VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-byqk-ch43-6fde

Essentials
Severities (17)
References (24)
Severity details (4)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-byqk-ch43-6fde
Aliases	CVE-2023-45802
Summary	When a HTTP/2 stream was reset (RST frame) by a client, there was a time window were the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that. This was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own test client. During "normal" HTTP/2 use, the probability to hit this bug is very low. The kept memory would not become noticeable before the connection closes or times out. Users are recommended to upgrade to version 2.4.58, which fixes the issue.
Status	Published
Exploitability	0.5
Weighted Severity	6.8
Risk	3.4
Affected and Fixed Packages	Package Details

Weaknesses (2)

CWE-400	Uncontrolled Resource Consumption
CWE-404	Improper Resource Shutdown or Release

System	Score	Found at
cvssv3	7.5	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-45802.json
epss	0.0064	https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss	0.0064	https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss	0.0064	https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss	0.02757	https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss	0.02757	https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss	0.02757	https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss	0.02757	https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss	0.02757	https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss	0.02757	https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss	0.02757	https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss	0.02757	https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss	0.02757	https://api.first.org/data/v1/epss?cve=CVE-2023-45802
epss	0.02832	https://api.first.org/data/v1/epss?cve=CVE-2023-45802
cvssv3.1	7.5	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
ssvc	Track	https://httpd.apache.org/security/vulnerabilities_24.html
cvssv3.1	5.9	https://nvd.nist.gov/vuln/detail/CVE-2023-45802

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-45802.json
		https://api.first.org/data/v1/epss?cve=CVE-2023-45802
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31122
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38709
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43622
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45802
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24795
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27316
		https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
		https://httpd.apache.org/security/vulnerabilities_24.html
2243877		https://bugzilla.redhat.com/show_bug.cgi?id=2243877
cpe:2.3:a:apache:http_server::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:http_server::::::::
cpe:2.3:o:debian:debian_linux:10.0:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:10.0:::::::*
cpe:2.3:o:fedoraproject:fedora:37:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:37:::::::*
cpe:2.3:o:fedoraproject:fedora:38:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:38:::::::*
cpe:2.3:o:fedoraproject:fedora:39:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:39:::::::*
CVE-2023-45802		https://httpd.apache.org/security/json/CVE-2023-45802.json
CVE-2023-45802		https://nvd.nist.gov/vuln/detail/CVE-2023-45802
RHSA-2023:7625		https://access.redhat.com/errata/RHSA-2023:7625
RHSA-2023:7626		https://access.redhat.com/errata/RHSA-2023:7626
RHSA-2024:2368		https://access.redhat.com/errata/RHSA-2024:2368
RHSA-2024:2891		https://access.redhat.com/errata/RHSA-2024:2891
RHSA-2024:3121		https://access.redhat.com/errata/RHSA-2024:3121
USN-6506-1		https://usn.ubuntu.com/6506-1/

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-45802.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-12T18:03:47Z/ Found at https://httpd.apache.org/security/vulnerabilities_24.html

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2023-45802

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.6976
EPSS Score	0.0064
Published At	Aug. 1, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2025-07-31T08:29:09.743564+00:00	Apache HTTPD Importer	Import	https://httpd.apache.org/security/json/CVE-2023-45802.json	37.0.0