oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2024-36387: Apache HTTP Server: DoS by Null pointer in websocket over HTTP/2

From: Eric Covener <covener () apache org>
Date: Mon, 01 Jul 2024 12:40:54 +0000
Severity: low

Affected versions:

- Apache HTTP Server 2.4.55 through 2.4.59

Description:

Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a 
crash of the server process, degrading performance.

Credit:

Marc Stern (<marc.stern approach.be>) (finder)

References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-36387

Timeline:

2024-05-27: fixed in r1918003 in trunk
Previous By Date Next
Previous By Thread Next

Current thread: