{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2023-35945","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2023-06-20T14:02:45.597Z","datePublished":"2023-07-13T20:41:15.690Z","dateUpdated":"2024-10-31T16:24:53.808Z"},"containers":{"cna":{"title":"Envoy vulnerable to HTTP/2 memory leak in nghttp2 codec","problemTypes":[{"descriptions":[{"cweId":"CWE-400","lang":"en","description":"CWE-400: Uncontrolled Resource Consumption","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}}],"references":[{"name":"https://github.com/envoyproxy/envoy/security/advisories/GHSA-jfxv-29pc-x22r","tags":["x_refsource_CONFIRM"],"url":"https://github.com/envoyproxy/envoy/security/advisories/GHSA-jfxv-29pc-x22r"},{"name":"https://github.com/nghttp2/nghttp2/blob/e7f59406556c80904b81b593d38508591bb7523a/lib/nghttp2_session.c#L3346","tags":["x_refsource_MISC"],"url":"https://github.com/nghttp2/nghttp2/blob/e7f59406556c80904b81b593d38508591bb7523a/lib/nghttp2_session.c#L3346"}],"affected":[{"vendor":"envoyproxy","product":"envoy","versions":[{"version":">= 1.26.0, < 1.26.3","status":"affected"},{"version":">= 1.25.0, < 1.25.8","status":"affected"},{"version":">= 1.24.0, < 1.24.9","status":"affected"},{"version":">= 1.23.0, < 1.23.11","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2023-07-13T20:41:15.690Z"},"descriptions":[{"lang":"en","value":"Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy’s HTTP/2 codec may leak a header map and bookkeeping structures upon receiving `RST_STREAM` immediately followed by the `GOAWAY` frames from an upstream server. In nghttp2, cleanup of pending requests due to receipt of the `GOAWAY` frame skips de-allocation of the bookkeeping structure and pending compressed header. The error return [code path] is taken if connection is already marked for not sending more requests due to `GOAWAY` frame. The clean-up code is right after the return statement, causing memory leak. Denial of service through memory exhaustion. This vulnerability was patched in versions(s) 1.26.3, 1.25.8, 1.24.9, 1.23.11."}],"source":{"advisory":"GHSA-jfxv-29pc-x22r","discovery":"UNKNOWN"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T16:37:40.544Z"},"title":"CVE Program Container","references":[{"name":"https://github.com/envoyproxy/envoy/security/advisories/GHSA-jfxv-29pc-x22r","tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://github.com/envoyproxy/envoy/security/advisories/GHSA-jfxv-29pc-x22r"},{"name":"https://github.com/nghttp2/nghttp2/blob/e7f59406556c80904b81b593d38508591bb7523a/lib/nghttp2_session.c#L3346","tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/nghttp2/nghttp2/blob/e7f59406556c80904b81b593d38508591bb7523a/lib/nghttp2_session.c#L3346"}]},{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-10-31T16:24:45.853511Z","id":"CVE-2023-35945","options":[{"Exploitation":"poc"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-10-31T16:24:53.808Z"}}]}}