-
-
Notifications
You must be signed in to change notification settings - Fork 231
Expand file tree
/
Copy pathCVE-2023-38697.yml
More file actions
58 lines (46 loc) · 1.98 KB
/
CVE-2023-38697.yml
File metadata and controls
58 lines (46 loc) · 1.98 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
---
gem: protocol-http1
cve: 2023-38697
ghsa: 6jwc-qr2q-7xwj
url: https://github.com/socketry/protocol-http1/security/advisories/GHSA-6jwc-qr2q-7xwj
title: protocol-http1 HTTP Request/Response Smuggling vulnerability
date: 2023-08-03
description: |
### Impact
[RFC 9112 Section 7.1](https://www.rfc-editor.org/rfc/rfc9112#name-chunked-transfer-coding)
defined the format of chunk size, chunk data and chunk
extension (detailed ABNF is in Appendix section).
In summary:
- The value of Content-Length header should be a string of 0-9 digits.
- The chunk size should be a string of hex digits and should split
from chunk data using CRLF.
- The chunk extension shouldn't contain any invisible character.
However, we found that Falcon has following behaviors while
disobey the corresponding RFCs.
- Falcon accepts Content-Length header values that have "+" prefix.
- Falcon accepts Content-Length header values that written in
hexadecimal with "0x" prefix.
- Falcon accepts "0x" and "+" prefixed chunk size.
- Falcon accepts LF in chunk extension.
This behavior can lead to desync when forwarding through multiple
HTTP parsers, potentially results in HTTP request smuggling and
firewall bypassing. Note that while these issues were reproduced
in Falcon (the server), the issue is with `protocol-http1` which
implements the HTTP/1 protocol parser. We have not yet been advised
of any real world exploit or practical attack.
### Patches
Fixed in `protocol-http1` v0.15.1+.
### Workarounds
No.
### References
https://github.com/socketry/protocol-http1/pull/20
cvss_v3: 5.8
patched_versions:
- ">= 0.15.1"
related:
url:
- https://github.com/socketry/protocol-http1/security/advisories/GHSA-6jwc-qr2q-7xwj
- https://github.com/socketry/protocol-http1/pull/20
- https://github.com/socketry/protocol-http1/commit/e11fc164fd2b36f7b7e785e69fa8859eb06bcedd
- https://github.com/advisories/GHSA-6jwc-qr2q-7xwj
notes: "CVE-2023-38697 not yet published"