CVE-2023-44487 — HTTP/2 Rapid Reset Attack Vulnerability

2023-10-10 • CISA Known Exploited Vulnerability

[event] HTTP/2 contains a rapid reset vulnerability that allows for a distributed denial-of-service attack (DDoS).

> AFFECTED SOFTWARE

Field	Value
Vendor	IETF
Product	HTTP/2
CWE	CWE-400
CVE ID	CVE-2023-44487
Date Added	2023-10-10
Due Date	2023-10-31
Ransomware Campaign	Unknown

> MITIGATION

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Due Date: 2023-10-31

> REFERENCES

[1] https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerabili...
[2] https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
[3] https://nvd.nist.gov/vuln/detail/CVE-2023-44487