CVE-2024-24791

Denial of service due to improper 100-continue handling in net/http

Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

INFO

Published Date :

2024-07-02T21:28:25.677Z

Last Modified :

2024-10-04T15:02:46.565Z

Source :

Go

AFFECTED PRODUCTS

The following products are affected by CVE-2024-24791 vulnerability.

Vendors	Products
Go Standard Library	Net\/http
Redhat	Amq Streams Ceph Storage Container Native Virtualization Cost Management Cryostat Enterprise Linux Kube Descheduler Operator Logging Network Observ Optr Openshift Openshift Api Data Protection Openshift Custom Metrics Autoscaler Openshift Data Foundation Openshift Secondary Scheduler Rhdh Rhel Els Rhel Eus Rhmt Run Once Duration Override Operator

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-24791.

URL	Resource
https://go.dev/cl/591255
https://go.dev/issue/67555
https://groups.google.com/g/golang-dev/c/t0rK-qHBqzY/m/6MMoAZkMAgAJ
https://nvd.nist.gov/vuln/detail/CVE-2024-24791
https://pkg.go.dev/vuln/GO-2024-2963
https://security.netapp.com/advisory/ntap-20241004-0004/
https://www.cve.org/CVERecord?id=CVE-2024-24791

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact