CVE-2021-23339 – com.typesafe.akka:akka-http-core
Package
Manager: maven
Name: com.typesafe.akka:akka-http-core
Vulnerable Version: >=10.2.0 <10.2.4 || >=0 <10.1.14
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00211 (percentile: 0.43637)
Details
HTTP Request Smuggling in akka-http-core

A vulnerable Akka HTTP server will accept a malformed message and hand it over to the user. If the user application proxies this message to another server unchanged and that server also accepts that message but interprets it as two HTTP messages, the second message has reached the second server without having been inspected by the proxy.
Metadata
Created: 2021-05-10T15:17:09Z
Modified: 2021-03-19T22:36:01Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-2w7w-2j92-44hx/GHSA-2w7w-2j92-44hx.json
CWE IDs: ["CWE-444"]
Alternative ID: GHSA-2w7w-2j92-44hx
Finding: F110
Auto approve: 1