org.apache.httpcomponents.core5:httpcore5-h2@5.2.3

  • latest version

    5.4.3

  • latest non vulnerable version

  • first published

    9 years ago

  • latest version published

    13 days ago

  • licenses detected

  • package registry

  • Direct Vulnerabilities

    Known vulnerabilities in the org.apache.httpcomponents.core5:httpcore5-h2 package. This does not include vulnerabilities belonging to this package’s dependencies.

    Fix vulnerabilities automatically

    Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

    Fix for free
    VulnerabilityVulnerable Version
    • H
    Allocation of Resources Without Limits or Throttling

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the HTTP/1.1 message parsing process. An attacker can exhaust system memory by sending messages with an excessive number of headers or excessively long headers.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade org.apache.httpcomponents.core5:httpcore5-h2 to version 5.4.2, 5.5-beta1 or higher.

    [,5.4.2)[5.5-alpha1,5.5-beta1)
    • H
    Allocation of Resources Without Limits or Throttling

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the lack of enforced limits in the HPackDecoder process. An attacker can exhaust system memory by sending oversized compressed header blocks before the HTTP/2 SETTINGS acknowledgement applies the configured header list size limit.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade org.apache.httpcomponents.core5:httpcore5-h2 to version 5.4.2, 5.5-beta1 or higher.

    [,5.4.2)[5.5-alpha1,5.5-beta1)
    • H
    Denial of Service (DoS)

    Affected versions of this package are vulnerable to Denial of Service (DoS) due to incorrect stream accounting in the handling of server-sent stream resets. An attacker can cause excessive server resource consumption by rapidly opening streams and triggering resets using malformed frames or flow control errors, resulting in the server processing an unbounded number of concurrent streams on a single connection.

    How to fix Denial of Service (DoS)?

    Upgrade org.apache.httpcomponents.core5:httpcore5-h2 to version 5.3.5 or higher.

    [,5.3.5)