Improper Verification of Cryptographic Signature Affecting h2o/h2o package, versions [0,]


Severity: medium

CVSS 3.1 assessment made by Snyk's Security Team.

Threat Intelligence

Exploit Maturity: Not Defined
EPSS: 0.04% (12th percentile)

  • Snyk ID: SNYK-UNMANAGED-H2OH2O-6125594
  • published: 14 Dec 2023
  • disclosed: 12 Dec 2023
  • credit: Unknown

Introduced: 12 Dec 2023

CVE-2023-41337
CWE-347

How to fix?

A fix has been merged into the master branch but has not yet been included in a published release. Until a release containing the fix is available, apply the workaround below.

Overview

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature when H2O is configured to listen on multiple addresses or ports, each of which proxies to a different backend server. An attacker who operates one of those backends, and who can also observe or inject packets between a client and the server, can misdirect a client's HTTPS requests that were intended for another backend to the attacker's own backend and read their contents. The attack works by redirecting a client that is resuming a TLS session to an address or port other than the one it intended; the attacker must already be configured as a backend of the server.

Notes:

An H2O instance is vulnerable to this attack only if all of the following conditions are met:

  1. The instance is configured to listen on different addresses or ports using the listen directive at the host level (inside a hosts entry) rather than at the global level.
  2. The backend servers the instance proxies to are managed by multiple entities, so that at least one backend operator must not be trusted with traffic destined for the others.

Workaround

This vulnerability can be mitigated by stopping the use of host-level listen directives in favor of global-level ones. With a global listen directive every listener serves every host, and H2O selects the host (and therefore the backend) from the name the client asked for rather than from the socket the connection arrived on, so redirecting a connection to another address or port no longer changes which backend receives the request.
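The two conditions listed under Notes and the workaround above, shown as an added configuration example that is not from the Snyk page or the H2O project. Hostnames, ports, certificate paths and backend URLs are placeholders. The first YAML document is the vulnerable layout (host-level listen on different ports, each host proxied to a backend run by a different party); the second is the mitigated layout with a single global listen and backends selected by hostname.

```yaml
# Added example, not H2O's own configuration. All names, ports, paths
# and URLs below are placeholders.
#
# Document 1: VULNERABLE layout.
# Each host has its own listen directive on a different port, so the
# host, and with it the backend, is chosen by the socket a connection
# arrives on. backend-a and backend-b are assumed to be operated by
# different parties, which satisfies both conditions from the advisory.
hosts:
  "a.example.com:443":
    listen:
      host: 0.0.0.0
      port: 443
      ssl:
        certificate-file: /etc/h2o/a.example.com.crt
        key-file: /etc/h2o/a.example.com.key
    paths:
      "/":
        proxy.reverse.url: "http://backend-a.internal:8080/"
  "b.example.com:8443":
    listen:
      host: 0.0.0.0
      port: 8443
      ssl:
        certificate-file: /etc/h2o/b.example.com.crt
        key-file: /etc/h2o/b.example.com.key
    paths:
      "/":
        proxy.reverse.url: "http://backend-b.internal:8080/"
---
# Document 2: MITIGATED layout (the advisory's workaround).
# listen is global, so the single listener serves every host and H2O
# picks the host from the name the client requested (SNI / Host header).
# A connection redirected to a different address or port is therefore
# not routed to a different backend. The certificate is assumed to
# cover both hostnames.
listen:
  host: 0.0.0.0
  port: 443
  ssl:
    certificate-file: /etc/h2o/example.com.crt
    key-file: /etc/h2o/example.com.key
hosts:
  "a.example.com":
    paths:
      "/":
        proxy.reverse.url: "http://backend-a.internal:8080/"
  "b.example.com":
    paths:
      "/":
        proxy.reverse.url: "http://backend-b.internal:8080/"
```

When auditing an existing h2o.conf, the thing to look for is a listen key nested under an entry of hosts whose host or port differs from that of another host's listen, combined with proxy.reverse.url targets that belong to different operators; if both are present, move the listen block to the top level as in the second document.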
