CVE-2024-23452
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
08/02/2024
Last modified:
04/06/2025
Description
Request smuggling vulnerability in the HTTP server in Apache bRPC 0.9.5 through 1.7.0 on all platforms allows an attacker to smuggle requests.

Vulnerability cause:

The http_parser does not comply with the RFC 7230 HTTP/1.1 specification.

Attack scenario:

If a message is received with both a Transfer-Encoding and a Content-Length header field, such a message might indicate an attempt to perform request smuggling or response splitting.

One particular attack scenario is a bRPC-based HTTP server on the backend receiving requests over one persistent connection from a frontend server that uses Transfer-Encoding to parse the request, with the logic that the TE field counts as chunked whenever it merely contains the substring 'chunk'. In that case an attacker can smuggle a request into the connection to the backend server.

Solution:

You can choose one of the solutions below:
1. Upgrade bRPC to version 1.8.0, which fixes this issue. Download link: https://github.com/apache/brpc/releases/tag/1.8.0
2. Apply this patch: https://github.com/apache/brpc/pull/2518
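The advisory's root cause is a framing decision that departs from RFC 7230 section 3.3.3: a request carrying both Transfer-Encoding and Content-Length must not be forwarded as if it were unambiguous, and the chunked coding must be recognised by token rather than by substring. The following is an added example, not code from the bRPC project or from the advisory, of a defensive framing check a server or proxy can run before it reads a request body. The sample request and the helper names (`parse_header_block`, `framing_decision`) are assumptions made for this illustration.

```python
# Added example (not from the bRPC project or this advisory): a defensive
# HTTP/1.1 body-framing check modelled on RFC 7230 section 3.3.3.
from typing import List, Tuple

Header = Tuple[str, str]


def parse_header_block(raw: bytes) -> List[Header]:
    """Split a raw request head (request line plus headers, terminated by
    CRLF CRLF) into (name, value) pairs. Names keep their original case;
    callers compare them case-insensitively."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")[1:]  # drop the request line
    headers = []
    for line in lines:
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.decode("ascii").strip(), value.decode("ascii").strip()))
    return headers


def _values(headers: List[Header], name: str) -> List[str]:
    return [v for k, v in headers if k.lower() == name]


def framing_decision(headers: List[Header]) -> Tuple[str, object]:
    """Decide how the request body is delimited.

    Returns one of:
      ("reject", reason)     -> respond 400 and close the connection
      ("chunked", None)      -> body uses the chunked transfer coding
      ("content-length", n)  -> body is exactly n bytes
      ("no-body", 0)         -> no body follows the headers
    """
    te = _values(headers, "transfer-encoding")
    cl = _values(headers, "content-length")

    # RFC 7230 3.3.3: a message with both fields may be an attempt at request
    # smuggling; a server should reject it rather than pick one silently.
    if te and cl:
        return ("reject", "both Transfer-Encoding and Content-Length present")

    if te:
        # Parse the field as a comma-separated list of coding tokens. A
        # substring test such as `"chunk" in value` is not equivalent: it
        # accepts "xchunked" and "chunked, gzip" (where chunked is not final).
        codings = [c.strip().lower() for v in te for c in v.split(",") if c.strip()]
        if not codings or codings[-1] != "chunked":
            return ("reject", "Transfer-Encoding present but chunked is not the final coding")
        if any(c not in ("chunked", "gzip", "deflate", "compress") for c in codings):
            return ("reject", "unrecognised transfer coding")
        return ("chunked", None)

    if cl:
        # Repeated Content-Length fields are acceptable only if identical and numeric.
        if len(set(cl)) != 1 or not cl[0].isdigit():
            return ("reject", "invalid or conflicting Content-Length")
        return ("content-length", int(cl[0]))

    return ("no-body", 0)


# Constructed sample request (not captured traffic) carrying both framing headers.
SAMPLE_AMBIGUOUS = (
    b"POST /api HTTP/1.1\r\nHost: example.invalid\r\n"
    b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n"
)

if __name__ == "__main__":
    print(framing_decision(parse_header_block(SAMPLE_AMBIGUOUS)))
```

The point of the token parse is that the frontend and backend must reach the same framing decision for every request; rejecting the ambiguous cases outright is what keeps two independent implementations from disagreeing about where one request ends and the next begins.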
Impact
Base Score 3.x
7.50
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:apache:brpc:*:*:*:*:*:*:*:* | 0.9.5 (including) | 1.8.0 (excluding) |
References to Advisories, Solutions, and Tools
- http://www.openwall.com/lists/oss-security/2024/02/08/1
- https://github.com/apache/brpc/pull/2518
- https://github.com/apache/brpc/releases/tag/1.8.0
- https://lists.apache.org/thread/kkvdpwyr2s2yt9qvvxfdzon012898vxd