CVE-2023-30847: H2O vulnerable to read from uninitialized pointer in the reverse proxy handler

Published Apr 27, 2023
·
Updated

H2O is an HTTP server. In versions 2.3.0-beta2 and prior, when the reverse proxy handler tries to processes a certain type of invalid HTTP request, it tries to build an upstream URL by reading from uninitialized pointer. This behavior can lead to crashes or leak of information to back end HTTP servers. Pull request number 3229 fixes the issue. The pull request has been merged to the `master` branch in commit f010336. Users should upgrade to commit f010336 or later.

Affected Software

3 affected components
Dena H2o<=2.2.6
Dena H2o=2.3.0-beta1
Dena H2o=2.3.0-beta2

Remediation

Patch Available

https://github.com/h2o/h2o/commit/f010336bab162839df43d9e87570897466c97e33

Patch Available

https://github.com/h2o/h2o/security/advisories/GHSA-p5hj-phwj-hrvx

Event History

Apr 27, 2023
CVE Published
via MITRE·02:08 PM
Data Sourced
via MITRE·02:08 PM
DescriptionSeverityWeakness
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the vulnerability ID of this H2O vulnerability?

The vulnerability ID of this H2O vulnerability is CVE-2023-30847.

2

What is the severity of CVE-2023-30847?

The severity of CVE-2023-30847 is high with a CVSS score of 8.2.

3

What is the affected software for CVE-2023-30847?

The affected software for CVE-2023-30847 is H2O version 2.3.0-beta2 and prior.

4

How does CVE-2023-30847 affect H2O?

CVE-2023-30847 in H2O can lead to crashes or information leakage to the back-end HTTP server.

5

Are there any fixes or patches available for CVE-2023-30847?

Yes, fixes for CVE-2023-30847 are available. It is recommended to update to a version that includes the fix.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203