CVE-2021-23339
MEDIUM6.5EPSS 0.21%HTTP Request Smuggling in akka-http-core
發布日:2021/5/10修改日:2026/3/13
描述
A vulnerable Akka HTTP server will accept a malformed message and hand it over to the user. If the user application proxies this message to another server unchanged and that server also accepts that message but interprets it as two HTTP messages, the second message has reached the second server without having been inspected by the proxy.
受影響套件(1)
- Maven/com.typesafe.akka:akka-http-core>= 10.2.0, < 10.2.4
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
參考連結(5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-23339
- WEBhttps://doc.akka.io/docs/akka-http/10.1/security/2021-02-24-incorrect-handling-of-Transfer-Encoding-header.html
- WEBhttps://github.com/akka/akka-http/commit/e3a4935151c91cee28e65e6b894dd50839ef9d34
- WEBhttps://github.com/akka/akka-http/pull/3754%23issuecomment-779265201
- WEBhttps://snyk.io/vuln/SNYK-JAVA-COMTYPESAFEAKKA-1075043