CVE-2024-27983

Scores

EPSS

0.759medium75.9%

0%20%40%60%80%100%

Percentile: 75.9%

CVSS

7.5high3.x

0246810

CVSS Score: 7.5/10

All CVSS Scores

CVSS 3.x

7.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.

Scaner-VS 7 — a modern vulnerability management solution

Uses this database for vulnerability detection. High-speed search, cross-platform, advanced configuration audit, and flexible filtering. Suitable for organizations of any size.

Learn more about Scaner-VS 7

Sources

anchore_overridesastradebianredhatubuntu

CWEs

CWE-362CWE-400

Related Vulnerabilities

BDU:2024-02689 ROS-20240425-03

Exploits

Exploit ID: CVE-2024-27983

Source: github-poc

URL: https://github.com/lirantal/CVE-2024-27983-nodejs-http2

Vulnerable Software (19)

Type: Configuration

Operating System:

Trait:

{  "children": [    {      "cpe_match": [        {          "cpe23uri": "cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*",          "versionEndExcluding": "21.7.2",          "versionStartIncluding": "...

{  "children": [    {      "cpe_match": [        {          "cpe23uri": "cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*",          "versionEndExcluding": "21.7.2",          "versionStartIncluding": "21"        },        {          "cpe23uri": "cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*",          "versionEndExcluding": "20.12.1",          "versionStartIncluding": "19"        },        {          "cpe23uri": "cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*",          "versionEndExcluding": "18.20.1"        }      ],      "negate": false,      "operator": "OR"    }  ],  "operator": "OR"}

Source: anchore_overrides

Type: Configuration

Product: nodejs

Operating System: rhel

Trait:

{  "fixed": "20-8090020240422150739.a75119d5"}

Source: redhat

Type: Configuration

Product: nodejs

Operating System: rhel

Trait:

{  "fixed": "18-8090020240429131734.a75119d5"}

Source: redhat

Type: Configuration

Product: nodejs

Operating System: rhel

Trait:

{  "fixed": "16-8060020240515105144.ad008a3a"}

Source: redhat

Type: Configuration

Product: nodejs

Operating System: rhel

Trait:

{  "fixed": "16-8060020240515105144.ad008a3a"}

Source: redhat

Type: Configuration

Product: nodejs

Operating System: rhel

Trait:

{  "fixed": "16-8060020240515105144.ad008a3a"}

Source: redhat

Type: Configuration

Product: nodejs

Operating System: rhel

Trait:

{  "fixed": "16-8080020240510090838.63b34585"}

Source: redhat

Type: Configuration

Product: nodejs

Operating System: rhel

Trait:

{  "fixed": "18-8080020240621122004.63b34585"}

Source: redhat

Type: Configuration

Product: nodejs

Operating System: rhel

Trait:

{  "fixed": "18-9040020240422140329.rhel9"}

Source: redhat

Type: Configuration

Product: nodejs

Operating System: rhel

Trait:

{  "fixed": "20-9040020240419140200.rhel9"}

Source: redhat

Russian Vulnerability Scanner Database

CVE-2024-27983

Scores

EPSS

CVSS

All CVSS Scores

Vector Breakdown

CVSS

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact

Description

Scaner-VS 7 — a modern vulnerability management solution

Sources

CWEs

Related Vulnerabilities

Exploits

Vulnerable Software (19)