CVE-2024-9622

A vulnerability was found in the resteasy-netty4 library arising from improper handling of malformed HTTP requests of the kind used in request smuggling. When a smuggled HTTP request containing an ASCII control character is sent, the Netty HttpObjectDecoder transitions into its BAD_MESSAGE state and stays there. As a result, every subsequent legitimate request on the same connection is ignored, so clients time out. This is a denial of service (the CVSS vectors below record an availability impact only); systems placed behind a load balancer are particularly exposed, because a load balancer typically reuses one backend connection for many clients, and a single poisoned connection then affects all of them.
HTTP Request/Response Smuggling
Provider   Type   Base Score   Atk. Vector   Atk. Complexity   Priv. Required   Vector
NIST       NIST   5.3 MEDIUM   NETWORK       LOW               NONE             CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
redhat     CNA    5.3 MEDIUM   NETWORK       LOW               NONE             CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CISA-ADP   ADP    ---          ---           ---               ---              ---

Awaiting analysis: this vulnerability is currently awaiting analysis.
EPSS Score: Percentile 27%
Ubuntu Releases

Ubuntu Product   Codename   Status             Fixed version
resteasy         plucky     Fixed (released)   3.6.2-3ubuntu0.25.04.1
resteasy         oracular   Fixed (released)   3.6.2-2ubuntu0.24.10.1
resteasy         noble      Fixed (released)   3.6.2-2ubuntu0.24.04.1~esm1
resteasy         jammy      Fixed (released)   3.6.2-2ubuntu0.22.04.1~esm1
resteasy         focal      Fixed (released)   3.6.2-2ubuntu0.20.04.1~esm1
resteasy         xenial     Fixed (released)   3.0.6-3ubuntu0.1~esm1
resteasy3.0      plucky     Fixed (released)   3.0.26-6ubuntu0.25.04.1
resteasy3.0      oracular   Fixed (released)   3.0.26-6ubuntu0.24.10.1
resteasy3.0      noble      Fixed (released)   3.0.26-6ubuntu0.24.04.1
resteasy3.0      jammy      Fixed (released)   3.0.26-3ubuntu0.1
resteasy3.0      focal      Fixed (released)   3.0.26-1ubuntu0.1~esm1
resteasy3.0      bionic     Fixed (released)   3.0.26-1~18.04.1~esm1