Search for vulnerabilities
Vulnerability details: VCID-7cfb-52z9-aaad
Vulnerability ID VCID-7cfb-52z9-aaad
Aliases CVE-2023-45802
Summary When a HTTP/2 stream was reset (RST frame) by a client, there was a time window were the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that. This was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own test client. During "normal" HTTP/2 use, the probability to hit this bug is very low. The kept memory would not become noticeable before the connection closes or times out. Users are recommended to upgrade to version 2.4.58, which fixes the issue.
Status Published
Exploitability 0.5
Weighted Severity 6.8
Risk 3.4
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-400 Uncontrolled Resource Consumption
CWE-770 Allocation of Resources Without Limits or Throttling
CWE-404 Improper Resource Shutdown or Release
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-45802.json
epss 0.00112 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.00112 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.00112 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.00112 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.00112 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.00112 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.00112 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.00112 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.00112 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.00112 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.00112 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.00159 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.00159 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.00159 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.00159 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.00159 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.0046 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.0046 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.0046 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.0046 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.0046 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.0046 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.0046 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.0046 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.00619 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.00619 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.00619 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.01998 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.01998 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.01998 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.01998 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.01998 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.01998 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.01998 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.01998 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.01998 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.01998 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.01998 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.01998 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.01998 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.01998 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.01998 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.01998 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.01998 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.01998 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.01998 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.01998 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.01998 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.01998 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.01998 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.01998 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.01998 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.01998 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.01998 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.01998 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.01998 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.01998 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.01998 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.01998 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.026 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.026 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.026 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.026 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.026 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.026 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.026 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.026 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.026 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.026 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.026 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.026 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.0267 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.0267 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.0267 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.0267 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.0267 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.0267 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.0267 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.0267 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.0267 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.0267 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.0287 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss 0.04822 https://api.first.org/data/v1/epss?cve=CVE-2023-45802
cvssv3.1 7.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 7.5 https://httpd.apache.org/security/vulnerabilities_24.html
generic_textual HIGH https://httpd.apache.org/security/vulnerabilities_24.html
cvssv3 5.9 https://nvd.nist.gov/vuln/detail/CVE-2023-45802
cvssv3.1 5.9 https://nvd.nist.gov/vuln/detail/CVE-2023-45802
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-45802.json
https://api.first.org/data/v1/epss?cve=CVE-2023-45802
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31122
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38709
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43622
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45802
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24795
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27316
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://httpd.apache.org/security/vulnerabilities_24.html
https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/
https://security.netapp.com/advisory/ntap-20231027-0011/
2243877 https://bugzilla.redhat.com/show_bug.cgi?id=2243877
cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*
CVE-2023-45802 https://httpd.apache.org/security/json/CVE-2023-45802.json
CVE-2023-45802 https://nvd.nist.gov/vuln/detail/CVE-2023-45802
RHSA-2023:7625 https://access.redhat.com/errata/RHSA-2023:7625
RHSA-2023:7626 https://access.redhat.com/errata/RHSA-2023:7626
RHSA-2024:2368 https://access.redhat.com/errata/RHSA-2024:2368
RHSA-2024:2891 https://access.redhat.com/errata/RHSA-2024:2891
RHSA-2024:3121 https://access.redhat.com/errata/RHSA-2024:3121
USN-6506-1 https://usn.ubuntu.com/6506-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-45802.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://httpd.apache.org/security/vulnerabilities_24.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2023-45802
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2023-45802
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.45984
EPSS Score 0.00112
Published At Nov. 24, 2024, midnight
Date Actor Action Source VulnerableCode Version
There are no relevant records.