Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
rubygemsRubySecRUBY:PROTOCOL-HTTP1-2023-38697
HistoryAug 02, 2023 - 9:00 p.m.

protocol-http1 HTTP Request/Response Smuggling vulnerability

2023-08-0221:00:00
RubySec
github.com
7
rfc 9112
content-length header
chunk size
chunk extension
falcon
desync
http request smuggling
firewall bypassing
protocol-http1
v0.15.1+.

CVSS3

5.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

EPSS

0.001

Percentile

45.0%

JSON

Impact

RFC 9112 Section 7.1
defined the format of chunk size, chunk data and chunk
extension (detailed ABNF is in Appendix section).

In summary:

  • The value of Content-Length header should be a string of 0-9 digits.
  • The chunk size should be a string of hex digits and should split
    from chunk data using CRLF.
  • The chunk extension shouldn’t contain any invisible character.

However, we found that Falcon has following behaviors while
disobey the corresponding RFCs.

  • Falcon accepts Content-Length header values that have “+” prefix.
  • Falcon accepts Content-Length header values that written in
    hexadecimal with “0x” prefix.
  • Falcon accepts “0x” and “+” prefixed chunk size.
  • Falcon accepts LF in chunk extension.

This behavior can lead to desync when forwarding through multiple
HTTP parsers, potentially results in HTTP request smuggling and
firewall bypassing. Note that while these issues were reproduced
in Falcon (the server), the issue is with protocol-http1 which
implements the HTTP/1 protocol parser. We have not yet been advised
of any real world exploit or practical attack.

Patches

Fixed in protocol-http1 v0.15.1+.

Workarounds

No.

References

https://github.com/socketry/protocol-http1/pull/20

Affected configurations

Vulners
Node
rubyprotocol-http1Range0.15.1
VendorProductVersionCPE
rubyprotocol-http1*cpe:2.3:a:ruby:protocol-http1:*:*:*:*:*:*:*:*

Related

nessus 1
ubuntucve 1
redhatcve 1
osv 2
veracode 1
github 1
cve 1
cvelist 1
cbl_mariner 1
nvd 1
prion 1
debiancve 1
ibm 1
nessus
nessus
CBL Mariner 2.0 Security Update: rubygem-protocol-http1 (CVE-2023-38697)
2023-08-31 00:00:00
ubuntucve
ubuntucve
CVE-2023-38697
2023-08-04 00:00:00
redhatcve
redhatcve
CVE-2023-38697
2023-08-05 15:48:44
osv
osv
protocol-http1 HTTP Request/Response Smuggling vulnerability
2023-08-03 16:36:34
CVE-2023-38697
2023-08-04 18:15:15
veracode
veracode
HTTP Request Smuggling
2023-08-07 10:02:17
github
github
protocol-http1 HTTP Request/Response Smuggling vulnerability
2023-08-03 16:36:34
cve
cve
CVE-2023-38697
2023-08-04 18:15:15
cvelist
cvelist
CVE-2023-38697 protocol-http1 HTTP Request/Response Smuggling vulnerability
2023-08-04 17:32:51
cbl_mariner
cbl_mariner
CVE-2023-38697 affecting package rubygem-protocol-http1 for versions less than 0.15.1-1
2023-08-30 14:44:06
nvd
nvd
CVE-2023-38697
2023-08-04 18:15:15
prion
prion
Design/Logic Flaw
2023-08-04 18:15:00
debiancve
debiancve
CVE-2023-38697
2023-08-04 18:15:15
ibm
ibm
Security Bulletin: IBM Cloud Pak for Network Automation 2.6.4 fixes multiple security vulnerabilities
2023-12-15 14:31:02

CVSS3

5.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

EPSS

0.001

Percentile

45.0%

JSON
Related for RUBY:PROTOCOL-HTTP1-2023-38697
nessus1ubuntucve1redhatcve1osv2veracode1github1cve1cvelist1cbl_mariner1nvd1prion1debiancve1ibm1