Bug 2317179 (CVE-2024-9622) - CVE-2024-9622 resteasy-netty4-cdi: resteasy-netty4: resteasy-reactor-netty: HTTP Request Smuggling Leading to Client Timeouts in resteasy-netty4
Summary: CVE-2024-9622 resteasy-netty4-cdi: resteasy-netty4: resteasy-reactor-netty: H...
Keywords:
Status: NEW
Alias: CVE-2024-9622
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2024-10-08 08:47 UTC by OSIDB Bzimport
Modified: 2024-10-09 08:35 UTC (History)
CC: 41 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2024-10-08 08:47:14 UTC
The issue stems from the re-use of a connection that remains in a bad state after handling a smuggled request. While a 400 Bad Request is returned (expected), the Connection: keep-alive header allows the bad connection to persist, causing subsequent legitimate requests to fail. Possible fixes include closing the connection or resetting the decoder state.
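The mechanism above in working code, added here as an illustration and not taken from RESTEasy or its Netty integration: a minimal Netty 4.1 HTTP/1.1 server whose handler answers a decode failure with 400. With the CLOSE_ON_DECODE_FAILURE flag set to false it reproduces the bad state described in the bug (400 sent with Connection: keep-alive, channel left open); with it set to true it applies the "close the connection" fix. The class name, the flag, the port 8080 and the Netty 4.1 API usage are assumptions of this example. Netty's HttpObjectDecoder moves to its BAD_MESSAGE state after a decode failure and discards every further byte on that channel, which is why a kept-alive connection can never serve another request.

```java
import io.netty.bootstrap.ServerBootstrap;
import io.netty.buffer.Unpooled;
import io.netty.channel.ChannelFutureListener;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInitializer;
import io.netty.channel.EventLoopGroup;
import io.netty.channel.SimpleChannelInboundHandler;
import io.netty.channel.nio.NioEventLoopGroup;
import io.netty.channel.socket.SocketChannel;
import io.netty.channel.socket.nio.NioServerSocketChannel;
import io.netty.handler.codec.http.DefaultFullHttpResponse;
import io.netty.handler.codec.http.FullHttpResponse;
import io.netty.handler.codec.http.HttpHeaderNames;
import io.netty.handler.codec.http.HttpHeaderValues;
import io.netty.handler.codec.http.HttpObject;
import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.netty.handler.codec.http.HttpServerCodec;
import io.netty.handler.codec.http.HttpUtil;
import io.netty.handler.codec.http.HttpVersion;
import io.netty.handler.codec.http.LastHttpContent;
import io.netty.util.CharsetUtil;

/**
 * Example server (not RESTEasy's code). false reproduces the bug's failure
 * mode: a 400 with keep-alive on a channel whose decoder will never recover.
 * true is the "close the connection" fix.
 */
public class DecodeFailureServer {

    static final boolean CLOSE_ON_DECODE_FAILURE = true; // flip to false to reproduce
    static final int PORT = 8080;                        // assumed local test port

    static class Handler extends SimpleChannelInboundHandler<HttpObject> {
        private HttpRequest current; // request whose body is still being decoded

        @Override
        protected void channelRead0(ChannelHandlerContext ctx, HttpObject msg) {
            if (msg.decoderResult().isFailure()) {
                // HttpObjectDecoder is now in BAD_MESSAGE state: every later byte
                // on this channel is discarded, so a pipelined or subsequent
                // request on a kept-alive connection is never parsed and the
                // client waits until it times out.
                reply(ctx, HttpResponseStatus.BAD_REQUEST, "bad request\n",
                        CLOSE_ON_DECODE_FAILURE);
                current = null;
                return;
            }
            if (msg instanceof HttpRequest) {
                current = (HttpRequest) msg;
            }
            if (msg instanceof LastHttpContent && current != null) {
                // Well-formed request fully received: honour keep-alive as usual.
                reply(ctx, HttpResponseStatus.OK, "hello " + current.uri() + "\n",
                        !HttpUtil.isKeepAlive(current));
                current = null;
            }
        }

        private static void reply(ChannelHandlerContext ctx, HttpResponseStatus status,
                                  String body, boolean close) {
            FullHttpResponse res = new DefaultFullHttpResponse(HttpVersion.HTTP_1_1,
                    status, Unpooled.copiedBuffer(body, CharsetUtil.UTF_8));
            HttpUtil.setContentLength(res, res.content().readableBytes());
            if (close) {
                // Announce the close to the client, then close once flushed.
                res.headers().set(HttpHeaderNames.CONNECTION, HttpHeaderValues.CLOSE);
                ctx.writeAndFlush(res).addListener(ChannelFutureListener.CLOSE);
            } else {
                // Vulnerable variant: the connection persists in its bad state.
                res.headers().set(HttpHeaderNames.CONNECTION, HttpHeaderValues.KEEP_ALIVE);
                ctx.writeAndFlush(res);
            }
        }
    }

    public static void main(String[] args) throws InterruptedException {
        EventLoopGroup boss = new NioEventLoopGroup(1);
        EventLoopGroup worker = new NioEventLoopGroup();
        try {
            ServerBootstrap b = new ServerBootstrap()
                    .group(boss, worker)
                    .channel(NioServerSocketChannel.class)
                    .childHandler(new ChannelInitializer<SocketChannel>() {
                        @Override
                        protected void initChannel(SocketChannel ch) {
                            ch.pipeline().addLast(new HttpServerCodec(), new Handler());
                        }
                    });
            b.bind(PORT).sync().channel().closeFuture().sync();
        } finally {
            boss.shutdownGracefully();
            worker.shutdownGracefully();
        }
    }
}
```

To check a build, send a request the decoder rejects and a valid request in the same TCP connection, for example a chunked POST whose chunk size is not hexadecimal ("zz") followed by a plain GET, e.g. with printf piped into nc on port 8080 (constructed probe, not from the bug report). With the flag false the client receives one 400 with Connection: keep-alive and then nothing for the GET until it gives up; with the flag true the 400 carries Connection: close and the socket is shut, so the client reconnects and the GET succeeds. The same probe against a deployed server tells you whether it is affected: a 400 with keep-alive followed by silence on the second request is the symptom the bug describes.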

