CVE-2024-8062

Summary

A vulnerability in the typeahead endpoint of h2oai/h2o-3 version 3.46.0 allows for a denial of service. The endpoint performs a HEAD request to verify the existence of a specified resource without setting a timeout. An attacker can exploit this by sending multiple requests to an attacker-controlled server that hangs, causing the application to block and become unresponsive to other requests.

Affected Software

VendorProductVersion RangeStatus
h2oaih2oai/h2o-3unspecified <= latestaffected

Weaknesses

  • CWE-1088: CWE-1088 Synchronous Access of Remote Resource without Timeout

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

Additional References

References