CVE-2024-23452

CWE-444 — HTTP Request Smuggling3 documents3 sources

Severity

7.5HIGH

EPSS

0.2%

top 52.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Brpc Apache Brpc

Timeline

PublishedFeb 8

Description

Request smuggling vulnerability in HTTP server in Apache bRPC 0.9.5~1.7.0 on all platforms allows attacker to smuggle request. Vulnerability Cause Description： The http_parser does not comply with the RFC-7230 HTTP 1.1 specification. Attack scenario: If a message is received with both a Transfer-Encoding and a Content-Length header field, such a message might indicate an attempt to perform request smuggling or response splitting. One particular attack scenario is that a bRPC made http server …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDapache/brpc0.9.5 — 1.8.0

▶CVEListV5apache_software_foundation/apache_brpc0.9.5 — 1.8.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-2862-59r4-c989: Request smuggling vulnerability in HTTP server in Apache bRPC 0↗2024-02-08

▶

CVEList

Apache bRPC: HTTP request smuggling vulnerability↗2024-02-08

▶