A vulnerability was found in the resteasy-netty4 library arising from improper handling of HTTP requests using smuggling techniques. When an HTTP smuggling request with an ASCII control character is sent, it causes the Netty HttpObjectDecoder to transition into a BAD_MESSAGE state. As a result, any subsequent legitimate requests on the same connection are ignored, leading to client timeouts, which may impact systems using load balancers and expose them to risk.
History

Wed, 09 Oct 2024 14:45:00 +0000

Type: Metrics
Values Removed: threat_severity = Moderate
Values Added: threat_severity = Low


Wed, 09 Oct 2024 06:45:00 +0000

Type: Title
Values Removed: Resteasy-netty4-cdi: resteasy-netty4: http request smuggling leading to client timeouts in resteasy-netty4
Values Added: Resteasy-netty4-cdi: resteasy-netty4: resteasy-reactor-netty: http request smuggling leading to client timeouts in resteasy-netty4

Tue, 08 Oct 2024 18:15:00 +0000

Type: Metrics
Values Removed:
Values Added: ssvc = {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 08 Oct 2024 16:45:00 +0000

Type: Description
Values Removed: No description is available for this CVE.
Values Added: A vulnerability was found in the resteasy-netty4 library arising from improper handling of HTTP requests using smuggling techniques. When an HTTP smuggling request with an ASCII control character is sent, it causes the Netty HttpObjectDecoder to transition into a BAD_MESSAGE state. As a result, any subsequent legitimate requests on the same connection are ignored, leading to client timeouts, which may impact systems using load balancers and expose them to risk.

Type: Title
Values Removed: resteasy-netty4-cdi: resteasy-netty4: HTTP Request Smuggling Leading to Client Timeouts in resteasy-netty4
Values Added: Resteasy-netty4-cdi: resteasy-netty4: http request smuggling leading to client timeouts in resteasy-netty4

Type: First Time appeared
Values Removed:
Values Added:
  Redhat
  Redhat jboss Data Grid
  Redhat jboss Enterprise Application Platform
  Redhat jbosseapxp

Type: CPEs
Values Removed:
Values Added:
  cpe:/a:redhat:jboss_data_grid:7
  cpe:/a:redhat:jboss_enterprise_application_platform:7
  cpe:/a:redhat:jboss_enterprise_application_platform:8
  cpe:/a:redhat:jbosseapxp

Type: Vendors & Products
Values Removed:
Values Added:
  Redhat
  Redhat jboss Data Grid
  Redhat jboss Enterprise Application Platform
  Redhat jbosseapxp

Type: References
Values Removed:
Values Added:

Tue, 08 Oct 2024 13:30:00 +0000

Type: Description
Values Removed:
Values Added: No description is available for this CVE.

Type: Title
Values Removed:
Values Added: resteasy-netty4-cdi: resteasy-netty4: HTTP Request Smuggling Leading to Client Timeouts in resteasy-netty4

Type: Weaknesses
Values Removed:
Values Added: CWE-444

Type: References
Values Removed:
Values Added:

Type: Metrics
Values Removed: threat_severity = None
Values Added:
  cvssV3_1 = {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}
  threat_severity = Moderate


MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2024-10-08T16:26:13.413Z

Updated: 2024-10-09T09:01:52.037Z

Reserved: 2024-10-08T08:48:41.620Z

Link: CVE-2024-9622

Vulnrichment

Updated: 2024-10-08T17:41:38.585Z

NVD

Status: Awaiting Analysis

Published: 2024-10-08T17:15:57.790

Modified: 2024-10-10T12:56:30.817

Link: CVE-2024-9622

Redhat

Severity: Low

Public Date: 2024-10-08T00:00:00Z

Links: CVE-2024-9622 - Bugzilla