CVE-2024-52530 — HTTP Request Smuggling in Libsoup

Severity: 7.5 HIGH (NVD)
EPSS: 0.4% (top 41.35%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Nov 11
Latest update: Nov 27

Description

GNOME libsoup before 3.6.0 allows HTTP request smuggling in some configurations because '\0' characters at the end of header names are ignored, i.e., a "Transfer-Encoding\0: chunked" header is treated the same as a "Transfer-Encoding: chunked" header.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages: 1 package

NVD: gnome/libsoup < 3.6.0

🔴 Vulnerability Details

6
OSV: libsoup3 vulnerabilities (2024-11-27)
OSV: libsoup2.4 vulnerabilities (2024-11-27)
GHSA: GHSA-37r8-854r-595c: GNOME libsoup before 3 (2024-11-11)
OSV: CVE-2024-52530: GNOME libsoup before 3 (2024-11-11)
CVEList: CVE-2024-52530: GNOME libsoup before 3 (2024-11-11)

📋 Vendor Advisories

5
Ubuntu: libsoup vulnerabilities (2024-11-27)
Ubuntu: libsoup3 vulnerabilities (2024-11-27)
Microsoft: GNOME libsoup before 3.6.0 allows HTTP request smuggling in some configurations (2024-11-12)
Red Hat: libsoup: HTTP request smuggling via stripping null bytes from the ends of header names (2024-11-11)
Debian: CVE-2024-52530: libsoup2.4 - GNOME libsoup before 3.6.0 allows HTTP request smuggling in some configurations ... (2024)