CVE-2023-44487

Updated: 2025-04-21 16:34:26.764585

Description:

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.



Severity

                   Severity   Score
CVSS Version 2.x              0
CVSS Version 3.x   HIGH       7.5

Known exploits

Added Date:   2023-10-10
Description:  HTTP/2 contains a rapid reset vulnerability that allows for a distributed denial-of-service attack (DDoS).
Due Date:     2023-10-31
Notes:        This vulnerability affects a common open-source component, third-party library, or protocol used by different products. For more information, please see: HTTP/2 Rapid Reset Vulnerability, CVE-2023-44487 | CISA:
              https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487
              https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
              https://nvd.nist.gov/vuln/detail/CVE-2023-44487

Status

OS name             Project name   Version   Score   Severity   Status           Errata                   Last updated           Statement

AlmaLinux 9.2 ESU   nginx          1.20.1    7.5     HIGH       Already Fixed                             2025-03-20 03:51:24
AlmaLinux 9.2 ESU   tomcat         9.0.62    7.5     HIGH       Already Fixed                             2025-01-17 01:23:37
AlmaLinux 9.2 ESU   mysql          8.0.32    7.5     HIGH       In Testing                                2025-04-23 06:46:19
AlmaLinux 9.2 ESU   httpd          2.4.53    7.5     HIGH       Not Vulnerable                            2024-06-20 05:58:18
AlmaLinux 9.2 ESU   haproxy        2.4.17    7.5     HIGH       Not Vulnerable                            2024-12-19 02:38:04
CentOS 6 ELS        mysql          5.1.73    7.5     HIGH       Not Vulnerable                            2025-04-25 03:49:26
CentOS 6 ELS        httpd          2.2.15    7.5     HIGH       Not Vulnerable                            2023-10-17 09:28:55
CentOS 6 ELS        haproxy        1.5.18    7.5     HIGH       Ignored                                   2023-10-19 09:29:07
CentOS 6 ELS        nginx          1.10.3    7.5     HIGH       Released         CLSA-2023:1698101447     2023-11-06 04:09:29
CentOS 6 ELS        tomcat6        6.0.24    7.5     HIGH       Ignored                                   2023-10-19 09:29:03
Total: 51