Security #5926

closed

http2: evasion by splitting header fields over frames

Added by Philippe Antoine almost 2 years ago. Updated 10 months ago.

Status: Closed
Priority: Normal
Target version:
Affected Versions:
Label:
Git IDs: aff54f29f8c3f583ae0524a661aa90dc7a2d3f92
Severity: HIGH
Disclosure Date:

Description

Beginning in a headers frame, and continuing in so-called continuation frames, with reassembly needed to be done...

Then, we need to avoid quadratic complexity of Huffman decoding as golang CVE 2023-1571
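
The reassembly the description refers to, sketched as an added Rust example (not Suricata's code and not part of the original issue): a header value split across a HEADERS frame and a CONTINUATION frame is invisible to per-frame matching and only appears once the fragments are joined. The sample bytes, the header `x-test: blocked-value` and the `MAX_BLOCK` cap are constructed assumptions.

```rust
// Added illustration, not Suricata code. Frame header (RFC 9113): 24-bit length, type,
// flags, 31-bit stream id. Frames are (type, flags, stream id, payload); no padding handled.
const HEADERS: u8 = 0x1;
const CONTINUATION: u8 = 0x9;
const END_HEADERS: u8 = 0x4;
const MAX_BLOCK: usize = 64 * 1024; // assumed cap on one reassembled header block

// Constructed sample: HEADERS (END_HEADERS clear) then CONTINUATION on stream 1, carrying
// the HPACK literal "x-test: blocked-value" (no Huffman) split in the middle of the value.
const WIRE: &[u8] = b"\x00\x00\x0c\x01\x00\x00\x00\x00\x01\x00\x06x-test\x0dblo\
                      \x00\x00\x0a\x09\x04\x00\x00\x00\x01cked-value";

fn parse_frames(mut buf: &[u8]) -> Result<Vec<(u8, u8, u32, &[u8])>, &'static str> {
    let mut out = Vec::new();
    while !buf.is_empty() {
        if buf.len() < 9 { return Err("truncated frame header"); }
        let len = (buf[0] as usize) << 16 | (buf[1] as usize) << 8 | (buf[2] as usize);
        if buf.len() < 9 + len { return Err("truncated frame payload"); }
        let sid = u32::from_be_bytes([buf[5], buf[6], buf[7], buf[8]]) & 0x7fff_ffff;
        out.push((buf[3], buf[4], sid, &buf[9..9 + len]));
        buf = &buf[9 + len..];
    }
    Ok(out)
}

/// Join the fragments of the first HEADERS frame and the CONTINUATION frames that follow it.
fn reassemble(frames: &[(u8, u8, u32, &[u8])]) -> Result<Vec<u8>, &'static str> {
    let mut block = Vec::new();
    let mut open: Option<u32> = None; // stream with an unfinished header block
    for &(ftype, flags, sid, payload) in frames {
        match (ftype, open) {
            (HEADERS, None) => {}
            (CONTINUATION, Some(s)) if s == sid => {}
            (CONTINUATION, _) | (_, Some(_)) => return Err("frame breaks header block sequence"),
            _ => continue, // other frame types outside a header block are skipped
        }
        if block.len() + payload.len() > MAX_BLOCK { return Err("header block too large"); }
        block.extend_from_slice(payload);
        if flags & END_HEADERS != 0 { return Ok(block); }
        open = Some(sid);
    }
    Err("header block never terminated")
}
fn contains(hay: &[u8], needle: &[u8]) -> bool { hay.windows(needle.len()).any(|w| w == needle) }

fn main() {
    let frames = parse_frames(WIRE).unwrap();
    let per_frame = frames.iter().any(|f| contains(f.3, b"blocked-value"));
    let joined = contains(&reassemble(&frames).unwrap(), b"blocked-value");
    println!("per-frame match: {}, reassembled match: {}", per_frame, joined);
}
```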


Files

cont.pcap (2.53 KB) Philippe Antoine, 12/19/2023 08:33 PM

Subtasks 2 (0 open, 2 closed)

Security #6717: http2: evasion by splitting header fields over frames (7.0.x backport) | Closed | Philippe Antoine
Security #6751: http2: evasion by splitting header fields over frames (6.0.x backport) | Closed | Philippe Antoine