Fluid Attacks Database

Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	golang-1.15	=1.15.15-1 \|\| =1.15.15-1~deb11u1 \|\| =1.15.15-1~deb11u2 \|\| =1.15.15-1~deb11u3 \|\| =1.15.15-1~deb11u4 \|\| =1.15.15-2 \|\| =1.15.15-3 \|\| =1.15.15-4 \|\| =1.15.15-5 \|\| =1.15.9-6	-
debian 12	golang-1.19	=1.19.10-1 \|\| =1.19.10-2 \|\| =1.19.11-1 \|\| =1.19.12-1 \|\| =1.19.12-2 \|\| =1.19.12-2~bpo11+1 \|\| =1.19.12-2~bpo12+1 \|\| =1.19.13-1 \|\| =1.19.13-1~bpo11+1 \|\| =1.19.13-1~bpo12+1 \|\| =1.19.8-2 \|\| =1.19.9-1	-
go	stdlib	>=0 <1.21.12	1.21.12
rpm rhel9	containernetworking-plugins	<1:1.5.1-2.el9	1:1.5.1-2.el9
rpm rhel8.8	go-toolset	<0:1.19.13-2.module+el8.8.0+22004+c5f8797c	0:1.19.13-2.module+el8.8.0+22004+c5f8797c
rpm rhel9	weldr-client	-	-
rpm rhel9	butane	-	-
rpm rhel8	weldr-client	-	-
rpm rhel9	ignition	-	-
rpm rhel10	podman	-	-

1-10 of 24

Aliases

1. CVE-2024-247912. NVD-2024-247913. OSV-DEBIAN-2024-247914. OSV-2024-247915. OSV-GO-2024-29636. GCVE-2024-247917. SECURITY-TRACKER-CVE-2024-24791

References

1. https://go.dev/cl/5912552. https://go.dev/issue/675553. https://groups.google.com/g/golang-dev/c/t0rK-qHBqzY/m/6MMoAZkMAgAJ

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.