A vulnerable Akka HTTP server will accept a malformed message and hand it over to the user. If the user application proxies this message to another server unchanged and that server also accepts that message but interprets it as two HTTP messages, the second message has reached the second server without having been inspected by the proxy.
CPE | Name | Operator | Version |
---|---|---|---|
com.typesafe.akka:akka-http-core | eq | 3.0.0-RC1 |
doc.akka.io/docs/akka-http/10.1/security/2021-02-24-incorrect-handling-of-Transfer-Encoding-header.html
github.com/akka/akka-http/commit/e3a4935151c91cee28e65e6b894dd50839ef9d34
github.com/akka/akka-http/pull/3754%23issuecomment-779265201
nvd.nist.gov/vuln/detail/CVE-2021-23339
snyk.io/vuln/SNYK-JAVA-COMTYPESAFEAKKA-1075043