{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-43622", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2023-09-20T07:45:21.299Z", "datePublished": "2023-10-23T06:50:51.555Z", "dateUpdated": "2025-02-13T17:13:24.282Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache HTTP Server", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "2.4.57", "status": "affected", "version": "2.4.55", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Prof. Sven Dietrich (City University of New York)"}, {"lang": "en", "type": "finder", "value": "Isa Jafarov (City University of New York)"}, {"lang": "en", "type": "finder", "value": "Prof. Heejo Lee (Korea University)"}, {"lang": "en", "type": "finder", "value": "Choongin Lee (Korea University)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known \"slow loris\" attack pattern.<br><p>This has been fixed in version 2.4.58, so that such connection are terminated properly after the configured connection timeout.</p><p>This issue affects Apache HTTP Server: from 2.4.55 through 2.4.57.</p><p>Users are recommended to upgrade to version 2.4.58, which fixes the issue.</p>"}], "value": "An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known \"slow loris\" attack pattern.\nThis has been fixed in version 2.4.58, so that such connection are terminated properly after the configured connection timeout.\n\nThis issue affects Apache HTTP Server: from 2.4.55 through 2.4.57.\n\nUsers are recommended to upgrade to version 2.4.58, which fixes the issue."}], "metrics": [{"other": {"content": {"text": "low"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-10-27T14:06:25.665Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}, {"url": "https://security.netapp.com/advisory/ntap-20231027-0011/"}], "source": {"discovery": "EXTERNAL"}, "timeline": [{"lang": "en", "time": "2023-09-15T09:51:00.000Z", "value": "reported"}], "title": "Apache HTTP Server: DoS in HTTP/2 with initial windows size 0", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:44:43.773Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}, {"url": "https://security.netapp.com/advisory/ntap-20231027-0011/", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-11T16:02:28.689513Z", "id": "CVE-2023-43622", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-17T14:19:24.281Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://httpd.apache.org/security/vulnerabilities_24.html", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20231027-0011/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:44:43.773Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-43622", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-11T16:02:28.689513Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-17T14:19:20.544Z"}}], "cna": {"title": "Apache HTTP Server: DoS in HTTP/2 with initial windows size 0", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Prof. Sven Dietrich (City University of New York)"}, {"lang": "en", "type": "finder", "value": "Isa Jafarov (City University of New York)"}, {"lang": "en", "type": "finder", "value": "Prof. Heejo Lee (Korea University)"}, {"lang": "en", "type": "finder", "value": "Choongin Lee (Korea University)"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "low"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache HTTP Server", "versions": [{"status": "affected", "version": "2.4.55", "versionType": "semver", "lessThanOrEqual": "2.4.57"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2023-09-15T09:51:00.000Z", "value": "reported"}], "references": [{"url": "https://httpd.apache.org/security/vulnerabilities_24.html", "tags": ["vendor-advisory"]}, {"url": "https://security.netapp.com/advisory/ntap-20231027-0011/"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known \"slow loris\" attack pattern.\nThis has been fixed in version 2.4.58, so that such connection are terminated properly after the configured connection timeout.\n\nThis issue affects Apache HTTP Server: from 2.4.55 through 2.4.57.\n\nUsers are recommended to upgrade to version 2.4.58, which fixes the issue.\n\n", "supportingMedia": [{"type": "text/html", "value": "An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known \"slow loris\" attack pattern.<br><p>This has been fixed in version 2.4.58, so that such connection are terminated properly after the configured connection timeout.</p><p>This issue affects Apache HTTP Server: from 2.4.55 through 2.4.57.</p><p>Users are recommended to upgrade to version 2.4.58, which fixes the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-10-23T06:50:51.555Z"}}}, "cveMetadata": {"cveId": "CVE-2023-43622", "state": "PUBLISHED", "dateUpdated": "2024-09-17T14:19:24.281Z", "dateReserved": "2023-09-20T07:45:21.299Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2023-10-23T06:50:51.555Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "F9F28355-B47B-463B-862A-E493D0743CC9", "versionEndExcluding": "2.4.58", "versionStartIncluding": "2.4.55", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known \"slow loris\" attack pattern.\nThis has been fixed in version 2.4.58, so that such connection are terminated properly after the configured connection timeout.\n\nThis issue affects Apache HTTP Server: from 2.4.55 through 2.4.57.\n\nUsers are recommended to upgrade to version 2.4.58, which fixes the issue."}, {"lang": "es", "value": "Un atacante, al abrir una conexi\u00f3n HTTP/2 con un tama\u00f1o de ventana inicial de 0, pudo bloquear el manejo de esa conexi\u00f3n indefinidamente en el servidor HTTP Apache. Esto podr\u00eda usarse para agotar los recursos de los trabajadores en el servidor, similar al conocido patr\u00f3n de ataque \"slow loris\". Esto se solucion\u00f3 en la versi\u00f3n 2.4.58, de modo que dicha conexi\u00f3n finalice correctamente despu\u00e9s del tiempo de espera de conexi\u00f3n configurado. Este problema afecta al servidor HTTP Apache: desde 2.4.55 hasta 2.4.57. Se recomienda a los usuarios actualizar a la versi\u00f3n 2.4.58, que soluciona el problema."}], "id": "CVE-2023-43622", "lastModified": "2025-02-13T17:17:13.110", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-10-23T07:15:11.243", "references": [{"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20231027-0011/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20231027-0011/"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security@apache.org", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:2368", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "mod_http2-0:2.0.26-1.el9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-04-30T00:00:00Z"}], "bugzilla": {"description": "httpd: mod_http2: DoS in HTTP/2 with initial window size 0", "id": "2245153", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2245153"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known \"slow loris\" attack pattern.\nThis has been fixed in version 2.4.58, so that such connection are terminated properly after the configured connection timeout.\nThis issue affects Apache HTTP Server: from 2.4.55 through 2.4.57.\nUsers are recommended to upgrade to version 2.4.58, which fixes the issue.", "A flaw was found in the mod_http2 module of httpd. This flaw allows an attacker opening an HTTP/2 connection with an initial window size of 0 to block handling of that connection indefinitely. This vulnerability can exhaust worker resources in the server, similar to the well-known \"slow loris\" attack pattern."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2023-43622", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "httpd:2.4/mod_http2", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:jboss_core_services:1", "fix_state": "Not affected", "package_name": "mod_http2", "product_name": "Red Hat JBoss Core Services"}], "public_date": "2023-10-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-43622\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-43622\nhttps://httpd.apache.org/security/vulnerabilities_24.html#CVE-2023-43622"], "statement": "This flaw only affects configurations with mod_http2 loaded and being used. Also, if there is no HTTP2 server configured, the httpd server is not affected and no further mitigation is needed.\nThe httpd mod_http2 module is enabled by default on Red Hat Enterprise Linux 8 and 9 via the mod_http2 package. However, there is no HTTP2 server configured by default.", "threat_severity": "Moderate", "upstream_fix": "mod_http2 2.0.23"}