I mentioned this in a previous post for this CVE. How much heavy lifting is the phrase "along with conditions beyond their control" doing for this exploit?
> When NGINX Open Source is configured to use the HTTP/3 QUIC module, a remote unauthenticated attacker along with conditions beyond their control can use a specially crafted HTTP/3 session to reopen a QPACK encoder stream.
These commits [1] are related to the issue. I am not too familiar with the code, but it appears nginx manages/closes streams in a pool at times the attacker cannot control, and during short windows, it is vulnerable.
I mentioned this in a previous post for this CVE. How much heavy lifting is the phrase "along with conditions beyond their control" doing for this exploit?
> When NGINX Open Source is configured to use the HTTP/3 QUIC module, a remote unauthenticated attacker along with conditions beyond their control can use a specially crafted HTTP/3 session to reopen a QPACK encoder stream.
These commits [1] are related to the issue. I am not too familiar with the code, but it appears nginx manages/closes streams in a pool at times the attacker cannot control, and during short windows, it is vulnerable.
[1]:
https://github.com/nginx/nginx/commit/ceccdbd2ee799d020a371b...
https://github.com/nginx/nginx/commit/9e293766e73c469c015df5...