CVE-2023-44487 HTTP/2 DoS. Analysis of vulnerability
Activity
Craig McNally November 2, 2023 at 3:32 PM
This is an HTTP/2 issue; therefore, only Okapi and edge modules can be affected.
That means that all of the backend modules listed in the description are not affected. The edge modules however are.
TODO: update the description accordingly and create issues for the edge modules which are affected.
Julian Ladisch November 1, 2023 at 11:22 PM
This is an HTTP/2 issue; therefore, only Okapi and edge modules can be affected.
Julian Ladisch November 1, 2023 at 11:21 PM
Releases with a fix:
RMB: https://github.com/folio-org/raml-module-builder/releases/tag/v35.1.1
Okapi: https://github.com/folio-org/okapi/releases/tag/v5.1.2
Details
Status: Done
Assignee: Unassigned
Reporter: Denis
RCA Group: TBD
Created November 1, 2023 at 8:42 PM
Updated May 23, 2024 at 3:51 PM
Resolved May 23, 2024 at 3:51 PM
Description
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-44487 (same advisory as GitHub: https://github.com/advisories/GHSA-xpw8-rcwv-8f8p)
Severity: High
Modules impacted:
mod-permissions Core Platform
mod-login Core Platform
mod-user-import Core Platform
mod-authtoken Core Platform
mod-configuration Core Platform
mod-login-saml Core Platform
edge-fqm Corsair - 1.0.0 vulnerable - (https://folio-org.atlassian.net/browse/EDGFQM-12#icft=EDGFQM-12)
mod-lists Corsair
mod-oai-pmh Firebird
edge-oai-pmh Firebird - 2.7.0 vulnerable - (https://folio-org.atlassian.net/browse/EDGOAIPMH-108#icft=EDGOAIPMH-108)
mod-data-export Firebird
mod-source-record-storage Folijet
mod-source-record-manager Folijet
mod-data-import Folijet
mod-inventory Folijet
mod-erm-usage Leipzig
mod-erm-usage-harvester Leipzig
edge-connexion Mjolnir - 1.1.0 vulnerable - (https://folio-org.atlassian.net/browse/EDGCONX-37#icft=EDGCONX-37)
mod-inventory-update Sif
mod-inventory-storage Spitfire
mod-entities-links Spitfire
mod-search Spitfire
edge-rtac - 2.6.0 vulnerable, 2.6.1 fixed (EDGRTAC-79, EDGRTAC-80)
mod-rtac TBD
mod-courses Thor
mod-settings Thor
mod-finance-storage Thunderjet
mod-organizations-storage Thunderjet
mod-orders-storage Thunderjet
mod-invoice-storage Thunderjet
mod-organizations Thunderjet
mod-finance Thunderjet
mod-orders Thunderjet
mod-invoice Thunderjet
mod-gobi Thunderjet
edge-orders Thunderjet - 2.9.0 vulnerable - (https://folio-org.atlassian.net/browse/EDGORDERS-78#icft=EDGORDERS-78)
mod-circulation-storage Vega
mod-patron-blocks Vega
mod-feesfines Vega
mod-circulation Vega
mod-patron Vega
edge-patron Vega - 5.0.0 vulnerable, 5.0.1 fixed (https://folio-org.atlassian.net/browse/EDGPATRON-123#icft=EDGPATRON-123, https://folio-org.atlassian.net/browse/EDGPATRON-124#icft=EDGPATRON-124)
mod-event-config Volaris
mod-users Volaris
mod-template-engine Volaris
mod-email Volaris
mod-users-bl Volaris
mod-notify Volaris
mod-audit Volaris
edge-sip2 Volaris - 3.1.0 vulnerable, 3.0.1 fixed (https://folio-org.atlassian.net/browse/SIP2-178#icft=SIP2-178, https://folio-org.atlassian.net/browse/SIP2-179#icft=SIP2-179)
edge-dematic Volaris - 2.1.0 vulnerable - (https://folio-org.atlassian.net/browse/EDGDEMATIC-95#icft=EDGDEMATIC-95)
edge-caiasoft Volaris - 2.1.0 vulnerable - (https://folio-org.atlassian.net/browse/EDGCSOFT-57#icft=EDGCSOFT-57)
mod-sender Volaris
mod-remote-storage Volaris
okapi Core Platform - 5.1.1 vulnerable, 5.1.2 fixed
mod-licenses Bienenvolk (fka ERM)
mod-data-export-spring Firebird
mod-data-export-worker Firebird
mod-bulk-operations Firebird
mod-agreements Bienenvolk (fka ERM)