CVE-2024-52530

Nov. 12, 2024, 7:35 p.m.

7.5
High

Description

GNOME libsoup before 3.6.0 allows HTTP request smuggling in some configurations because '\0' characters at the end of header names are ignored, i.e., a "Transfer-Encoding\0: chunked" header is treated the same as a "Transfer-Encoding: chunked" header.

Product(s) Impacted

Product Versions
GNOME libsoup
  • before 3.6.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

References

https://gitlab.gnome.org/GNOME/libsoup/-/issues/377
https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/402
https://gitlab.gnome.org/Teams/Releng/security/-/wikis/home

Tags

cve@mitre.org
CWE-444
2024-11-11
CVE-2024-52530

CVSS Score

7.5 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: HIGH
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

    View Vector String

Timeline

Published: Nov. 11, 2024, 8:15 p.m.
Last Modified: Nov. 12, 2024, 7:35 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

cve@mitre.org

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.