The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| github.com/apple/swift-nio-http2 (SwiftURL) | 0 | 1.28.0 | N/A |
| golang.org/x/net (Go) | 0 | 0.17.0 | N/A |
| org.apache.tomcat:tomcat-coyote (Maven) | 11.0.0-M1 | 11.0.0-M12 | N/A |
| org.apache.tomcat:tomcat-coyote (Maven) | 10.0.0 | 10.1.14 | N/A |
| org.apache.tomcat:tomcat-coyote (Maven) | 9.0.0 | 9.0.81 | N/A |
| org.apache.tomcat:tomcat-coyote (Maven) | 8.5.0 | 8.5.94 | N/A |
| org.apache.tomcat.embed:tomcat-embed-core (Maven) | 11.0.0-M1 | 11.0.0-M12 | N/A |
| org.apache.tomcat.embed:tomcat-embed-core (Maven) | 10.0.0 | 10.1.14 | N/A |
| org.apache.tomcat.embed:tomcat-embed-core (Maven) | 9.0.0 | 9.0.81 | N/A |
| org.apache.tomcat.embed:tomcat-embed-core (Maven) | 8.5.0 | 8.5.94 | N/A |
| org.eclipse.jetty.http2:http2-common (Maven) | 9.3.0 | 9.4.53 | N/A |
| org.eclipse.jetty.http2:http2-common (Maven) | 10.0.0 | 10.0.17 | N/A |
| org.eclipse.jetty.http2:http2-common (Maven) | 11.0.0 | 11.0.17 | N/A |
| org.eclipse.jetty.http2:http2-server (Maven) | 9.3.0 | 9.4.53 | N/A |
| org.eclipse.jetty.http2:http2-server (Maven) | 10.0.0 | 10.0.17 | N/A |
| org.eclipse.jetty.http2:http2-server (Maven) | 11.0.0 | 11.0.17 | N/A |
| org.eclipse.jetty.http2:jetty-http2-common (Maven) | 12.0.0 | 12.0.2 | N/A |
| org.eclipse.jetty.http2:jetty-http2-server (Maven) | 12.0.0 | 12.0.2 | N/A |
| com.typesafe.akka:akka-http-core (Maven) | 0 | 10.5.3 | N/A |
| com.typesafe.akka:akka-http-core_2.13 (Maven) | 0 | 10.5.3 | N/A |
| com.typesafe.akka:akka-http-core_2.12 (Maven) | 0 | 10.5.3 | N/A |
| com.typesafe.akka:akka-http-core_2.11 (Maven) | 0 | N/A | N/A |

CVSS Metrics