CVE-2024-24791

Denial of service due to improper 100-continue handling in net/http

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

El cliente net/http HTTP/1.1 manejó mal el caso en el que un servidor responde a una solicitud con un encabezado "Expect: 100-continue" con un estado no informativo (200 o superior). Este mal manejo podría dejar una conexión de cliente en un estado no válido, donde la siguiente solicitud enviada a la conexión fallará. Un atacante que envía una solicitud a un proxy net/http/httputil.ReverseProxy puede aprovechar este mal manejo para provocar una denegación de servicio enviando solicitudes "Esperar: 100-continuar" que provocan una respuesta no informativa del backend. Cada una de estas solicitudes deja al proxy con una conexión no válida y provoca que falle una solicitud posterior que utiliza esa conexión.

A flaw was found in Go. The net/http module mishandles specific server responses from HTTP/1.1 client requests. This issue may render a connection invalid and cause a denial of service.

*Credits: Geoff Franks

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-01-30 CVE Reserved
2024-07-02 CVE Published
2024-07-03 EPSS Updated
2024-08-01 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation

CAPEC

References (6)

URL	Tag	Source
https://go.dev/cl/591255
https://go.dev/issue/67555
https://groups.google.com/g/golang-dev/c/t0rK-qHBqzY/m/6MMoAZkMAgAJ
https://pkg.go.dev/vuln/GO-2024-2963

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-24791	2024-09-09
https://bugzilla.redhat.com/show_bug.cgi?id=2295310	2024-09-09

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Go Standard Library Search vendor "Go Standard Library"		Net/http Search vendor "Go Standard Library" for product "Net/http"				< 1.21.12 Search vendor "Go Standard Library" for product "Net/http" and version " < 1.21.12"		en		Affected
Go Standard Library Search vendor "Go Standard Library"		Net/http Search vendor "Go Standard Library" for product "Net/http"				>= 1.22.0-0 < 1.22.5 Search vendor "Go Standard Library" for product "Net/http" and version " >= 1.22.0-0 < 1.22.5"		en		Affected