Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cveGoCVE-2024-24791
HistoryJul 02, 2024 - 10:15 p.m.

CVE-2024-24791

2024-07-0222:15:04
Go
web.nvd.nist.gov
49
21
net/http
100-continue
denial of service

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

6.5

Confidence

High

EPSS

0

Percentile

15.8%

JSON

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an “Expect: 100-continue” header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending “Expect: 100-continue” requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

CNA Affected

[
  {
    "vendor": "Go standard library",
    "product": "net/http",
    "collectionURL": "https://pkg.go.dev",
    "packageName": "net/http",
    "versions": [
      {
        "version": "0",
        "lessThan": "1.21.12",
        "status": "affected",
        "versionType": "semver"
      },
      {
        "version": "1.22.0-0",
        "lessThan": "1.22.5",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "programRoutines": [
      {
        "name": "persistConn.readResponse"
      },
      {
        "name": "Client.CloseIdleConnections"
      },
      {
        "name": "Client.Do"
      },
      {
        "name": "Client.Get"
      },
      {
        "name": "Client.Head"
      },
      {
        "name": "Client.Post"
      },
      {
        "name": "Client.PostForm"
      },
      {
        "name": "Get"
      },
      {
        "name": "Head"
      },
      {
        "name": "Post"
      },
      {
        "name": "PostForm"
      },
      {
        "name": "Transport.CancelRequest"
      },
      {
        "name": "Transport.CloseIdleConnections"
      },
      {
        "name": "Transport.RoundTrip"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Social References

More

Related

osv 199
fedora 1
osv
osv
CGA-fv99-g282-72fq
2024-07-15 21:57:40
CGA-8qf5-4vwr-jmgr
2024-07-15 21:54:52
CGA-fp6j-q7hc-8xvc
2024-07-15 21:57:29
fedora
fedora
[SECURITY] Fedora 39 Update: golang-1.21.12-1.fc39
2024-07-17 01:18:52

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

6.5

Confidence

High

EPSS

0

Percentile

15.8%

JSON
Related for CVE-2024-24791
osv199fedora1