CVE-2023-38697

{"id": "CVE-2023-38697", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2023-08-04T18:15:15.010", "references": [{"url": "https://github.com/socketry/protocol-http1/commit/e11fc164fd2b36f7b7e785e69fa8859eb06bcedd", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/socketry/protocol-http1/pull/20", "tags": ["Issue Tracking"], "source": "security-advisories@github.com"}, {"url": "https://github.com/socketry/protocol-http1/security/advisories/GHSA-6jwc-qr2q-7xwj", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://www.rfc-editor.org/rfc/rfc9112#name-chunked-transfer-coding", "tags": ["Technical Description"], "source": "security-advisories@github.com"}, {"url": "https://github.com/socketry/protocol-http1/commit/e11fc164fd2b36f7b7e785e69fa8859eb06bcedd", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/socketry/protocol-http1/pull/20", "tags": ["Issue Tracking"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/socketry/protocol-http1/security/advisories/GHSA-6jwc-qr2q-7xwj", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.rfc-editor.org/rfc/rfc9112#name-chunked-transfer-coding", "tags": ["Technical Description"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-444"}]}], "descriptions": [{"lang": "en", "value": "protocol-http1 provides a low-level implementation of the HTTP/1 protocol. RFC 9112 Section 7.1 defined the format of chunk size, chunk data and chunk extension. The value of Content-Length header should be a string of 0-9 digits, the chunk size should be a string of hex digits and should split from chunk data using CRLF, and the chunk extension shouldn't contain any invisible character. However, Falcon has following behaviors while disobey the corresponding RFCs: accepting Content-Length header values that have `+` prefix, accepting Content-Length header values that written in hexadecimal with `0x` prefix, accepting `0x` and `+` prefixed chunk size, and accepting LF in chunk extension. This behavior can lead to desync when forwarding through multiple HTTP parsers, potentially results in HTTP request smuggling and firewall bypassing. This issue is fixed in `protocol-http1` v0.15.1. There are no known workarounds."}, {"lang": "es", "value": "protocol-http1 proporciona una implementaci\u00f3n de bajo nivel del protocolo HTTP/1. La secci\u00f3n 7.1 del RFC 9112 define el formato del tama\u00f1o del fragmento, los datos del fragmento y la extensi\u00f3n del fragmento. El valor de la cabecera Content-Length debe ser una cadena de 0-9 d\u00edgitos, el tama\u00f1o del fragmento debe ser una cadena de d\u00edgitos hexadecimales y debe separarse de los datos del fragmento mediante CRLF, y la extensi\u00f3n del fragmento no debe contener ning\u00fan car\u00e1cter invisible. Sin embargo, Falcon tiene los siguientes comportamientos mientras desobedece las RFCs correspondientes: aceptar valores de cabecera Content-Length que tengan prefijo `+`, aceptar valores de cabecera Content-Length que est\u00e9n escritos en hexadecimal con prefijo `0x`, aceptar tama\u00f1o de fragmento con prefijo `0x` y `+`, y aceptar LF en la extensi\u00f3n de fragmento. Este comportamiento puede conducir a la desincronizaci\u00f3n cuando se reenv\u00eda a trav\u00e9s de m\u00faltiples analizadores HTTP, lo que puede dar lugar al contrabando de peticiones HTTP y a la evasi\u00f3n del cortafuegos. Este problema se ha solucionado en `protocol-http1` v0.15.1. No se conocen alternativas."}], "lastModified": "2024-11-21T08:14:04.553", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:socketry:protocol-http1:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "801B6245-B6B9-4B32-91DF-3426663F2536", "versionEndExcluding": "0.15.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}