CVE-2024-24791

EUVD-2024-22168

02.07.2024, 22:15

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 77%

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
go_standard_library	net\/http	𝑥 < 1.21.12	ADP
go_standard_library	net\/http	1.22.0-0 ≤ 𝑥 < 1.22.5	ADP

Debian Releases

Debian Product

Codename

golang-1.15

bookworm	no-dsa
bullseye	vulnerable

golang-1.19

bookworm	vulnerable
bullseye	no-dsa

Ubuntu Releases

Ubuntu Product

Codename

golang

focal	dne
jammy	dne
mantic	dne
noble	dne
oracular	dne
plucky	dne
questing	dne

golang-1.6

focal	dne
jammy	dne
mantic	dne
noble	dne
oracular	dne
plucky	dne
questing	dne
xenial	needs-triage

golang-1.8

bionic	needs-triage
focal	dne
jammy	dne
mantic	dne
noble	dne
oracular	dne
plucky	dne
questing	dne

golang-1.9

bionic	needs-triage
focal	dne
jammy	dne
mantic	dne
noble	dne
oracular	dne
plucky	dne
questing	dne

golang-1.10

bionic	needs-triage
focal	dne
jammy	dne
mantic	dne
noble	dne
oracular	dne
plucky	dne
questing	dne
trusty	needs-triage
xenial	needs-triage

golang-1.13

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
mantic	dne
noble	dne
oracular	dne
plucky	dne
questing	dne
xenial	needs-triage

golang-1.14

focal	needs-triage
jammy	dne
mantic	dne
noble	dne
oracular	dne
plucky	dne
questing	dne

golang-1.16

bionic	needs-triage
focal	needs-triage
jammy	dne
mantic	dne
noble	dne
oracular	dne
plucky	dne
questing	dne

golang-1.17

focal	dne
jammy	Fixed 1.17.13-3ubuntu1.3 released
mantic	dne
noble	dne
oracular	dne
plucky	dne
questing	dne

golang-1.18

bionic	Fixed 1.18.1-1ubuntu1~18.04.4+esm1 released
focal	Fixed 1.18.1-1ubuntu1~20.04.3 released
jammy	Fixed 1.18.1-1ubuntu1.2 released
mantic	dne
noble	dne
oracular	dne
plucky	dne
questing	dne
xenial	Fixed 1.18.1-1ubuntu1~16.04.6+esm1 released

golang-1.19

focal	dne
jammy	dne
mantic	dne
noble	dne
oracular	dne
plucky	dne
questing	dne

golang-1.20

focal	needs-triage
jammy	needs-triage
mantic	ignored
noble	dne
oracular	dne
plucky	dne
questing	dne

golang-1.21

focal	needs-triage
jammy	needs-triage
mantic	ignored
noble	needs-triage
oracular	dne
plucky	dne
questing	dne

golang-1.22

focal	Fixed 1.22.2-2~20.04.2 released
jammy	Fixed 1.22.2-2~22.04.2 released
mantic	ignored
noble	Fixed 1.22.2-2ubuntu0.3 released
oracular	not-affected
plucky	dne
questing	dne

openSUSE / SLES Releases

openSUSE Product

Release

container-suseconnect

suse enterprise server 15 SP3	2.5.0-150000.4.55.1 fixed
suse enterprise server 15 SP4	2.5.0-150000.4.55.1 fixed

Red Hat Enterprise Linux Releases

Red Hat Product

Release

buildah

RHEL 9

2:1.37.2-1.el9

fixed

buildah-tests

RHEL 9

2:1.37.2-1.el9

fixed

containernetworking-plugins

RHEL 9

1:1.5.1-2.el9

fixed

git-lfs

RHEL 9

0:3.6.1-1.el9

fixed

go-toolset

RHEL 9

0:1.21.13-3.el9_4

fixed

golang

RHEL 9

0:1.21.13-3.el9_4

fixed

golang-bin

RHEL 9

0:1.21.13-3.el9_4

fixed

golang-docs

RHEL 9

0:1.21.13-3.el9_4

fixed

golang-misc

RHEL 9

0:1.21.13-3.el9_4

fixed

golang-src

RHEL 9

0:1.21.13-3.el9_4

fixed

golang-tests

RHEL 9

0:1.21.13-3.el9_4

fixed

grafana

RHEL 8	0:9.2.10-18.el8_10 fixed
RHEL 9	0:10.2.6-4.el9 fixed

grafana-selinux

RHEL 8	0:9.2.10-18.el8_10 fixed
RHEL 9	0:10.2.6-4.el9 fixed

podman

RHEL 9

2:5.2.2-1.el9

fixed

podman-docker

RHEL 9

2:5.2.2-1.el9

fixed

podman-plugins

RHEL 9

2:5.2.2-1.el9

fixed

podman-remote

RHEL 9

2:5.2.2-1.el9

fixed

podman-tests

RHEL 9

2:5.2.2-1.el9

fixed

skopeo

RHEL 9

2:1.16.1-1.el9

fixed

skopeo-tests

RHEL 9

2:1.16.1-1.el9

fixed

toolbox

RHEL 9

0:0.0.99.5-5.el9

fixed

toolbox-tests

RHEL 9

0:0.0.99.5-5.el9

fixed

References

https://go.dev/cl/591255

https://go.dev/issue/67555

https://groups.google.com/g/golang-dev/c/t0rK-qHBqzY/m/6MMoAZkMAgAJ

https://pkg.go.dev/vuln/GO-2024-2963

https://go.dev/cl/591255

https://go.dev/issue/67555

https://groups.google.com/g/golang-dev/c/t0rK-qHBqzY/m/6MMoAZkMAgAJ

https://pkg.go.dev/vuln/GO-2024-2963

https://security.netapp.com/advisory/ntap-20241004-0004/