Uncontrolled Resource Consumption in tempesta
CVE-2024-2758
- tempesta
Summary
As part of a class of vulnerabilities known as "HTTP/2 CONTINUATION Flood," an attacker can exploit the HTTP/2 protocol's CONTINUATION frame handling in certain implementations to cause a Denial-of-Service (DoS) attack by forcing an HTTP/2 endpoint to process and decode arbitrary amounts of header data. Tempesta FW rate limits are not enabled by default, which makes it vulnerable. They are either set too large to capture empty "CONTINUATION" frames attacks or too small to handle normal HTTP requests appropriately. This issue affects tempesta versions prior to 0.7.1.
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- NONE
- HIGH
CWE-400 - Uncontrolled resource consumption
An uncontrolled resource allocation attack (also known as resource exhaustion attack) triggers unauthorized overconsumption of the limited resources in an application, such as memory, file system storage, database connection pool entries, and CPU. This may lead to denial of service for valid users and degradation of the application's functionality as well as that of the host operating system.
References
Advisory Timeline
- Published
