CVE-2023-44487

CVE Database · CVE-2023-44487

CVE-2023-44487

· HIGHAnalyzed

CVSS v3.1

7.5

EPSS

100.00%

Published

Oct 10, 2023

Modified

May 12, 2026

CISA Known Exploited Vulnerability

Added: 2023-10-10 · Due: 2023-10-31

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Public PoC / Exploit (10)

All weaponized →

Exploit-DBHTTP/2 2.0 - Denial Of Service (DOS)TrickestTrickest PoC index GitHub PoCbcdannyboy/CVE-2023-44487★245 GitHub PoCsecengjeff/rapidresetclient★75 GitHub PoCAppsynergy-io/CVE-2023-44487★55 GitHub PoCstudiogangster/CVE-2023-44487★21 GitHub PoCnxenon/cve-2023-44487★14 GitHub PoCthreatlabindonesia/CVE-2023-44487-HTTP-2-Rapid-Reset-Exploit-PoC★8 GitHub PoCndrscodes/http2-rst-stream-attacker★6 GitHub PoCReToCode/golang-CVE-2023-44487★2

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weaknesses (CWE)

CWE-400

Affected Products (464)

siemens · simatic_s7-1500_cpu_1518f-4_pn\/dp_mfp_firmwarevulnerable

siemens · simatic_s7-1500_cpu_1518f-4_pn\/dp_mfp

siemens · sinec_ins (up to 1.0)vulnerable

siemens · sinec_insvulnerable

siemens · sinec_nms (up to 3.0)vulnerable

siemens · st7_scadaconnect (up to 1.1)

References (20)

http://www.openwall.com/lists/oss-security/2023/10/10/6

Mailing ListThird Party Advisory

http://www.openwall.com/lists/oss-security/2023/10/10/7

Mailing ListThird Party Advisory

http://www.openwall.com/lists/oss-security/2023/10/13/4

Mailing ListThird Party Advisory

http://www.openwall.com/lists/oss-security/2023/10/13/9

Mailing ListThird Party Advisory

http://www.openwall.com/lists/oss-security/2023/10/18/4

Mailing ListThird Party Advisory

KEV Catalog EPSS Scores Vendors All CVEs

siemens · ruggedcom_ape1808_firmwarevulnerable

siemens · ruggedcom_ape1808

siemens · simatic_s7-1500_cpu_1518-4_pn\/dp_mfp_firmwarevulnerable

siemens · simatic_s7-1500_cpu_1518-4_pn\/dp

siemens · siplus_s7-1500_cpu_1518-4_pn\/dp_mfp_firmwarevulnerable

siemens · siplus_s7-1500_cpu_1518-4_pn\/dp_mfp

ietf · httpvulnerable

nghttp2 · nghttp2 (up to 1.57.0)vulnerable

netty · netty (up to 4.1.100)vulnerable

envoyproxy · envoyvulnerable

eclipse · jetty (up to 9.4.53)vulnerable

eclipse · jetty (up to 10.0.17)vulnerable

eclipse · jetty (up to 11.0.17)vulnerable

eclipse · jetty (up to 12.0.2)vulnerable

caddyserver · caddy (up to 2.7.5)vulnerable

golang · go (up to 1.20.10)vulnerable

golang · go (up to 1.21.3)vulnerable

golang · http2 (up to 0.17.0)vulnerable

golang · networking (up to 0.17.0)vulnerable

f5 · big-ip_access_policy_managervulnerable

f5 · big-ip_advanced_firewall_managervulnerable

f5 · big-ip_advanced_web_application_firewallvulnerable

f5 · big-ip_analyticsvulnerable

Mailing ListThird Party Advisory

https://bugzilla.proxmox.com/show_bug.cgi?id=4988

Issue TrackingThird Party Advisory