Unititialized memory access in h2o

h2o is an open source http server. In code prior to the `8c0eca3` commit h2o may attempt to access uninitialized memory. When receiving QUIC frames in certain order, HTTP/3 server-side implementation of h2o can be misguided to treat uninitialized memory as HTTP/3 frames that have been received. When h2o is used as a reverse proxy, an attacker can abuse this vulnerability to send internal state of h2o to backend servers controlled by the attacker or third party. Also, if there is an HTTP endpoint that reflects the traffic sent from the client, an attacker can use that reflector to obtain internal state of h2o. This internal state includes traffic of other connections in unencrypted form and TLS session tickets. This vulnerability exists in h2o server with HTTP/3 support, between commit 93af138 and d1f0f65. None of the released versions of h2o are affected by this vulnerability. There are no known workarounds. Users of unreleased versions of h2o using HTTP/3 are advised to upgrade immediately.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H

对未经初始化资源的使用

h2o 安全漏洞

h2o是新一代的 HTTP 服务器。与老一代的 HTTP 服务器相比，它不仅速度非常快，而且还为最终用户提供了更快的响应。 h2o 存在安全漏洞，该漏洞源于当以特定顺序接收 QUIC 帧时，h2o 的 HTTP/3 服务器端实现可能会被误导，将未初始化的内存视为已接收的 HTTP/3 帧。当 h2o 用作反向代理时，攻击者可以利用此漏洞将 h2o 的内部状态发送到攻击者或第三方控制的后端服务器。此外，如果有一个 HTTP 端点反映从客户端发送的流量，攻击者可以使用该反射器获取 h2o 的内部状态。此内部状

N/A

N/A