Vulnerability Description
lib/http2/connection.c in H2O before 1.7.3 and 2.x before 2.0.0-beta5 mishandles HTTP/2 disconnection, which allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly execute arbitrary code via a crafted packet.
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| DeNA | H2O | <= 1.7.2 |
| DeNA | H2O | 2.x before 2.0.0-beta5 |
References
- http://jvn.jp/en/jp/JVN87859762/index.html (Vendor Advisory)
- http://jvndb.jvn.jp/jvndb/JVNDB-2016-000091 (Vendor Advisory)
- https://github.com/h2o/h2o/commit/1c0808d580da09fdec5a9a74ff09e103ea058dd4 (Fix commit)
- https://github.com/h2o/h2o/pull/920 (Vendor Advisory)
FAQ
What is CVE-2016-4817?
CVE-2016-4817 is a vulnerability with a CVSS score of 7.5 (HIGH). lib/http2/connection.c in H2O before 1.7.3 and 2.x before 2.0.0-beta5 mishandles HTTP/2 disconnection, which allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly execute arbitrary code via a crafted packet.
How severe is CVE-2016-4817?
CVE-2016-4817 has been rated HIGH with a CVSS base score of 7.5/10. Only the base score and rating are listed here; the vector and metric breakdown are not. The rating reflects that the bug is reachable by an unauthenticated remote client sending a crafted packet over HTTP/2, and that a use-after-free can mean more than a crash.
Is there a patch for CVE-2016-4817?
Yes. The issue is fixed in H2O 1.7.3 and 2.0.0-beta5; the fix is commit 1c0808d580da09fdec5a9a74ff09e103ea058dd4 (pull request 920), linked in the references above together with the JVN advisories. Affected product: DeNA H2O.
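The two affected ranges (everything before 1.7.3, and 2.x before 2.0.0-beta5) are awkward to check by eye because the 2.x fix is a pre-release tag: 2.0.0-beta4 is vulnerable, 2.0.0-beta5 and 2.0.0 are not. The script below is an added example, not part of the advisory or of the H2O project: it orders H2O version strings so that pre-release tags sort before the final release, classifies a version against the ranges above, and optionally runs a local binary. The banner format it parses (a `major.minor.patch` number somewhere in the output of `h2o --version`, e.g. `h2o version 2.2.6`) is an assumption.

```python
import re
import subprocess

# Fixed releases named in the advisory for each affected line.
FIXED_1X = "1.7.3"
FIXED_2X = "2.0.0-beta5"

# major.minor.patch with an optional pre-release tag such as -beta4 or -rc1.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)(\d+))?")


def parse_version(text):
    """Return a comparable tuple for the first H2O version number in `text`.

    Pre-release tags sort before the final release of the same number, so
    2.0.0-beta4 < 2.0.0-beta5 < 2.0.0.  Returns None if no version is found.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4):
        # (0, tag, n): a pre-release; tags compare alphabetically (alpha < beta < rc)
        pre = (0, m.group(4).lower(), int(m.group(5)))
    else:
        # (1, "", 0): a final release outranks every pre-release of the same number
        pre = (1, "", 0)
    return (major, minor, patch, pre)


def is_vulnerable(version_string):
    """True if the version falls inside CVE-2016-4817's affected ranges."""
    v = parse_version(version_string)
    if v is None:
        raise ValueError("no version number found in %r" % version_string)
    if v[0] <= 1:
        return v < parse_version(FIXED_1X)   # "H2O before 1.7.3"
    if v[0] == 2:
        return v < parse_version(FIXED_2X)   # "2.x before 2.0.0-beta5"
    return False                              # 3.x and later are outside the advisory


def check_local_binary(path="h2o"):
    """Run `h2o --version` and classify the banner.

    Returns (banner_first_line, vulnerable).  Assumes the binary prints its
    version number to stdout or stderr; that format is not stated in the advisory.
    """
    proc = subprocess.run([path, "--version"], capture_output=True, text=True, check=False)
    banner = (proc.stdout + proc.stderr).strip()
    first_line = banner.splitlines()[0] if banner else ""
    return first_line, is_vulnerable(banner)


if __name__ == "__main__":
    try:
        line, vuln = check_local_binary()
        print("%s -> %s" % (line, "VULNERABLE (CVE-2016-4817)" if vuln else "not affected"))
    except FileNotFoundError:
        print("h2o binary not found on PATH")
```

Run it on the host serving HTTP/2, or feed `is_vulnerable()` the version strings collected from your inventory. Note that a distribution package may carry a backported fix under an older version number, so a "VULNERABLE" result from the version string alone should be confirmed against the package changelog or the presence of the fix commit.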