Impact of HTTP Smuggling on Load Balancers and Systems
CVE-2024-9622
5.3 MEDIUM
Summary
The Resteasy-Netty4 library contains a vulnerability caused by improper handling of HTTP requests that employ smuggling techniques. Specifically, an HTTP smuggling request containing an ASCII control character causes the Netty HttpObjectDecoder to enter a BAD_MESSAGE state. As a consequence, any subsequent legitimate requests on the same connection are disregarded, resulting in client timeouts. This behavior can significantly impact systems that utilize load balancers, thereby increasing their exposure to potential risks.
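A simplified model of the behaviour described above, added here as an illustration and not taken from Netty or Resteasy: one keep-alive connection is replayed with a sticky bad-message state and then with an assumed hardened policy that answers 400 and closes the connection. The `Connection` class, the outcome strings, the `app.example` host and the close-on-error policy are all assumptions of this example.

```python
# Toy model (assumption): not Netty's HttpObjectDecoder, only the state
# behaviour the summary describes for a single keep-alive connection.

ALLOWED_CTL = {0x09}  # RFC 9110 permits HTAB inside field values


def has_control_char(head: bytes) -> bool:
    """True if any line of the request head holds a forbidden ASCII control byte."""
    for line in head.split(b"\r\n"):  # CRLF is only valid as a line terminator
        if any((b < 0x20 and b not in ALLOWED_CTL) or b == 0x7F for b in line):
            return True
    return False


class Connection:
    def __init__(self, close_on_bad: bool):
        self.close_on_bad = close_on_bad  # hypothetical hardened policy
        self.bad = False                  # models the sticky BAD_MESSAGE state
        self.open = True

    def handle(self, head: bytes) -> str:
        if not self.open:
            return "closed"        # peer sees the close and can reconnect
        if self.bad:
            return "no-response"   # request disregarded, client times out
        if has_control_char(head):
            if self.close_on_bad:
                self.open = False
                return "400 + close"
            self.bad = True
            return "bad-message"   # outcome label assumed by this model
        return "200"


# Constructed sample request heads (not captured traffic).
GOOD = b"GET /health HTTP/1.1\r\nHost: app.example\r\n\r\n"
BAD = b"GET /health HTTP/1.1\r\nHost: app.example\r\nX-Test: a\x01b\r\n\r\n"


def replay(close_on_bad: bool) -> list:
    """Send GOOD, BAD, GOOD over one connection and collect the outcomes."""
    conn = Connection(close_on_bad)
    return [conn.handle(h) for h in (GOOD, BAD, GOOD)]


if __name__ == "__main__":
    print("sticky state :", replay(False))
    print("close on bad :", replay(True))
```

In the sticky case the third, well-formed request gets no answer; with the connection closed instead, the peer learns immediately that it needs a new connection.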
CVSS V3.1
Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Collectors
NVD Database, Mitre Database