05-16T23:15:19.707Z" + }, + { + "VulnerabilityID": "CVE-2025-22868", + "PkgID": "golang.org/x/oauth2@v0.0.0-20220822191816-0ebed06d0094", + "PkgName": "golang.org/x/oauth2", + "PkgIdentifier": { + "PURL": "pkg:golang/golang.org/x/oauth2@v0.0.0-20220822191816-0ebed06d0094", + "UID": "52f5d91246cc671d" + }, + "InstalledVersion": "v0.0.0-20220822191816-0ebed06d0094", + "FixedVersion": "0.27.0", + "Status": "fixed", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-22868", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws", + "Description": "An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1286" + ], + "VendorSeverity": { + "amazon": 3, + "azure": 3, + "cbl-mariner": 3, + "ghsa": 3, + "redhat": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2025-22868", + "https://go.dev/cl/652155", + "https://go.dev/issue/71490", + "https://nvd.nist.gov/vuln/detail/CVE-2025-22868", + "https://pkg.go.dev/vuln/GO-2025-3488", + "https://www.cve.org/CVERecord?id=CVE-2025-22868" + ], + "PublishedDate": "2025-02-26T08:14:24.897Z", + "LastModifiedDate": "2025-05-01T19:27:10.43Z" + }, + { + "VulnerabilityID": "GHSA-m425-mq94-257g", + "PkgID": "google.golang.org/grpc@v1.49.0", + "PkgName": "google.golang.org/grpc", + "PkgIdentifier": { + "PURL": "pkg:golang/google.golang.org/grpc@v1.49.0", + "UID": "c0fbf4e27609d08e" + }, + "InstalledVersion": "v1.49.0", + "FixedVersion": "1.56.3, 1.57.1, 1.58.3", + "Status": "fixed", + "SeveritySource": "ghsa", + "PrimaryURL": "https://github.com/advisories/GHSA-m425-mq94-257g", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "gRPC-Go HTTP/2 Rapid Reset vulnerability", + "Description": "### Impact\nIn affected releases of gRPC-Go, it is possible for an attacker to send HTTP/2 requests, cancel them, and send subsequent requests, which is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit.\n\n### Patches\nThis vulnerability was addressed by #6703 and has been included in patch releases: 1.56.3, 1.57.1, 1.58.3. It is also included in the latest release, 1.59.0.\n\nAlong with applying the patch, users should also ensure they are using the `grpc.MaxConcurrentStreams` server option to apply a limit to the server's resources used for any single connection.\n\n### Workarounds\nNone.\n\n### References\n#6703\n", + "Severity": "HIGH", + "VendorSeverity": { + "ghsa": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://github.com/grpc/grpc-go", + "https://github.com/grpc/grpc-go/commit/f2180b4d5403d2210b30b93098eb7da31c05c721", + "https://github.com/grpc/grpc-go/pull/6703", + "https://github.com/grpc/grpc-go/security/advisories/GHSA-m425-mq94-257g", + "https://nvd.nist.gov/vuln/detail/CVE-2023-44487" + ], + "PublishedDate": "2023-10-25T21:17:37Z", + "LastModifiedDate": "2024-07-19T16:32:30Z" + }, + { + "VulnerabilityID": "CVE-2023-44487", + "PkgID": "google.golang.org/grpc@v1.49.0", + "PkgName": "google.golang.org/grpc", + "PkgIdentifier": { + "PURL": "pkg:golang/google.golang.org/grpc@v1.49.0", + "UID": "c0fbf4e27609d08e" + }, + "InstalledVersion": "v1.49.0", + "FixedVersion": "1.58.3, 1.57.1, 1.56.3", + "Status": "fixed", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-44487", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)", + "Description": "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-400" + ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "azure": 3, + "bitnami": 3, + "cbl-mariner": 3, + "ghsa": 2, + "nvd": 3, + "oracle-oval": 3, + "photon": 3, + "redhat": 3, + "rocky": 3, + "ubuntu": 3 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2023/10/10/6", + "http://www.openwall.com/lists/oss-security/2023/10/10/7", + "http://www.openwall.com/lists/oss-security/2023/10/13/4", + "http://www.openwall.com/lists/oss-security/2023/10/13/9", + "http://www.openwall.com/lists/oss-security/2023/10/18/4", + "http://www.openwall.com/lists/oss-security/2023/10/18/8", + "http://www.openwall.com/lists/oss-security/2023/10/19/6", + "http://www.openwall.com/lists/oss-security/2023/10/20/8", + "https://access.redhat.com/errata/RHSA-2023:6746", + "https://access.redhat.com/security/cve/CVE-2023-44487", + "https://access.redhat.com/security/cve/cve-2023-44487", + "https://akka.io/security/akka-http-cve-2023-44487.html", + "https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size", + "https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/", + "https://aws.amazon.com/security/security-bulletins/AWS-2023-011", + "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/", + "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack", + "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/", + "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack", + "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/", + "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty", + "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/", + "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack", + "https://blog.vespa.ai/cve-2023-44487", + "https://blog.vespa.ai/cve-2023-44487/", + "https://bugzilla.proxmox.com/show_bug.cgi?id=4988", + "https://bugzilla.redhat.com/2242803", + "https://bugzilla.redhat.com/show_bug.cgi?id=2242803", + "https://bugzilla.suse.com/show_bug.cgi?id=1216123", + "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9", + "https://chaos.social/@icing/111210915918780532", + "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps", + "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/", + "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack", + "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487", + "https://devblogs.microsoft.com/dotnet/october-2023-updates/", + "https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715", + "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve", + "https://errata.almalinux.org/9/ALSA-2023-6746.html", + "https://errata.rockylinux.org/RLSA-2023:5838", + "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764", + "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088", + "https://github.com/Azure/AKS/issues/3947", + "https://github.com/Kong/kong/discussions/11741", + "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", + "https://github.com/advisories/GHSA-vx74-f528-fxqg", + "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p", + "https://github.com/akka/akka-http/issues/4323", + "https://github.com/akka/akka-http/pull/4324", + "https://github.com/akka/akka-http/pull/4325", + "https://github.com/alibaba/tengine/issues/1872", + "https://github.com/apache/apisix/issues/10320", + "https://github.com/apache/httpd-site/pull/10", + "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113", + "https://github.com/apache/tomcat/commit/944332bb15bd2f3bf76ec2caeb1ff0a58a3bc628", + "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2", + "https://github.com/apache/trafficserver/pull/10564", + "https://github.com/apple/swift-nio-http2", + "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-qppj-fm5r-hxr3", + "https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487", + "https://github.com/bcdannyboy/CVE-2023-44487", + "https://github.com/caddyserver/caddy/issues/5877", + "https://github.com/caddyserver/caddy/releases/tag/v2.7.5", + "https://github.com/dotnet/announcements/issues/277", + "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73", + "https://github.com/eclipse/jetty.project/issues/10679", + "https://github.com/envoyproxy/envoy/pull/30055", + "https://github.com/etcd-io/etcd/issues/16740", + "https://github.com/facebook/proxygen/pull/466", + "https://github.com/golang/go/issues/63417", + "https://github.com/grpc/grpc-go/pull/6703", + "https://github.com/grpc/grpc-go/releases", + "https://github.com/grpc/grpc/releases/tag/v1.59.2", + "https://github.com/h2o/h2o/pull/3291", + "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf", + "https://github.com/haproxy/haproxy/issues/2312", + "https://github.com/hyperium/hyper/issues/3337", + "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244", + "https://github.com/junkurihara/rust-rpxy/issues/97", + "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1", + "https://github.com/kazu-yamamoto/http2/issues/93", + "https://github.com/kubernetes/kubernetes/pull/121120", + "https://github.com/line/armeria/pull/5232", + "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632", + "https://github.com/micrictor/http2-rst-stream", + "https://github.com/microsoft/CBL-Mariner/pull/6381", + "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61", + "https://github.com/nghttp2/nghttp2/pull/1961", + "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0", + "https://github.com/ninenines/cowboy/issues/1615", + "https://github.com/nodejs/node/pull/50121", + "https://github.com/openresty/openresty/issues/930", + "https://github.com/opensearch-project/data-prepper/issues/3474", + "https://github.com/oqtane/oqtane.framework/discussions/3367", + "https://github.com/projectcontour/contour/pull/5826", + "https://github.com/tempesta-tech/tempesta/issues/1986", + "https://github.com/varnishcache/varnish-cache/issues/3996", + "https://go.dev/cl/534215", + "https://go.dev/cl/534235", + "https://go.dev/issue/63417", + "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo", + "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ", + "https://istio.io/latest/news/security/istio-security-2023-004", + "https://istio.io/latest/news/security/istio-security-2023-004/", + "https://linkerd.io/2023/10/12/linkerd-cve-2023-44487", + "https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/", + "https://linux.oracle.com/cve/CVE-2023-44487.html", + "https://linux.oracle.com/errata/ELSA-2024-1444.html", + "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html", + "https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html", + "https://lists.debian.org/debian-lts-announce/2023/11/msg00012.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/", + "https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html", + "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html", + "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html", + "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2", + "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487", + "https://my.f5.com/manage/s/article/K000137106", + "https://netty.io/news/2023/10/10/4-1-100-Final.html", + "https://news.ycombinator.com/item?id=37830987", + "https://news.ycombinator.com/item?id=37830998", + "https://news.ycombinator.com/item?id=37831062", + "https://news.ycombinator.com/item?id=37837043", + "https://nodejs.org/en/blog/vulnerability/october-2023-security-releases", + "https://nvd.nist.gov/vuln/detail/CVE-2023-44487", + "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response", + "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/", + "https://pkg.go.dev/vuln/GO-2023-2102", + "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected", + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http2-reset-d8Kf32vZ", + "https://security.gentoo.org/glsa/202311-09", + "https://security.netapp.com/advisory/ntap-20231016-0001", + "https://security.netapp.com/advisory/ntap-20231016-0001/", + "https://security.netapp.com/advisory/ntap-20240426-0007", + "https://security.netapp.com/advisory/ntap-20240426-0007/", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://security.netapp.com/advisory/ntap-20240621-0007", + "https://security.netapp.com/advisory/ntap-20240621-0007/", + "https://security.paloaltonetworks.com/CVE-2023-44487", + "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14", + "https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.0-M12", + "https://tomcat.apache.org/security-8.html", + "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.94", + "https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.81", + "https://ubuntu.com/security/CVE-2023-44487", + "https://ubuntu.com/security/notices/USN-6427-1", + "https://ubuntu.com/security/notices/USN-6427-2", + "https://ubuntu.com/security/notices/USN-6438-1", + "https://ubuntu.com/security/notices/USN-6505-1", + "https://ubuntu.com/security/notices/USN-6574-1", + "https://ubuntu.com/security/notices/USN-6754-1", + "https://ubuntu.com/security/notices/USN-6994-1", + "https://ubuntu.com/security/notices/USN-7067-1", + "https://ubuntu.com/security/notices/USN-7410-1", + "https://ubuntu.com/security/notices/USN-7469-1", + "https://ubuntu.com/security/notices/USN-7469-2", + "https://ubuntu.com/security/notices/USN-7469-3", + "https://ubuntu.com/security/notices/USN-7469-4", + "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records", + "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/", + "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", + "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487", + "https://www.cve.org/CVERecord?id=CVE-2023-44487", + "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event", + "https://www.debian.org/security/2023/dsa-5521", + "https://www.debian.org/security/2023/dsa-5522", + "https://www.debian.org/security/2023/dsa-5540", + "https://www.debian.org/security/2023/dsa-5549", + "https://www.debian.org/security/2023/dsa-5558", + "https://www.debian.org/security/2023/dsa-5570", + "https://www.eclipse.org/lists/jetty-announce/msg00181.html", + "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487", + "https://www.mail-archive.com/haproxy@formilux.org/msg44134.html", + "https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487", + "https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/", + "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products", + "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/", + "https://www.openwall.com/lists/oss-security/2023/10/10/6", + "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack", + "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday", + "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/", + "https://www.vicarius.io/vsociety/posts/rapid-reset-cve-2023-44487-dos-in-http2-understanding-the-root-cause" + ], + "PublishedDate": "2023-10-10T14:15:10.883Z", + "LastModifiedDate": "2025-06-11T17:29:54.137Z" + }, + { + "VulnerabilityID": "CVE-2024-24786", + "PkgID": "google.golang.org/protobuf@v1.28.1", + "PkgName": "google.golang.org/protobuf", + "PkgIdentifier": { + "PURL": "pkg:golang/google.golang.org/protobuf@v1.28.1", + "UID": "3963038e789311e1" + }, + "InstalledVersion": "v1.28.1", + "FixedVersion": "1.33.0", + "Status": "fixed", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-24786", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON", + "Description": "The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.", + "Severity": "MEDIUM", + "VendorSeverity": { + "alma": 2, + "amazon": 2, + "azure": 3, + "cbl-mariner": 3, + "ghsa": 2, + "oracle-oval": 2, + "redhat": 2, + "rocky": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2024/03/08/4", + "https://access.redhat.com/errata/RHSA-2024:2550", + "https://access.redhat.com/security/cve/CVE-2024-24786", + "https://bugzilla.redhat.com/2268046", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24786", + "https://errata.almalinux.org/9/ALSA-2024-2550.html", + "https://errata.rockylinux.org/RLSA-2024:2550", + "https://github.com/protocolbuffers/protobuf-go", + "https://github.com/protocolbuffers/protobuf-go/commit/f01a588e5810b90996452eec4a28f22a0afae023", + "https://github.com/protocolbuffers/protobuf-go/releases/tag/v1.33.0", + "https://go-review.googlesource.com/c/protobuf/+/569356", + "https://go.dev/cl/569356", + "https://groups.google.com/g/golang-announce/c/ArQ6CDgtEjY/", + "https://linux.oracle.com/cve/CVE-2024-24786.html", + "https://linux.oracle.com/errata/ELSA-2024-4246.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU/", + "https://nvd.nist.gov/vuln/detail/CVE-2024-24786", + "https://pkg.go.dev/vuln/GO-2024-2611", + "https://security.netapp.com/advisory/ntap-20240517-0002", + "https://security.netapp.com/advisory/ntap-20240517-0002/", + "https://ubuntu.com/security/notices/USN-6746-1", + "https://ubuntu.com/security/notices/USN-6746-2", + "https://www.cve.org/CVERecord?id=CVE-2024-24786" + ], + "PublishedDate": "2024-03-05T23:15:07.82Z", + "LastModifiedDate": "2024-11-21T08:59:42.117Z" + }, + { + "VulnerabilityID": "CVE-2024-28180", + "PkgID": "gopkg.in/square/go-jose.v2@v2.6.0", + "PkgName": "gopkg.in/square/go-jose.v2", + "PkgIdentifier": { + "PURL": "pkg:golang/gopkg.in/square/go-jose.v2@v2.6.0", + "UID": "99d621f48e8a1b4f" + }, + "InstalledVersion": "v2.6.0", + "Status": "affected", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-28180", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "jose-go: improper handling of highly compressed data", + "Description": "Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-409" + ], + "VendorSeverity": { + "alma": 2, + "amazon": 2, + "azure": 2, + "cbl-mariner": 2, + "ghsa": 2, + "oracle-oval": 2, + "redhat": 2, + "rocky": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 4.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 4.3 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:3827", + "https://access.redhat.com/security/cve/CVE-2024-28180", + "https://bugzilla.redhat.com/2268017", + "https://bugzilla.redhat.com/2268820", + "https://bugzilla.redhat.com/2268854", + "https://bugzilla.redhat.com/show_bug.cgi?id=2268017", + "https://bugzilla.redhat.com/show_bug.cgi?id=2268820", + "https://bugzilla.redhat.com/show_bug.cgi?id=2268854", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45290", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28180", + "https://errata.almalinux.org/9/ALSA-2024-3827.html", + "https://errata.rockylinux.org/RLSA-2024:3827", + "https://github.com/go-jose/go-jose", + "https://github.com/go-jose/go-jose/commit/0dd4dd541c665fb292d664f77604ba694726f298", + "https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451fe4b28a", + "https://github.com/go-jose/go-jose/commit/f4c051a0653d78199a053892f7619ebf96339502", + "https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g", + "https://linux.oracle.com/cve/CVE-2024-28180.html", + "https://linux.oracle.com/errata/ELSA-2024-3968.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GD2GSBQTBLYADASUBHHZV2CZPTSLIPQJ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GD2GSBQTBLYADASUBHHZV2CZPTSLIPQJ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IJ6LAJJ2FTA2JVVOACCV5RZTOIZLXUNJ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IJ6LAJJ2FTA2JVVOACCV5RZTOIZLXUNJ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JNPMXL36YGS3GQEVI3Q5HKHJ7YAAQXL5", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JNPMXL36YGS3GQEVI3Q5HKHJ7YAAQXL5/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MSOMHDKRPU3A2JEMRODT2IREDFBLVPGS", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MSOMHDKRPU3A2JEMRODT2IREDFBLVPGS/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH/", + "https://nvd.nist.gov/vuln/detail/CVE-2024-28180", + "https://www.cve.org/CVERecord?id=CVE-2024-28180" + ], + "PublishedDate": "2024-03-09T01:15:07.34Z", + "LastModifiedDate": "2025-02-13T18:17:48.353Z" + } + ] + } + ] +}