CVE-2024-52530
published 2024-11-11
High 7.5 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:H / A:N
GNOME libsoup before 3.6.0 allows HTTP request smuggling in some configurations because '\0' characters at the end of header names are ignored, i.e., a "Transfer-Encoding\0: chunked" header is treated the same as a "Transfer-Encoding: chunked" header.
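The parsing difference described above, as an added C example (not libsoup's code): a comparison that stops at the first NUL byte accepts the constructed header name, while a check against the RFC 9110 `token` grammar rejects it. All function names and the sample bytes are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample header line; the name ends in a NUL byte before ':'. */
static const char SAMPLE[] = "Transfer-Encoding\0: chunked";

/* RFC 9110 tchar: the only bytes permitted in a header field name. */
static bool is_tchar(unsigned char c)
{
    bool alnum = (c >= '0' && c <= '9') || ((c | 0x20) >= 'a' && (c | 0x20) <= 'z');
    return alnum || (c != '\0' && strchr("!#$%&'*+-.^_`|~", c) != NULL);
}

/* Length of the raw field name: every byte before the first ':' (0 if none). */
size_t header_name_len(const char *line, size_t line_len)
{
    const char *colon = memchr(line, ':', line_len);
    return colon ? (size_t)(colon - line) : 0;
}

/* Strict check: non-empty and made only of tchar bytes, so NUL is rejected. */
bool header_name_is_valid(const char *name, size_t len)
{
    if (len == 0) return false;
    for (size_t i = 0; i < len; i++)
        if (!is_tchar((unsigned char)name[i])) return false;
    return true;
}

/* Models the flawed behaviour: bytes from the first NUL onward are ignored. */
bool lenient_name_equals(const char *name, size_t len, const char *want)
{
    const char *nul = memchr(name, '\0', len);
    size_t seen = nul ? (size_t)(nul - name) : len;
    return seen == strlen(want) && strncasecmp(name, want, seen) == 0;
}

/* Hardened comparison: validate the full raw name before matching it. */
bool strict_name_equals(const char *name, size_t len, const char *want)
{
    return header_name_is_valid(name, len) && len == strlen(want)
        && strncasecmp(name, want, len) == 0;
}

int main(void)
{
    size_t n = header_name_len(SAMPLE, sizeof SAMPLE - 1);
    printf("lenient=%d strict=%d\n", lenient_name_equals(SAMPLE, n, "Transfer-Encoding"),
           strict_name_equals(SAMPLE, n, "Transfer-Encoding"));
    return 0;
}
```

A server or proxy that applies the strict check can reject the whole request with a 400 response, so both hops agree on how the message is framed.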
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libsoup2.4 | < libsoup2.4 2.74.3-1+deb12u1 (bookworm) | libsoup2.4 2.74.3-1+deb12u1 (bookworm) |
| debian | libsoup3 | < libsoup2.4 2.74.3-1+deb12u1 (bookworm) | libsoup2.4 2.74.3-1+deb12u1 (bookworm) |
| gnome | libsoup | < 3.6.0 | 3.6.0 |
| msrc | azl3_libsoup_3.4.4-2_on_azure_linux_3.0 | — | — |
| msrc | azl3_libsoup_3.4.4-6_on_azure_linux_3.0 | — | — |
| msrc | cbl2_libsoup_3.0.4-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_libsoup_3.0.4-6_on_cbl_mariner_2.0 | — | — |
CVSS provenance
nvd: v3.1, 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
osv: 7.5 HIGH