CVE-2023-41337: 
NixOS vulnerability analysis and mitigation

The vulnerability (CVE-2023-41337) affects h2o, an HTTP server with support for HTTP/1.x, HTTP/2, and HTTP/3. Discovered and disclosed on December 12, 2023, this vulnerability impacts all versions up to commit 69f2690. The issue allows for TLS session resumption misdirection when h2o is configured to listen to multiple addresses or ports with different backend servers (GitHub Advisory).

The vulnerability stems from session IDs and tickets generated by h2o not being bound to information specific to the server address, port, or X.509 certificate. This allows an attacker to force victim connections to wrongfully resume against a different server address or port on the same h2o instance. The vulnerability has been assigned a CVSS v3.1 score of 6.1 (Medium) with the vector string CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N, indicating adjacent network access, high attack complexity, low privileges required, and user interaction required (GitHub Advisory).

When successfully exploited, the vulnerability allows a malicious backend entity to misdirect HTTPS requests intended for other backends and observe the contents of those requests. This is particularly impactful in configurations where h2o is set up with multiple backend servers managed by different entities. The attacker can potentially intercept and redirect sensitive HTTPS traffic, leading to unauthorized access to request contents (GitHub Advisory).

A patch has been released in commit 35760540337a47e5150da0f4a66a609fad2ef0ab. Users can either update h2o to this commit or later versions, or implement the workaround of stopping the use of host-level listen directives in favor of global-level ones. The vulnerability only affects instances where the server is configured to listen to different addresses or ports using the listen directive at the host level and is configured to connect to backend servers managed by multiple entities (GitHub Advisory).