CVE-2024-28182

Name
CVE-2024-28182
Description
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Before version 1.61.0, the nghttp2 library keeps reading an unbounded number of HTTP/2 CONTINUATION frames even after the stream they belong to has been reset, because it must still decode the header block to keep the HPACK context in sync with the peer. A peer can therefore send an endless sequence of CONTINUATION frames and force the server to spend excessive CPU time decoding the HPACK stream. nghttp2 v1.61.0 mitigates this by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability other than upgrading to 1.61.0 or later.
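The mechanism described above, as an added example that is not nghttp2's own code: a small C frame scanner that parses raw HTTP/2 frame headers (RFC 7540 section 4.1), tracks the currently open header block, and bounds the number of CONTINUATION frames per block. The point of the check is that the counter keeps running even after the local side has decided to reset the stream and is only draining the remaining frames to keep the HPACK decoder in sync, which is exactly where the pre-1.61.0 code kept reading without a bound. The limit of 8, the "reset the stream once the block exceeds N bytes" rule, and the helper names (h2_scan, h2_put_frame, h2_build_flood) are assumptions made for this example; a max_continuations of 0 models the old unbounded behaviour. The flood input is constructed inline.

```c
/* Added example (not nghttp2's code): bound CONTINUATION frames per header
 * block, counting them whether or not the stream has already been reset. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define H2_HDR_LEN          9     /* fixed frame header: len(24) type(8) flags(8) sid(32) */
#define H2_HEADERS          0x1
#define H2_CONTINUATION     0x9
#define H2_FLAG_END_HEADERS 0x4

enum h2_verdict { H2_OK, H2_TRUNCATED, H2_PROTOCOL_ERROR, H2_CONTINUATION_FLOOD };

struct h2_policy {
    unsigned max_continuations; /* 0 = unlimited, i.e. the pre-1.61.0 behaviour (assumed model) */
    size_t   reset_block_bytes; /* assumed rule: reset the stream once a block exceeds this many bytes */
};

struct h2_result {
    enum h2_verdict verdict;
    unsigned frames;        /* frames fully parsed before stopping */
    unsigned continuations; /* CONTINUATION frames seen in the most recent header block */
    int      stream_reset;  /* local reset happened while that block was still open */
};

static uint32_t be24(const uint8_t *p) { return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2]; }
static uint32_t be32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }

/* Scan a byte buffer of back-to-back HTTP/2 frames. A header block left open at
 * the end of the buffer is reported as H2_OK, since more data may follow. */
struct h2_result h2_scan(const uint8_t *buf, size_t n, const struct h2_policy *pol)
{
    struct h2_result r = { H2_OK, 0, 0, 0 };
    uint32_t open_stream = 0;   /* stream whose header block is still open, 0 if none */
    size_t   block_bytes = 0;
    size_t   off = 0;

    while (off < n) {
        if (n - off < H2_HDR_LEN) { r.verdict = H2_TRUNCATED; return r; }
        uint32_t len   = be24(buf + off);
        uint8_t  type  = buf[off + 3];
        uint8_t  flags = buf[off + 4];
        uint32_t sid   = be32(buf + off + 5) & 0x7fffffffu;  /* drop the reserved bit */
        if (n - off - H2_HDR_LEN < len) { r.verdict = H2_TRUNCATED; return r; }
        off += H2_HDR_LEN + len;
        r.frames++;

        if (open_stream == 0) {
            /* CONTINUATION without a preceding HEADERS is a connection error. */
            if (type == H2_CONTINUATION) { r.verdict = H2_PROTOCOL_ERROR; return r; }
            if (type == H2_HEADERS && !(flags & H2_FLAG_END_HEADERS)) {
                open_stream = sid; block_bytes = len; r.continuations = 0; r.stream_reset = 0;
            }
            continue;
        }
        /* Block open: RFC 7540 section 6.10 allows only CONTINUATION on the same stream. */
        if (type != H2_CONTINUATION || sid != open_stream) { r.verdict = H2_PROTOCOL_ERROR; return r; }
        r.continuations++;
        block_bytes += len;
        if (pol->reset_block_bytes && block_bytes > pol->reset_block_bytes)
            r.stream_reset = 1;  /* we would send RST_STREAM, but must keep draining for HPACK sync */
        /* The CVE-2024-28182 lesson: apply the bound regardless of stream_reset. */
        if (pol->max_continuations && r.continuations > pol->max_continuations) {
            r.verdict = H2_CONTINUATION_FLOOD; return r;
        }
        if (flags & H2_FLAG_END_HEADERS) open_stream = 0;
    }
    return r;
}

/* Write one frame header plus `len` zero payload bytes; returns bytes written. */
size_t h2_put_frame(uint8_t *out, uint8_t type, uint8_t flags, uint32_t sid, uint32_t len)
{
    out[0] = (uint8_t)(len >> 16); out[1] = (uint8_t)(len >> 8); out[2] = (uint8_t)len;
    out[3] = type; out[4] = flags;
    out[5] = (uint8_t)(sid >> 24); out[6] = (uint8_t)(sid >> 16);
    out[7] = (uint8_t)(sid >> 8);  out[8] = (uint8_t)sid;
    memset(out + H2_HDR_LEN, 0, len);
    return H2_HDR_LEN + len;
}

/* Constructed flood: HEADERS without END_HEADERS, then `count` CONTINUATION
 * frames of `payload` bytes each, none of which ends the block. */
size_t h2_build_flood(uint8_t *out, size_t cap, uint32_t sid, unsigned count, uint32_t payload)
{
    size_t off = 0;
    if (cap < (size_t)(count + 1) * (H2_HDR_LEN + payload)) return 0;
    off += h2_put_frame(out + off, H2_HEADERS, 0, sid, payload);
    for (unsigned i = 0; i < count; i++)
        off += h2_put_frame(out + off, H2_CONTINUATION, 0, sid, payload);
    return off;
}

int main(void)
{
    enum { COUNT = 10000, PAYLOAD = 16 };
    size_t cap = (size_t)(COUNT + 1) * (H2_HDR_LEN + PAYLOAD);
    uint8_t *buf = malloc(cap);
    size_t n = h2_build_flood(buf, cap, 1, COUNT, PAYLOAD);
    struct h2_policy unlimited = { 0, 64 }, bounded = { 8, 64 };
    struct h2_result a = h2_scan(buf, n, &unlimited);
    struct h2_result b = h2_scan(buf, n, &bounded);
    printf("unlimited: verdict=%d frames=%u continuations=%u reset=%d\n",
           a.verdict, a.frames, a.continuations, a.stream_reset);
    printf("bounded:   verdict=%d frames=%u continuations=%u reset=%d\n",
           b.verdict, b.frames, b.continuations, b.stream_reset);
    free(buf);
    return 0;
}
```

With the unlimited policy the scanner happily parses all 10001 frames of the constructed flood (the stream was "reset" after the fourth CONTINUATION, yet draining continues without bound, which is the CPU-burning behaviour the advisory describes); with max_continuations set to 8 it stops at the ninth CONTINUATION even though the stream had already been reset.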
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://github.com/nghttp2/nghttp2/commit/00201ecd8f982da3b67d4f6868af72a1b03b14e0
MISC https://github.com/nghttp2/nghttp2/commit/d71a4668c6bead55805d18810d633fbb98315af9
CONFIRM https://github.com/nghttp2/nghttp2/security/advisories/GHSA-x6x3-gv8h-m57q
security-advisories@github.com https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AGOME6ZXJG7664IPQNVE3DL67E3YP3HY/
security-advisories@github.com https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J6ZMXUGB66VAXDW5J6QSTHM5ET25FGSA/
security-advisories@github.com https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXJO2EASHM2OQQLGVDY5ZSO7UVDVHTDK/
security-advisories@github.com https://lists.debian.org/debian-lts-announce/2024/04/msg00026.html
security-advisories@github.com http://www.openwall.com/lists/oss-security/2024/04/03/16

Match rules

CPE URI | Source package | Min version | Max version
        | nghttp2        | >= 0        | < 1.61.0

Vulnerable and fixed packages

Source package | Branch    | Version   | Maintainer                                   | Status
nghttp2        | 3.19-main | 1.58.0-r0 | Francesco Colista <fcolista@alpinelinux.org> | possibly vulnerable
nghttp2        | 3.18-main | 1.57.0-r0 | Francesco Colista <fcolista@alpinelinux.org> | possibly vulnerable
nghttp2        | 3.17-main | 1.51.0-r2 | Francesco Colista <fcolista@alpinelinux.org> | possibly vulnerable