Null Pointer deref on WebSocket over HTTP/2 upgrade in Jetty
CVE-2024-36387 Published on July 1, 2024
Apache HTTP Server: DoS by Null pointer in websocket over HTTP/2
Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance.
Vulnerability Analysis
CVE-2024-36387 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity and availability.
Timeline
fixed in r1918003 in trunk
Weakness Type
NULL Pointer Dereference
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. NULL pointer dereference issues can occur through a number of flaws, including race conditions, and simple programming omissions.
Products Associated with CVE-2024-36387
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2024-36387 are published in these products:
Affected Versions
Apache Software Foundation Apache HTTP Server:- Version 2.4.55, <= 2.4.59 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.