CVE-2023-41337

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-41337
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-41337.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-41337
Aliases
  • GHSA-5v5r-rghf-rm6q
Related
Published
2023-12-12T20:15:07Z
Modified
2024-10-20T04:51:06.259826Z
Severity
  • 6.7 (Medium) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N CVSS Calculator
Summary
[none]
Details

h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. In version 2.3.0-beta2 and prior, when h2o is configured to listen to multiple addresses or ports with each of them using different backend servers managed by multiple entities, a malicious backend entity that also has the opportunity to observe or inject packets exchanged between the client and h2o may misdirect HTTPS requests going to other backends and observe the contents of that HTTPS request being sent.

The attack involves a victim client trying to resume a TLS connection and an attacker redirecting the packets to a different address or port than that intended by the client. The attacker must already have been configured by the administrator of h2o to act as a backend to one of the addresses or ports that the h2o instance listens to. Session IDs and tickets generated by h2o are not bound to information specific to the server address, port, or the X.509 certificate, and therefore it is possible for an attacker to force the victim connection to wrongfully resume against a different server address or port on which the same h2o instance is listening.

Once a TLS session is misdirected to resume to a server address / port that is configured to use an attacker-controlled server as the backend, depending on the configuration, HTTPS requests from the victim client may be forwarded to the attacker's server.

An H2O instance is vulnerable to this attack only if the instance is configured to listen to different addresses or ports using the listen directive at the host level and the instance is configured to connect to backend servers managed by multiple entities.

A patch is available at commit 35760540337a47e5150da0f4a66a609fad2ef0ab. As a workaround, one may stop using using host-level listen directives in favor of global-level ones.

References

Affected packages

Debian:11 / h2o

Package

Name
h2o
Purl
pkg:deb/debian/h2o?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.2.5+dfsg2-6
2.2.5+dfsg2-6.1
2.2.5+dfsg2-6.2
2.2.5+dfsg2-7
2.2.5+dfsg2-8
2.2.5+dfsg2-8.1~exp1
2.2.5+dfsg2-8.1
2.2.5+dfsg2-9

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / h2o

Package

Name
h2o
Purl
pkg:deb/debian/h2o?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.2.5+dfsg2-7
2.2.5+dfsg2-8
2.2.5+dfsg2-8.1~exp1
2.2.5+dfsg2-8.1
2.2.5+dfsg2-9

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / h2o

Package

Name
h2o
Purl
pkg:deb/debian/h2o?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.2.5+dfsg2-7
2.2.5+dfsg2-8
2.2.5+dfsg2-8.1~exp1
2.2.5+dfsg2-8.1
2.2.5+dfsg2-9

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/h2o/h2o

Affected ranges

Type
GIT
Repo
https://github.com/h2o/h2o
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v0.*

v0.9.0
v0.9.1
v0.9.2

v1.*

v1.0.0
v1.0.1
v1.1.0
v1.1.1
v1.2.0
v1.3.0
v1.3.0-beta1
v1.3.1
v1.4.0
v1.4.1
v1.4.2
v1.5.0
v1.5.0-beta1
v1.5.0-beta2
v1.5.0-beta3
v1.5.0-beta4
v1.5.1
v1.5.2
v1.5.3
v1.6.0
v1.6.0-beta1
v1.6.0-beta2
v1.7.0
v1.7.0-beta1
v1.7.0-beta2
v1.7.0-beta3
v1.7.0-beta4
v1.7.0-beta5

v2.*

v2.1.0-beta1
v2.1.0-beta2
v2.1.0-beta3
v2.2.0
v2.2.0-beta1
v2.2.0-beta2
v2.2.0-beta3