ALPINE-CVE-2023-43622
Advisory lineage Upstream: 1 Downstream: 0
Upstream
Published: 23 Oct 2023, 07:15
Last modified:03 Dec 2025, 22:53
Vulnerability Summary
Overall Risk (default)
medium
30/100 CVSS Score
7.5 HIGH
3.1 (osv_alpine)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
23 Oct 2023, 07:15
Published
Vulnerability first disclosed
03 Dec 2025, 22:53
Last Modified
Vulnerability information updated
Description
An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known "slow loris" attack pattern. This has been fixed in version 2.4.58, so that such connection are terminated properly after the configured connection timeout. This issue affects Apache HTTP Server: from 2.4.55 through 2.4.57. Users are recommended to upgrade to version 2.4.58, which fixes the issue.
CVSS Metrics
- v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Systems
- alpine•apache2
< 2.4.58-r0 | < 2.4.58-r0 | < 2.4.58-r0 | < 2.4.58-r0 | < 2.4.58-r0 | < 2.4.58-r0 | < 2.4.58-r0 | < 2.4.58-r0 | < 2.4.58-r0