CVE-2023-44487

Disclosure Date: October 10, 2023
Exploited in the Wild

Description

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

CVSS V3 Severity and Metrics
Base Score: 7.5 High
Impact Score: 3.6
Exploitability Score: 3.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

General Information

Vendors

  • akka,
  • amazon,
  • apache,
  • apple,
  • caddyserver,
  • cisco,
  • debian,
  • dena,
  • eclipse,
  • envoyproxy,
  • f5,
  • facebook,
  • fedoraproject,
  • golang,
  • grpc,
  • ietf,
  • istio,
  • jenkins,
  • kazu-yamamoto,
  • konghq,
  • linecorp,
  • linkerd,
  • microsoft,
  • netapp,
  • netty,
  • nghttp2,
  • nodejs,
  • openresty,
  • projectcontour,
  • redhat,
  • traefik,
  • varnish cache project

Products

  • .net,
  • 3scale api management platform 2.0,
  • advanced cluster management for kubernetes 2.0,
  • advanced cluster security 3.0,
  • advanced cluster security 4.0,
  • ansible automation platform 2.0,
  • apisix,
  • armeria,
  • asp.net core,
  • astra control center -,
  • azure kubernetes service,
  • big-ip access policy manager,
  • big-ip access policy manager 17.1.0,
  • big-ip advanced firewall manager,
  • big-ip advanced firewall manager 17.1.0,
  • big-ip advanced web application firewall,
  • big-ip advanced web application firewall 17.1.0,
  • big-ip analytics,
  • big-ip analytics 17.1.0,
  • big-ip application acceleration manager,
  • big-ip application acceleration manager 17.1.0,
  • big-ip application security manager,
  • big-ip application security manager 17.1.0,
  • big-ip application visibility and reporting,
  • big-ip application visibility and reporting 17.1.0,
  • big-ip carrier-grade nat,
  • big-ip carrier-grade nat 17.1.0,
  • big-ip ddos hybrid defender,
  • big-ip ddos hybrid defender 17.1.0,
  • big-ip domain name system,
  • big-ip domain name system 17.1.0,
  • big-ip fraud protection service,
  • big-ip fraud protection service 17.1.0,
  • big-ip global traffic manager,
  • big-ip global traffic manager 17.1.0,
  • big-ip link controller,
  • big-ip link controller 17.1.0,
  • big-ip local traffic manager,
  • big-ip local traffic manager 17.1.0,
  • big-ip next 20.0.1,
  • big-ip next service proxy for kubernetes,
  • big-ip policy enforcement manager,
  • big-ip policy enforcement manager 17.1.0,
  • big-ip ssl orchestrator,
  • big-ip ssl orchestrator 17.1.0,
  • big-ip webaccelerator,
  • big-ip webaccelerator 17.1.0,
  • big-ip websafe,
  • big-ip websafe 17.1.0,
  • build of optaplanner 8.0,
  • build of quarkus -,
  • caddy,
  • cbl-mariner,
  • ceph storage 5.0,
  • cert-manager operator for red hat openshift -,
  • certification for red hat enterprise linux 8.0,
  • certification for red hat enterprise linux 9.0,
  • connected mobile experiences,
  • contour,
  • cost management -,
  • crosswork data gateway,
  • crosswork data gateway 5.0,
  • crosswork zero touch provisioning,
  • cryostat 2.0,
  • data center network manager -,
  • debian linux 10.0,
  • debian linux 11.0,
  • debian linux 12.0,
  • decision manager 7.0,
  • enterprise chat and email -,
  • enterprise linux 6.0,
  • enterprise linux 8.0,
  • enterprise linux 9.0,
  • envoy 1.24.10,
  • envoy 1.25.9,
  • envoy 1.26.4,
  • envoy 1.27.0,
  • expressway,
  • fedora 37,
  • fedora 38,
  • fence agents remediation operator -,
  • firepower threat defense,
  • fog director,
  • go,
  • grpc,
  • grpc 1.57.0,
  • h2o,
  • http 2.0,
  • http server,
  • http2,
  • integration camel for spring boot -,
  • integration camel k -,
  • integration service registry -,
  • ios xe,
  • ios xr,
  • iot field network director,
  • istio,
  • jboss a-mq 7,
  • jboss a-mq streams -,
  • jboss core services -,
  • jboss data grid 7.0.0,
  • jboss enterprise application platform 6.0.0,
  • jboss enterprise application platform 7.0.0,
  • jboss fuse 6.0.0,
  • jboss fuse 7.0.0,
  • jenkins,
  • jetty,
  • kong gateway,
  • linkerd,
  • linkerd 2.13.0,
  • linkerd 2.13.1,
  • linkerd 2.14.0,
  • linkerd 2.14.1,
  • logging subsystem for red hat openshift -,
  • machine deletion remediation operator -,
  • migration toolkit for applications 6.0,
  • migration toolkit for containers -,
  • migration toolkit for virtualization -,
  • netty,
  • network observability operator -,
  • networking,
  • nghttp2,
  • nginx,
  • nginx ingress controller,
  • nginx plus,
  • nginx plus r29,
  • nginx plus r30,
  • node healthcheck operator -,
  • node maintenance operator -,
  • node.js,
  • nx-os,
  • openresty,
  • opensearch data prepper,
  • openshift -,
  • openshift api for data protection -,
  • openshift container platform 4.0,
  • openshift container platform assisted installer -,
  • openshift data science -,
  • openshift dev spaces -,
  • openshift developer tools and services -,
  • openshift distributed tracing -,
  • openshift gitops -,
  • openshift pipelines -,
  • openshift sandboxed containers -,
  • openshift secondary scheduler operator -,
  • openshift serverless -,
  • openshift service mesh 2.0,
  • openshift virtualization 4,
  • openstack platform 16.1,
  • openstack platform 16.2,
  • openstack platform 17.1,
  • prime access registrar,
  • prime cable provisioning,
  • prime infrastructure,
  • prime network registrar,
  • process automation 7.0,
  • proxygen,
  • quay 3.0.0,
  • run once duration override operator -,
  • satellite 6.0,
  • secure dynamic attributes connector,
  • secure malware analytics,
  • secure web appliance firmware,
  • self node remediation operator -,
  • service interconnect 1.0,
  • service telemetry framework 1.5,
  • single sign-on 7.0,
  • solr,
  • support for spring boot -,
  • swiftnio http/2,
  • telepresence video communication server,
  • tomcat,
  • tomcat 11.0.0,
  • traefik,
  • traefik 3.0.0,
  • traffic server,
  • ultra cloud core - policy control function,
  • ultra cloud core - policy control function 2024.01.0,
  • ultra cloud core - serving gateway function,
  • ultra cloud core - session management function,
  • unified attendant console advanced -,
  • unified contact center domain manager -,
  • unified contact center enterprise -,
  • unified contact center enterprise - live data server,
  • unified contact center management portal -,
  • varnish cache,
  • visual studio 2022,
  • web terminal -,
  • windows 10 1607,
  • windows 10 1809,
  • windows 10 21h2,
  • windows 10 22h2,
  • windows 11 21h2,
  • windows 11 22h2,
  • windows server 2016 -,
  • windows server 2019 -,
  • windows server 2022 -
