CVE-2023-44487

Description

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

How to fix CVE-2023-44487

To remediate CVE-2023-44487, upgrade the affected package to a fixed version below.

Alpine/lighttpd—upgrade to 1.4.73-r0 or later
—upgrade to 1.46.0-r2 or later
—upgrade to 1.20.2-r2 or later
—upgrade to 0 or later
—upgrade to 7.3.2-r0 or later
—upgrade to 3.6.1 or later
—upgrade to 6.0.23 or later
—upgrade to 1.24.6 or later
—upgrade to 6.0.23 or later
—upgrade to 6.0.23 or later
—upgrade to 1.24.12 or later
—upgrade to 1.20.10 or later
—upgrade to 2.414.3 or later
—upgrade to 3.4.2 or later
—upgrade to 1.25.3 or later
—upgrade to 1.25.3 or later
—upgrade to 1.9.3 or later
—upgrade to 18.18.2 or later
—upgrade to 18.18.2 or later
—upgrade to 9.4.0 or later
—upgrade to 8.5.94 or later
—upgrade to 6.0.12 or later
—no fix listed
—no fix listed
—upgrade to 2.2.5+dfsg2-2+deb10u2 or later
—no fix listed
—upgrade to 1.8.13-1 or later
—upgrade to 9.4.50-4+deb11u1 or later
—upgrade to 1:4.1.33-1+deb10u4 or later
—upgrade to 1:4.1.48-4+deb11u2 or later
—upgrade to 1.43.0-1+deb11u1 or later
—upgrade to 1.43.0-1+deb11u1 or later
—no fix listed
—upgrade to 10.1.6-1+deb12u1 or later
—upgrade to 9.0.43-2~deb11u7 or later
—upgrade to 8.1.9+ds-1~deb11u1 or later
—no fix listed
—upgrade to 1.57.0 or later
—upgrade to 0.17.0 or later
—upgrade to 1.56.3 or later
—upgrade to 10.5.3 or later
—no fix listed
—upgrade to 10.5.3 or later
—upgrade to 10.5.3 or later
—upgrade to 4.1.100.Final or later
—upgrade to 11.0.0-M12 or later
—upgrade to 11.0.0-M12 or later
—upgrade to 9.4.53 or later
—upgrade to 9.4.53 or later
—upgrade to 12.0.2 or later
—upgrade to 12.0.2 or later

Is CVE-2023-44487 being exploited?

Yes — CVE-2023-44487 is on the CISA Known Exploited Vulnerabilities (KEV) catalog. Patch immediately.

Affected packages (51)

from 0, < 1.4.73-r0
from 0, < 1.46.0-r2
from 0, < 1.20.2-r2
from 0, < 0
from 0, < 7.3.2-r0
from 0, < 3.6.1
>= 6.0.0, < 6.0.23, >= 7.0.0, < 7.0.12
from 0, < 1.24.6
>= 6.0.0, < 6.0.23, >= 7.0.0, < 7.0.12
>= 6.0.0, < 6.0.23, >= 7.0.0, < 7.0.12
from 0, < 1.24.12, >= 1.25.0, < 1.25.11, >= 1.26.0, < 1.26.6, >= 1.27.0, < 1.27.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:A
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H

Description

How to fix CVE-2023-44487

Is CVE-2023-44487 being exploited?

Affected packages (51)

CVSS scores

References (266)