Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01d3ByLWNqOXAtOTU5cs4ABADn
HTTP Request Smuggling Leading to Client Timeouts in resteasy-netty4
A vulnerability was found in the resteasy-netty4 library arising from improper handling of malformed HTTP requests of the kind used in request-smuggling attacks. When a request containing an ASCII control character is sent, Netty's HttpObjectDecoder transitions into its BAD_MESSAGE state and the connection is left open rather than closed. In that state every subsequent request on the same connection, including legitimate ones, is silently discarded, so the client waits for a response that never arrives and times out. The impact is greatest behind load balancers and reverse proxies that reuse a small pool of persistent backend connections for many clients: a single malformed request poisons a connection that other users' traffic is then routed over.
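The practical consequence of the description above is that a Netty-based server must never keep serving a connection whose decoder has failed. The handler below is an added illustration, not RESTEasy's code or its actual fix: it is placed directly after HttpServerCodec in the pipeline and inspects each decoded HttpObject. Netty marks a message produced while the decoder is in BAD_MESSAGE with a failed DecoderResult (an ASCII control character in a header is one cause; an oversized header or an invalid request line are others), and from that point the decoder discards all further bytes on the connection. The handler therefore answers with 400 and closes the channel so the client (or the load balancer in front of it) opens a fresh connection instead of hanging. The class name and pipeline wiring are assumptions for the example; the Netty 4.1 API calls (decoderResult(), DecoderResult.isFailure(), ChannelFutureListener.CLOSE) are real.

```java
import io.netty.channel.ChannelFutureListener;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.channel.ChannelPipeline;
import io.netty.handler.codec.DecoderResult;
import io.netty.handler.codec.http.DefaultFullHttpResponse;
import io.netty.handler.codec.http.HttpHeaderNames;
import io.netty.handler.codec.http.HttpHeaderValues;
import io.netty.handler.codec.http.HttpObject;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.netty.handler.codec.http.HttpServerCodec;
import io.netty.handler.codec.http.HttpVersion;
import io.netty.util.ReferenceCountUtil;

/**
 * Added example (not part of resteasy-netty4): rejects any HTTP message that
 * Netty's HttpObjectDecoder failed to parse and closes the connection, so a
 * connection stuck in the decoder's BAD_MESSAGE state cannot swallow the
 * requests that follow it.
 */
public class RejectBadHttpMessageHandler extends ChannelInboundHandlerAdapter {

    @Override
    public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
        if (msg instanceof HttpObject) {
            DecoderResult result = ((HttpObject) msg).decoderResult();
            if (result.isFailure()) {
                // Release the partially decoded message; it must not reach the
                // application handlers (they would see a bogus request).
                ReferenceCountUtil.release(msg);

                // Tell the peer explicitly that this connection is finished, then
                // close it. Once the decoder is in BAD_MESSAGE it discards every
                // further byte, so keeping the socket open only produces timeouts.
                DefaultFullHttpResponse response = new DefaultFullHttpResponse(
                        HttpVersion.HTTP_1_1, HttpResponseStatus.BAD_REQUEST);
                response.headers().set(HttpHeaderNames.CONNECTION, HttpHeaderValues.CLOSE);
                response.headers().set(HttpHeaderNames.CONTENT_LENGTH, 0);
                ctx.writeAndFlush(response).addListener(ChannelFutureListener.CLOSE);
                return;
            }
        }
        // Well-formed message: hand it on to the next handler in the pipeline.
        ctx.fireChannelRead(msg);
    }

    /**
     * Example pipeline wiring (assumed layout): the guard must sit immediately
     * after the codec and before whatever handler dispatches to the application.
     */
    public static void install(ChannelPipeline pipeline, ChannelInboundHandlerAdapter appHandler) {
        pipeline.addLast("codec", new HttpServerCodec());
        pipeline.addLast("rejectBadMessages", new RejectBadHttpMessageHandler());
        pipeline.addLast("app", appHandler);
    }
}
```

To check whether a deployment is affected, send a request with a control character in a header and then a normal request on the same keep-alive connection (for example by pipelining both in one TCP stream); an affected server never answers the second request, while a server with a guard like the one above responds 400 and closes the connection after the first.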
Permalink: https://github.com/advisories/GHSA-5wpr-cj9p-959r
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01d3ByLWNqOXAtOTU5cs4ABADn
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 7 days ago
Updated: 7 days ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Identifiers: GHSA-5wpr-cj9p-959r, CVE-2024-9622
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-9622
- https://access.redhat.com/security/cve/CVE-2024-9622
- https://bugzilla.redhat.com/show_bug.cgi?id=2317179
- https://github.com/orgs/resteasy/discussions/4351
- https://github.com/resteasy/resteasy
- https://github.com/advisories/GHSA-5wpr-cj9p-959r
Blast Radius: 5.7
Affected Packages
maven:org.jboss.resteasy:resteasy-netty4-cdi
Dependent packages: 5
Dependent repositories: 12
Downloads:
Affected Version Ranges: < 7.0.0.Alpha3
No known fixed version
All affected versions: