Netty BinaryHttpParser Vulnerability
CVE-2024-40642

8.1 HIGH

Key Information:

Vendor
Netty
CVE Published:
18 July 2024

Summary

The vulnerability in Netty's incubator codec.bhttp arises from improper validation of input values in the BinaryHttpParser class. An attacker who controls the binary HTTP input can therefore gain substantial control over the HTTP requests the parser constructs. The flaw may enable multiple injection attacks, including HTTP request smuggling, desynchronization attacks and HTTP header injection, among others. Because the unvalidated values may also be passed on to other text-based protocols, an attacker could combine these issues to craft messages for those protocols, extending the impact beyond plain HTTP interactions. The vulnerable method, readRequestHead, does not adequately check its input, leaving exploitation possible without sufficient safeguards. To mitigate the issue, users are strongly urged to upgrade to version 0.0.13.Final; there are no known workarounds.
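As an added illustration of the control-data and header validation a binary HTTP decoder needs (standalone example code, not Netty's BinaryHttpParser or its fix), the decoder below parses the request head of an RFC 9292 known-length request and rejects any method, scheme, authority, path or header field that carries CR, LF, whitespace or other control bytes. The two sample messages at the end are constructed for this example.

```python
# Defensive decoder for the request head of an RFC 9292 known-length binary HTTP
# message. Every decoded field is validated, so CR, LF, NUL, whitespace or other
# control bytes never reach a downstream text serializer. Not Netty's own code.
import re

TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")           # RFC 9110 token
SCHEME = re.compile(r"[A-Za-z][A-Za-z0-9+\-.]*")              # RFC 3986 scheme
VCHAR = re.compile(r"[\x21-\x7e]+")                            # printable, no SP/CTL
FIELD_VALUE = re.compile(r"[\t\x20-\x7e\x80-\xff]*")           # no CR, LF, NUL, CTL

def read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a QUIC variable-length integer (RFC 9000 section 16)."""
    size = 1 << (buf[pos] >> 6) if pos < len(buf) else 0
    chunk = buf[pos:pos + size]
    if size == 0 or len(chunk) != size:
        raise ValueError("truncated varint")
    return int.from_bytes(chunk, "big") & ((1 << (8 * size - 2)) - 1), pos + size

def read_field(buf: bytes, pos: int, pattern: re.Pattern, what: str) -> tuple[str, int]:
    """Read one length-prefixed string and reject it unless it fully matches pattern."""
    n, pos = read_varint(buf, pos)
    text = buf[pos:pos + n].decode("latin-1")
    if len(text) != n or not pattern.fullmatch(text):
        raise ValueError(f"truncated or invalid {what}: {text!r}")
    return text, pos + n

def parse_request_head(buf: bytes) -> dict:
    """Return validated control data and headers, or raise ValueError."""
    indicator, pos = read_varint(buf, 0)
    if indicator != 0:
        raise ValueError("only known-length requests (framing indicator 0) handled")
    method, pos = read_field(buf, pos, TOKEN, "method")
    scheme, pos = read_field(buf, pos, SCHEME, "scheme")
    authority, pos = read_field(buf, pos, VCHAR, "authority")
    path, pos = read_field(buf, pos, VCHAR, "path")
    section_len, pos = read_varint(buf, pos)
    end = pos + section_len
    headers = []
    while pos < end:                       # field section: (name, value) pairs
        name, pos = read_field(buf, pos, TOKEN, "header name")
        value, pos = read_field(buf, pos, FIELD_VALUE, "header value")
        headers.append((name.lower(), value))
    if pos != end:
        raise ValueError("field section length mismatch")
    return {"method": method, "scheme": scheme, "authority": authority, "path": path, "headers": headers}

# Constructed samples (single-byte varint lengths); BAD hides a CRLF inside the path.
GOOD = b"\x00\x03GET\x05https\x0bexample.com\x01/\x0c\x04host\x06a.test"
BAD = b"\x00\x03GET\x05https\x0bexample.com\x03/\r\n\x00"
```

A decoder that validates this way turns a smuggling attempt into a parse error instead of a second request on the wire.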

Affected Version(s)

netty-incubator-codec-ohttp < 0.0.13.Final

References

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

CVE-2024-40642 : Netty BinaryHttpParser Vulnerability | SecurityVulnerability.io