Main Vulnerability Database SB2017051221

SB2017051221 - Format string error in h2o.examp1e.net h2o

Published: May 12, 2017 Updated: July 28, 2020

Security Bulletin ID SB2017051221

CSH Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Format string error (CVE-ID: CVE-2016-4864)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

H2O versions 2.0.3 and earlier and 2.1.0-beta2 and earlier allows remote attackers to cause a denial-of-service (DoS) via format string specifiers in a template file via fastcgi, mruby, proxy, redirect or reproxy.

Remediation

Install update from vendor's website.

References

https://github.com/h2o/h2o/issues/1077
https://jvn.jp/en/jp/JVN94779084/index.html