CVE-2024-40642: Absent Input Validation in BinaryHttpParser
BinaryHttpParser does not properly validate input values thus giving attackers almost complete control over the HTTP requests constructed from the parsed output. Attackers can abuse several issues individually to perform various injection attacks including HTTP request smuggling, desync attacks, HTTP header injections, request queue poisoning, caching attacks and Server Side Request Forgery (SSRF). Attacker could also combine several issues to create well-formed messages for other text-based protocols which may result in attacks beyond the HTTP protocol.
References
- github.com/advisories/GHSA-q8f2-hxq5-cp4h
- github.com/netty/netty-incubator-codec-ohttp
- github.com/netty/netty-incubator-codec-ohttp/commit/b687a0cf6ea1030232ea204d73bce82f2698e571
- github.com/netty/netty-incubator-codec-ohttp/security/advisories/GHSA-q8f2-hxq5-cp4h
- nvd.nist.gov/vuln/detail/CVE-2024-40642
Detect and mitigate CVE-2024-40642 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →