HTTP/2 Rapid Reset : CVE-2023-44487

No, our API in general uses HTTP/1.1, and all publicly reachable endpoints are only reachable via HTTP/1.1.

Only Proxmox Backup Server has support for HTTP 2.2, and there it's only accessible to users or API tokens that were given access to making or reading backups.

And even if one has the relevant access, which normally means already some higher trust relation with that user, those two special endpoints cannot really be abused by rapid reset: as this "attack" works by requesting data from a server, not by sending data to it, the writer endpoint is unaffected by definition. Misusing the reader one has a higher chance, but it still adds some cost for the attacker and is not trivially possible. And still, as this requires read access and knowing chunk IDs, which requires reading some indexes, we see it as non-problematic, especially as there's built-in rate-limiting available too.
EDIT: The main author of the underlying http and http/2 stack hyper, which is used by Proxmox Backup Server, is stating that it's not affected in the version we use.

tl;dr:

Proxmox VE -> no, only HTTP/1.1
Proxmox Mail Gateway -> no, only HTTP/1.1
Proxmox Backup Server -> no, as all but two restricted endpoints are HTTP/1.1 only. Of the restricted endpoints only one could be misused, but not cheaply, so we do not see this as a real issue.
EDIT: The main author of the underlying http and http/2 stack hyper, which is used by Proxmox Backup Server, is stating that it's not affected in the version we use.

For reference: also opened by you (please don't "spam" our communication channels..) https://bugzilla.proxmox.com/show_bug.cgi?id=4988

tl;dr;tl;dr: no, no up-to-date Proxmox project is affected.
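The post above describes the Rapid Reset pattern as a client opening requests and cancelling them before any data comes back. The following is an added example, not code from the thread, from Proxmox or from the hyper project: a small Python frame parser that scores a captured client-to-server HTTP/2 byte stream by how many client-opened streams (HEADERS) are followed by an RST_STREAM on the same stream. The thresholds (50 requests, 80 % cancelled), the frame builder and the two sample connections are constructed here for illustration; timing between frames is not modelled, only the HEADERS/RST_STREAM pairing.

```python
"""Score a captured HTTP/2 client->server byte stream for the Rapid Reset pattern.

Added example for illustration; not Proxmox, PBS or hyper code. Frame layout per
RFC 9113 section 4.1: 24-bit length, 8-bit type, 8-bit flags, 1 reserved bit + 31-bit stream id.
"""
from dataclasses import dataclass
from typing import Iterator

CLIENT_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
FRAME_HEADERS, FRAME_RST_STREAM, FRAME_SETTINGS = 0x1, 0x3, 0x4
FLAG_END_STREAM, FLAG_END_HEADERS = 0x1, 0x4
ERR_CANCEL = 0x8  # RST_STREAM error code CANCEL

# HPACK static-table indexes for ":method GET" and ":path /" (RFC 7541); constructed sample payload.
HPACK_GET_ROOT = b"\x82\x84"


@dataclass
class Frame:
    ftype: int
    flags: int
    stream_id: int
    payload: bytes


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Encode one HTTP/2 frame; used only to construct the sample captures below."""
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    return header + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload


def iter_frames(data: bytes) -> Iterator[Frame]:
    """Yield frames from a raw client->server stream, skipping the connection preface if present."""
    if data.startswith(CLIENT_PREFACE):
        data = data[len(CLIENT_PREFACE):]
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError(f"truncated frame at offset {off}")
        yield Frame(ftype, flags, stream_id, payload)
        off += 9 + length
    if off != len(data):
        raise ValueError("trailing bytes that do not form a complete frame header")


def rapid_reset_stats(data: bytes, min_requests: int = 50, reset_ratio: float = 0.8) -> dict:
    """Count client-opened streams and how many of them the client reset before finishing.

    A HEADERS frame with END_STREAM still leaves the stream half-closed (local) until the
    response arrives, so an RST_STREAM after it is exactly the 'request then cancel' pattern.
    Thresholds are illustrative assumptions, not values from any product.
    """
    open_streams: set[int] = set()
    requests = cancelled = 0
    for f in iter_frames(data):
        if f.ftype == FRAME_HEADERS and f.stream_id % 2 == 1:  # client-initiated streams are odd
            requests += 1
            open_streams.add(f.stream_id)
        elif f.ftype == FRAME_RST_STREAM and f.stream_id in open_streams:
            open_streams.discard(f.stream_id)
            cancelled += 1
    ratio = cancelled / requests if requests else 0.0
    return {
        "requests": requests,
        "cancelled": cancelled,
        "ratio": ratio,
        "suspicious": requests >= min_requests and ratio >= reset_ratio,
    }


def normal_connection() -> bytes:
    """Constructed sample: preface, SETTINGS, three ordinary GET requests, no resets."""
    out = CLIENT_PREFACE + build_frame(FRAME_SETTINGS, 0, 0)
    for sid in (1, 3, 5):
        out += build_frame(FRAME_HEADERS, FLAG_END_HEADERS | FLAG_END_STREAM, sid, HPACK_GET_ROOT)
    return out


def rapid_reset_connection(n: int = 200) -> bytes:
    """Constructed sample: every request is cancelled immediately after being sent."""
    out = CLIENT_PREFACE + build_frame(FRAME_SETTINGS, 0, 0)
    for i in range(n):
        sid = 2 * i + 1
        out += build_frame(FRAME_HEADERS, FLAG_END_HEADERS | FLAG_END_STREAM, sid, HPACK_GET_ROOT)
        out += build_frame(FRAME_RST_STREAM, 0, sid, ERR_CANCEL.to_bytes(4, "big"))
    return out


if __name__ == "__main__":
    print("normal:", rapid_reset_stats(normal_connection()))
    print("rapid reset:", rapid_reset_stats(rapid_reset_connection()))
```

On a real capture you would feed only the client-to-server direction of one TLS-terminated connection (e.g. from a proxy's debug log or a decrypted pcap); an HTTP/1.1-only listener, as the post describes for the public PVE and PMG endpoints, never produces these frames in the first place.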
Apologies, it was not meant as spam; there are forum users and tracker users, and not everyone looks at the issue tracker.