FreshPorts - VuXML
This page displays vulnerability information about FreeBSD Ports.
The VUXML data was last processed by FreshPorts on 2024-05-09 05:46:40 UTC
These are the vulnerabilities relating to the commit you have selected:
VuXML ID: c092be0e-f7cc-11ee-aa6b-b42e991fc52e
Description: forgejo -- HTTP/2 CONTINUATION flood in net/http
security@golang.org reports:
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts
of header data by sending an excessive number of CONTINUATION frames.
Maintaining HPACK state requires parsing and processing all HEADERS
and CONTINUATION frames on a connection. When a request's
headers exceed MaxHeaderBytes, no memory is allocated to store the
excess headers, but they are still parsed. This permits an attacker
to cause an HTTP/2 endpoint to read arbitrary amounts of header
data, all associated with a request which is going to be rejected.
These headers can include Huffman-encoded data which is significantly
more expensive for the receiver to decode than for an attacker to
send. The fix sets a limit on the amount of excess header frames
we will process before closing a connection.
Discovery: 2024-04-04
Entry: 2024-04-11
Affected: forgejo < 1.21.8
CVE: CVE-2023-45288
Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-45288