Lucene search

Alpine Linux Development TeamALPINE:CVE-2024-24791

HistoryJul 02, 2024 - 10:15 p.m.

CVE-2024-24791

2024-07-0222:15:04

Alpine Linux Development Team

security.alpinelinux.org

net/http client

http/1.1

server response

denial of service

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

6.8

Confidence

High

JSON

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an “Expect: 100-continue” header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending “Expect: 100-continue” requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

OSVersionArchitecturePackageVersionFilename
Alpineedge-communitynoarchgo< 1.22.5-r0UNKNOWN
Alpine3.20-communitynoarchgo< 1.22.5-r0UNKNOWN

OS	Version	Architecture	Package	Version	Filename
Alpine	edge-community	noarch	go	< 1.22.5-r0	UNKNOWN
Alpine	3.20-community	noarch	go	< 1.22.5-r0	UNKNOWN

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

6.8

Confidence

High

JSON

Related for ALPINE:CVE-2024-24791