SB2024112151 - Multiple HTTP/2 CONTINUATION frames vulnerabilities in FortiSandbox 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2024112151

SB2024112151 - Multiple HTTP/2 CONTINUATION frames vulnerabilities in FortiSandbox

Published: November 21, 2024 Updated: December 13, 2024

Security Bulletin ID SB2024112151
Severity
Medium
Patch available
YES
Number of vulnerabilities 7
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 86% Low 14%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 7 secuirty vulnerabilities.


1) Resource exhaustion (CVE-ID: CVE-2024-27316)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when handling HTTP/2 requests. A remote attacker can send specially crafted HTTP/2 requests to the server and perform a denial of service (DoS) attack.


2) Input validation error (CVE-ID: CVE-2024-24549)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when handling HTTP/2 requests. A remote attacker can send specially crafted HTTP/2 requests to the server and perform a denial of service (DoS) attack.


3) Resource exhaustion (CVE-ID: CVE-2024-30255)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient limitations placed on the amount of CONTINUATION frames that can be sent within a single HTTP/2 stream. A remote attacker can send specially crafted HTTP/2 requests to the server and perform a denial of service (DoS) attack.

4) Resource exhaustion (CVE-ID: CVE-2023-45288)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient limitations placed on the amount of CONTINUATION frames that can be sent within a single HTTP/2 stream. A remote attacker can send specially crafted HTTP/2 requests to the server and perform a denial of service (DoS) attack.

5) Input validation error (CVE-ID: CVE-2024-28182)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to reading the unbounded number of HTTP/2 CONTINUATION frames. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.


6) Reachable Assertion (CVE-ID: CVE-2024-27983)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a reachable assertion when handling HTTP/2 packets. A remote attacker can send a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside and perform a denial of service (DoS) attack.


7) Resource exhaustion (CVE-ID: CVE-2024-3302)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when handling HTTP/2 CONTINUATION frames. A remote attacker can trick the victim to visit a specially crated website and perform a denial of service (DoS) attack.


Remediation

Install update from vendor's website.

References