CVE-2024-28182

CVE Details

Release Date:

2024-04-03

Description

nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.

See more information about CVE-2024-28182 from MITRE CVE dictionary and NIST NVD

CVSS v3.0 metrics

NOTE: The following CVSS v3.0 metrics and score provided are preliminary and subject to review.

Base Score:	5.3	Base Metrics:	AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Access Vector:	Network	Attack Complexity:	Low
Privileges Required:	None	User Interaction:	None
Scope:	Unchanged	Confidentiality Impact:	None
Integrity Impact:	None	Availability Impact:	Low

Errata information

Platform	Errata	Release Date
Oracle Linux version 8 (nodejs)	ELSA-2024-2778	2024-05-09
Oracle Linux version 8 (nodejs)	ELSA-2024-2780	2024-05-10
Oracle Linux version 8 (nodejs-nodemon)	ELSA-2024-2778	2024-05-09
Oracle Linux version 8 (nodejs-nodemon)	ELSA-2024-2780	2024-05-10
Oracle Linux version 8 (nodejs-packaging)	ELSA-2024-2778	2024-05-09
Oracle Linux version 8 (nodejs-packaging)	ELSA-2024-2780	2024-05-10
Oracle Linux version 9 (nodejs)	ELSA-2024-2779	2024-05-14
Oracle Linux version 9 (nodejs)	ELSA-2024-2853	2024-05-16
Oracle Linux version 9 (nodejs-nodemon)	ELSA-2024-2779	2024-05-14
Oracle Linux version 9 (nodejs-nodemon)	ELSA-2024-2853	2024-05-16
Oracle Linux version 9 (nodejs-packaging)	ELSA-2024-2779	2024-05-14
Oracle Linux version 9 (nodejs-packaging)	ELSA-2024-2853	2024-05-16

This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team