{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-36387", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2024-05-27T11:13:32.415Z", "datePublished": "2024-07-01T18:10:25.512Z", "dateUpdated": "2025-02-13T17:52:53.571Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache HTTP Server", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "2.4.59", "status": "affected", "version": "2.4.55", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Marc Stern (<marc.stern@approach-cyber.com>)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance."}], "value": "Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance."}], "metrics": [{"other": {"content": {"text": "low"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-476", "description": "CWE-476 NULL Pointer Dereference", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-07-12T14:06:19.347Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}, {"url": "https://security.netapp.com/advisory/ntap-20240712-0001/"}], "source": {"discovery": "EXTERNAL"}, "timeline": [{"lang": "en", "time": "2024-05-27T13:23:00.000Z", "value": "fixed in r1918003 in trunk"}], "title": "Apache HTTP Server: DoS by Null pointer in websocket over HTTP/2", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-07-22T16:22:03.472412Z", "id": "CVE-2024-36387", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-25T17:28:29.258Z"}}, {"title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}, {"url": "https://security.netapp.com/advisory/ntap-20240712-0001/", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/01/4"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-09-13T17:04:49.998Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://httpd.apache.org/security/vulnerabilities_24.html", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240712-0001/", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/01/4"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-09-13T17:04:49.998Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-36387", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-22T16:22:03.472412Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-22T16:22:11.141Z"}}], "cna": {"title": "Apache HTTP Server: DoS by Null pointer in websocket over HTTP/2", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Marc Stern (<marc.stern@approach-cyber.com>)"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "low"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache HTTP Server", "versions": [{"status": "affected", "version": "2.4.55", "versionType": "semver", "lessThanOrEqual": "2.4.59"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-05-27T13:23:00.000Z", "value": "fixed in r1918003 in trunk"}], "references": [{"url": "https://httpd.apache.org/security/vulnerabilities_24.html", "tags": ["vendor-advisory"]}, {"url": "https://security.netapp.com/advisory/ntap-20240712-0001/"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance.", "supportingMedia": [{"type": "text/html", "value": "Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-476", "description": "CWE-476 NULL Pointer Dereference"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-07-12T14:06:19.347Z"}}}, "cveMetadata": {"cveId": "CVE-2024-36387", "state": "PUBLISHED", "dateUpdated": "2025-02-13T17:52:53.571Z", "dateReserved": "2024-05-27T11:13:32.415Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2024-07-01T18:10:25.512Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance."}, {"lang": "es", "value": "Ofrecer actualizaciones del protocolo WebSocket a trav\u00e9s de una conexi\u00f3n HTTP/2 podr\u00eda provocar una desreferencia del puntero nulo, lo que provocar\u00eda una falla del proceso del servidor y degradar\u00eda el rendimiento."}], "id": "CVE-2024-36387", "lastModified": "2024-11-25T18:15:12.440", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-07-01T19:15:03.497", "references": [{"source": "security@apache.org", "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}, {"source": "security@apache.org", "url": "https://security.netapp.com/advisory/ntap-20240712-0001/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/07/01/4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20240712-0001/"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "security@apache.org", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:3452", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-apr-0:1.7.5-3.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2025-04-02T00:00:00Z"}, {"advisory": "RHSA-2025:3452", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-apr-util-0:1.6.3-2.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2025-04-02T00:00:00Z"}, {"advisory": "RHSA-2025:3452", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-httpd-0:2.4.62-5.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2025-04-02T00:00:00Z"}, {"advisory": "RHSA-2025:3452", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_http2-0:2.0.29-3.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2025-04-02T00:00:00Z"}, {"advisory": "RHSA-2025:3452", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_jk-0:1.2.50-8.redhat_1.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2025-04-02T00:00:00Z"}, {"advisory": "RHSA-2025:3452", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_md-1:2.4.28-9.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2025-04-02T00:00:00Z"}, {"advisory": "RHSA-2025:3452", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_proxy_cluster-0:1.3.22-3.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2025-04-02T00:00:00Z"}, {"advisory": "RHSA-2025:3452", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_security-0:2.9.6-10.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2025-04-02T00:00:00Z"}, {"advisory": "RHSA-2025:3452", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-apr-0:1.7.5-3.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2025-04-02T00:00:00Z"}, {"advisory": "RHSA-2025:3452", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-apr-util-0:1.6.3-2.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2025-04-02T00:00:00Z"}, {"advisory": "RHSA-2025:3452", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-brotli-0:1.1.0-5.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2025-04-02T00:00:00Z"}, {"advisory": "RHSA-2025:3452", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-curl-0:8.11.0-2.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2025-04-02T00:00:00Z"}, {"advisory": "RHSA-2025:3452", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-httpd-0:2.4.62-5.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2025-04-02T00:00:00Z"}, {"advisory": "RHSA-2025:3452", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-jansson-0:2.14-4.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2025-04-02T00:00:00Z"}, {"advisory": "RHSA-2025:3452", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_http2-0:2.0.29-3.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2025-04-02T00:00:00Z"}, {"advisory": "RHSA-2025:3452", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_jk-0:1.2.50-8.redhat_1.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2025-04-02T00:00:00Z"}, {"advisory": "RHSA-2025:3452", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_md-1:2.4.28-9.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2025-04-02T00:00:00Z"}, {"advisory": "RHSA-2025:3452", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_proxy_cluster-0:1.3.22-3.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2025-04-02T00:00:00Z"}, {"advisory": "RHSA-2025:3452", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_security-0:2.9.6-10.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2025-04-02T00:00:00Z"}, {"advisory": "RHSA-2025:3452", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-nghttp2-0:1.64.0-2.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2025-04-02T00:00:00Z"}, {"advisory": "RHSA-2025:3452", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-openssl-1:1.1.1k-19.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2025-04-02T00:00:00Z"}, {"advisory": "RHSA-2025:3452", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-openssl-chil-0:1.0.0-23.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2025-04-02T00:00:00Z"}, {"advisory": "RHSA-2025:3452", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-openssl-pkcs11-0:0.4.12-3.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2025-04-02T00:00:00Z"}, {"advisory": "RHSA-2024:8680", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "mod_http2-0:2.0.26-2.el9_4.1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-10-31T00:00:00Z"}, {"advisory": "RHSA-2025:3453", "cpe": "cpe:/a:redhat:jboss_core_services:1", "package": "mod_http2", "product_name": "Text-Only JBCS", "release_date": "2025-04-02T00:00:00Z"}], "bugzilla": {"description": "mod_http2: DoS by null pointer in websocket over HTTP/2", "id": "2295006", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2295006"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "verified"}, "cwe": "CWE-476", "details": ["Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance.", "A flaw was found in the Apache HTTP Server. Serving WebSocket protocol upgrades over an HTTP/2 connection could result in a NULL pointer dereference, leading to a crash of the server process."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-36387", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "httpd:2.4/mod_http2", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2024-07-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-36387\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-36387\nhttps://httpd.apache.org/security/vulnerabilities_24.html"], "threat_severity": "Low"}