Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJ3N3ctMmo5Mi00NGh4
HTTP Request Smuggling in akka-http-core
A vulnerable Akka HTTP server will accept a malformed message and hand it over to the user. If the user application proxies this message to another server unchanged and that server also accepts that message but interprets it as two HTTP messages, the second message has reached the second server without having been inspected by the proxy.
Permalink: https://github.com/advisories/GHSA-2w7w-2j92-44hxJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJ3N3ctMmo5Mi00NGh4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: 7 months ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Identifiers: GHSA-2w7w-2j92-44hx, CVE-2021-23339
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-23339
- https://github.com/akka/akka-http/pull/3754%23issuecomment-779265201
- https://github.com/akka/akka-http/commit/e3a4935151c91cee28e65e6b894dd50839ef9d34
- https://doc.akka.io/docs/akka-http/10.1/security/2021-02-24-incorrect-handling-of-Transfer-Encoding-header.html
- https://snyk.io/vuln/SNYK-JAVA-COMTYPESAFEAKKA-1075043
- https://github.com/advisories/GHSA-2w7w-2j92-44hx
Affected Packages
maven:com.typesafe.akka:akka-http-core
Versions: < 10.1.14, >= 10.2.0, < 10.2.4Fixed in: 10.1.14, 10.2.4