CVE-2023-43622

Advisory lineage Upstream: 0 Downstream: 8

Downstream

ALPINE-CVE-2023-43622 DEBIAN-CVE-2023-43622 DSA-5662-1 MGASA-2023-0304 OPENSUSE-SU-2024:13350-1 RHSA-2024:2368

Modified

Published: 23 Oct 2023, 06:50

Last modified:13 Feb 2025, 17:13

Vulnerability Summary

Overall Risk (default)

medium

42/100

CVSS Score

7.5 HIGH

v3.1 (nvd)

EPSS Score

59.54% CRITICAL

60% probability +0.48%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

23 Oct 2023, 06:50

Published

Vulnerability first disclosed

13 Feb 2025, 17:13

Last Modified

Vulnerability information updated

Description

An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known "slow loris" attack pattern. This has been fixed in version 2.4.58, so that such connection are terminated properly after the configured connection timeout. This issue affects Apache HTTP Server: from 2.4.55 through 2.4.57. Users are recommended to upgrade to version 2.4.58, which fixes the issue.

CVSS Metrics

v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 59.54%• Percentile: 98%

Techniques & Countermeasures

CWE-400•Uncontrolled Resource Consumption
The product does not properly control the allocation and maintenance of a limited resource.

Affected Systems

apache software foundation•apache http server
≥ 2.4.55, ≤ 2.4.57
Unknown•HTTP Server
≥ 2.4.55, < 2.4.58