Vulnerability details: VCID-2sh1-yqq9-aaah
Vulnerability ID VCID-2sh1-yqq9-aaah
Aliases CVE-2024-27983
Summary An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small number of HTTP/2 packets, each containing a few HTTP/2 frames. It is possible to leave some data in nghttp2 memory after a reset when headers with an HTTP/2 CONTINUATION frame are sent to the server and the client then abruptly closes the TCP connection, triggering the Http2Session destructor while header frames are still being processed (and stored in memory), causing a race condition.
Status Published
Exploitability 2.0
Weighted Severity 8.0
Risk 10.0
Weaknesses (1)
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-27983.json
epss 0.00045 https://api.first.org/data/v1/epss?cve=CVE-2024-27983
epss 0.35446 https://api.first.org/data/v1/epss?cve=CVE-2024-27983
epss 0.59194 https://api.first.org/data/v1/epss?cve=CVE-2024-27983
epss 0.66576 https://api.first.org/data/v1/epss?cve=CVE-2024-27983
epss 0.66875 https://api.first.org/data/v1/epss?cve=CVE-2024-27983
epss 0.6865 https://api.first.org/data/v1/epss?cve=CVE-2024-27983
epss 0.69546 https://api.first.org/data/v1/epss?cve=CVE-2024-27983
epss 0.76175 https://api.first.org/data/v1/epss?cve=CVE-2024-27983
epss 0.78197 https://api.first.org/data/v1/epss?cve=CVE-2024-27983
epss 0.80092 https://api.first.org/data/v1/epss?cve=CVE-2024-27983
cvssv3.1 7.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
archlinux High https://security.archlinux.org/AVG-2852
archlinux High https://security.archlinux.org/AVG-2853
archlinux High https://security.archlinux.org/AVG-2854
cvssv3.1 8.2 http://www.openwall.com/lists/oss-security/2024/04/03/16
generic_textual HIGH http://www.openwall.com/lists/oss-security/2024/04/03/16
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-27983.json
https://api.first.org/data/v1/epss?cve=CVE-2024-27983
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27983
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://hackerone.com/reports/2319584
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDECX4BYZLMM4S4LALN4DPZ2HUTTPLKE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YDVFUH7ACZPYB3BS4SVILNOY7NQU73VW/
https://security.netapp.com/advisory/ntap-20240510-0002/
http://www.openwall.com/lists/oss-security/2024/04/03/16
1068347 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068347
2272764 https://bugzilla.redhat.com/show_bug.cgi?id=2272764
AVG-2852 https://security.archlinux.org/AVG-2852
AVG-2853 https://security.archlinux.org/AVG-2853
AVG-2854 https://security.archlinux.org/AVG-2854
CVE-2024-27983 https://nvd.nist.gov/vuln/detail/CVE-2024-27983
GLSA-202505-11 https://security.gentoo.org/glsa/202505-11
RHSA-2024:2778 https://access.redhat.com/errata/RHSA-2024:2778
RHSA-2024:2779 https://access.redhat.com/errata/RHSA-2024:2779
RHSA-2024:2780 https://access.redhat.com/errata/RHSA-2024:2780
RHSA-2024:2853 https://access.redhat.com/errata/RHSA-2024:2853
RHSA-2024:2910 https://access.redhat.com/errata/RHSA-2024:2910
RHSA-2024:2937 https://access.redhat.com/errata/RHSA-2024:2937
RHSA-2024:3472 https://access.redhat.com/errata/RHSA-2024:3472
RHSA-2024:3544 https://access.redhat.com/errata/RHSA-2024:3544
RHSA-2024:3545 https://access.redhat.com/errata/RHSA-2024:3545
RHSA-2024:3553 https://access.redhat.com/errata/RHSA-2024:3553
RHSA-2024:4353 https://access.redhat.com/errata/RHSA-2024:4353
RHSA-2024:4824 https://access.redhat.com/errata/RHSA-2024:4824
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-27983.json
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H Found at http://www.openwall.com/lists/oss-security/2024/04/03/16
Exploit Prediction Scoring System (EPSS)
Percentile 0.16666
EPSS Score 0.00045
Published At Nov. 1, 2024, midnight
Date Actor Action Source VulnerableCode Version
2024-04-23T17:19:14.060612+00:00 NVD Importer Import https://nvd.nist.gov/vuln/detail/CVE-2024-27983 34.0.0rc4