Description
HTTP Request Smuggling in akka-http-core
A vulnerable Akka HTTP server will accept a malformed message and hand it over to the user application. If that application proxies the message to another server unchanged, and the second server also accepts it but interprets it as two HTTP messages, the second message reaches the second server without having been inspected by the proxy.
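The mechanism above depends on the first hop forwarding a request whose framing is ambiguous. The following is an added example, not code from akka-http or the Akka project: a strict pre-check that a proxy or gateway can run on the raw request head before forwarding it upstream. It rejects the header shape this advisory is about (more than one Transfer-Encoding header) and the closely related Transfer-Encoding plus Content-Length combination, and it also refuses line folding and bare LF so the check itself cannot be bypassed by parser differences. All function names and the sample requests are constructed for this example.

```python
from typing import List, Tuple

Headers = List[Tuple[str, str]]


def parse_header_block(raw: bytes) -> Tuple[str, Headers]:
    """Split an HTTP/1.1 request head into the request line and (name, value) pairs.

    Header names are lower-cased and values stripped. Raises ValueError on input
    that lenient parsers disagree about: no CRLFCRLF terminator, bare LF inside
    the head, obsolete line folding, or whitespace between name and colon.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block not terminated by CRLFCRLF")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("ascii")
    headers: Headers = []
    for line in lines[1:]:
        if b"\n" in line:
            raise ValueError("bare LF inside header block")
        if line[:1] in (b" ", b"\t"):
            raise ValueError("obsolete line folding not accepted")
        name, colon, value = line.partition(b":")
        if not colon or not name or name != name.strip():
            raise ValueError("malformed header line")
        headers.append((name.decode("ascii").lower(), value.decode("ascii").strip()))
    return request_line, headers


def check_framing(headers: Headers) -> Tuple[bool, str]:
    """Return (ok, reason). ok is False when the body length is ambiguous."""
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    if len(te) > 1:
        return False, "multiple Transfer-Encoding headers"
    if te and cl:
        return False, "Transfer-Encoding and Content-Length both present"
    if len(set(cl)) > 1:
        return False, "conflicting Content-Length values"
    if cl and not cl[0].isdigit():
        return False, "non-numeric Content-Length"
    if te:
        codings = [c.strip().lower() for c in te[0].split(",")]
        # The final coding must be chunked, otherwise the body has no delimiter.
        if codings[-1] != "chunked":
            return False, "final transfer coding is not chunked"
    return True, "ok"


def is_forwardable(raw: bytes) -> Tuple[bool, str]:
    """Parse and validate a raw request head; refuse anything ambiguous."""
    try:
        _request_line, headers = parse_header_block(raw)
    except ValueError as exc:  # UnicodeDecodeError is a ValueError too
        return False, str(exc)
    return check_framing(headers)


# Constructed sample requests (not captured traffic).
GOOD = b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
DUP_TE = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
          b"Transfer-Encoding: chunked\r\nTransfer-Encoding: identity\r\n\r\n0\r\n\r\n")
TE_AND_CL = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
FOLDED = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
          b"Transfer-Encoding: chunked\r\n X\r\n\r\n0\r\n\r\n")

if __name__ == "__main__":
    for label, req in [("good", GOOD), ("dup_te", DUP_TE),
                       ("te_and_cl", TE_AND_CL), ("folded", FOLDED)]:
        print(label, is_forwardable(req))
```

The check is deliberately conservative: a proxy that cannot prove a single, unambiguous framing should reject the request (or close the connection) rather than normalize it, because normalization is exactly where two parsers can disagree.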
References
- https://nvd.nist.gov/vuln/detail/CVE-2021-23339
- https://github.com/akka/akka-http/pull/3754#issuecomment-779265201
- https://github.com/akka/akka-http/commit/e3a4935151c91cee28e65e6b894dd50839ef9d34
- https://doc.akka.io/docs/akka-http/10.1/security/2021-02-24-incorrect-handling-of-Transfer-Encoding-header.html
- https://snyk.io/vuln/SNYK-JAVA-COMTYPESAFEAKKA-1075043
Packages
Name: com.typesafe.akka:akka-http-core (maven)
Affected versions: >= 10.2.0, < 10.2.4
Fixed version: 10.2.4
Name: com.typesafe.akka:akka-http-core (maven)
Affected versions: < 10.1.14
Fixed version: 10.1.14
Related vulnerabilities
CVSS3: 5
nvd
almost 5 years ago
This affects all versions before 10.1.14 and from 10.2.0 to 10.2.4 of package com.typesafe.akka:akka-http-core. It allows multiple Transfer-Encoding headers.