{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-38697", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-07-24T16:19:28.364Z", "datePublished": "2023-08-04T17:32:51.164Z", "dateUpdated": "2024-10-04T19:39:00.470Z"}, "containers": {"cna": {"title": " protocol-http1 HTTP Request/Response Smuggling vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-444", "lang": "en", "description": "CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/socketry/protocol-http1/security/advisories/GHSA-6jwc-qr2q-7xwj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/socketry/protocol-http1/security/advisories/GHSA-6jwc-qr2q-7xwj"}, {"name": "https://github.com/socketry/protocol-http1/pull/20", "tags": ["x_refsource_MISC"], "url": "https://github.com/socketry/protocol-http1/pull/20"}, {"name": "https://github.com/socketry/protocol-http1/commit/e11fc164fd2b36f7b7e785e69fa8859eb06bcedd", "tags": ["x_refsource_MISC"], "url": "https://github.com/socketry/protocol-http1/commit/e11fc164fd2b36f7b7e785e69fa8859eb06bcedd"}, {"name": "https://www.rfc-editor.org/rfc/rfc9112#name-chunked-transfer-coding", "tags": ["x_refsource_MISC"], "url": "https://www.rfc-editor.org/rfc/rfc9112#name-chunked-transfer-coding"}], "affected": [{"vendor": "socketry", "product": "protocol-http1", "versions": [{"version": "< 0.15.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-08-04T17:32:51.164Z"}, "descriptions": [{"lang": "en", "value": "protocol-http1 provides a low-level implementation of the HTTP/1 protocol. RFC 9112 Section 7.1 defined the format of chunk size, chunk data and chunk extension. The value of Content-Length header should be a string of 0-9 digits, the chunk size should be a string of hex digits and should split from chunk data using CRLF, and the chunk extension shouldn't contain any invisible character. However, Falcon has following behaviors while disobey the corresponding RFCs: accepting Content-Length header values that have `+` prefix, accepting Content-Length header values that written in hexadecimal with `0x` prefix, accepting `0x` and `+` prefixed chunk size, and accepting LF in chunk extension. This behavior can lead to desync when forwarding through multiple HTTP parsers, potentially results in HTTP request smuggling and firewall bypassing. This issue is fixed in `protocol-http1` v0.15.1. There are no known workarounds."}], "source": {"advisory": "GHSA-6jwc-qr2q-7xwj", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:46:56.817Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/socketry/protocol-http1/security/advisories/GHSA-6jwc-qr2q-7xwj", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/socketry/protocol-http1/security/advisories/GHSA-6jwc-qr2q-7xwj"}, {"name": "https://github.com/socketry/protocol-http1/pull/20", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/socketry/protocol-http1/pull/20"}, {"name": "https://github.com/socketry/protocol-http1/commit/e11fc164fd2b36f7b7e785e69fa8859eb06bcedd", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/socketry/protocol-http1/commit/e11fc164fd2b36f7b7e785e69fa8859eb06bcedd"}, {"name": "https://www.rfc-editor.org/rfc/rfc9112#name-chunked-transfer-coding", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.rfc-editor.org/rfc/rfc9112#name-chunked-transfer-coding"}]}, {"affected": [{"vendor": "socketry", "product": "protocol-http1", "cpes": ["cpe:2.3:a:socketry:protocol-http1:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "0.15.1", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-04T19:38:03.473705Z", "id": "CVE-2023-38697", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-04T19:39:00.470Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/socketry/protocol-http1/security/advisories/GHSA-6jwc-qr2q-7xwj", "name": "https://github.com/socketry/protocol-http1/security/advisories/GHSA-6jwc-qr2q-7xwj", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/socketry/protocol-http1/pull/20", "name": "https://github.com/socketry/protocol-http1/pull/20", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/socketry/protocol-http1/commit/e11fc164fd2b36f7b7e785e69fa8859eb06bcedd", "name": "https://github.com/socketry/protocol-http1/commit/e11fc164fd2b36f7b7e785e69fa8859eb06bcedd", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://www.rfc-editor.org/rfc/rfc9112#name-chunked-transfer-coding", "name": "https://www.rfc-editor.org/rfc/rfc9112#name-chunked-transfer-coding", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:46:56.817Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-38697", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-04T19:38:03.473705Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:socketry:protocol-http1:*:*:*:*:*:*:*:*"], "vendor": "socketry", "product": "protocol-http1", "versions": [{"status": "affected", "version": "0", "lessThan": "0.15.1", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-04T19:38:52.322Z"}}], "cna": {"title": " protocol-http1 HTTP Request/Response Smuggling vulnerability", "source": {"advisory": "GHSA-6jwc-qr2q-7xwj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "socketry", "product": "protocol-http1", "versions": [{"status": "affected", "version": "< 0.15.1"}]}], "references": [{"url": "https://github.com/socketry/protocol-http1/security/advisories/GHSA-6jwc-qr2q-7xwj", "name": "https://github.com/socketry/protocol-http1/security/advisories/GHSA-6jwc-qr2q-7xwj", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/socketry/protocol-http1/pull/20", "name": "https://github.com/socketry/protocol-http1/pull/20", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/socketry/protocol-http1/commit/e11fc164fd2b36f7b7e785e69fa8859eb06bcedd", "name": "https://github.com/socketry/protocol-http1/commit/e11fc164fd2b36f7b7e785e69fa8859eb06bcedd", "tags": ["x_refsource_MISC"]}, {"url": "https://www.rfc-editor.org/rfc/rfc9112#name-chunked-transfer-coding", "name": "https://www.rfc-editor.org/rfc/rfc9112#name-chunked-transfer-coding", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "protocol-http1 provides a low-level implementation of the HTTP/1 protocol. RFC 9112 Section 7.1 defined the format of chunk size, chunk data and chunk extension. The value of Content-Length header should be a string of 0-9 digits, the chunk size should be a string of hex digits and should split from chunk data using CRLF, and the chunk extension shouldn't contain any invisible character. However, Falcon has following behaviors while disobey the corresponding RFCs: accepting Content-Length header values that have `+` prefix, accepting Content-Length header values that written in hexadecimal with `0x` prefix, accepting `0x` and `+` prefixed chunk size, and accepting LF in chunk extension. This behavior can lead to desync when forwarding through multiple HTTP parsers, potentially results in HTTP request smuggling and firewall bypassing. This issue is fixed in `protocol-http1` v0.15.1. There are no known workarounds."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-444", "description": "CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-08-04T17:32:51.164Z"}}}, "cveMetadata": {"cveId": "CVE-2023-38697", "state": "PUBLISHED", "dateUpdated": "2024-10-04T19:39:00.470Z", "dateReserved": "2023-07-24T16:19:28.364Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-08-04T17:32:51.164Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:socketry:protocol-http1:*:*:*:*:*:*:*:*", "matchCriteriaId": "801B6245-B6B9-4B32-91DF-3426663F2536", "versionEndExcluding": "0.15.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "protocol-http1 provides a low-level implementation of the HTTP/1 protocol. RFC 9112 Section 7.1 defined the format of chunk size, chunk data and chunk extension. The value of Content-Length header should be a string of 0-9 digits, the chunk size should be a string of hex digits and should split from chunk data using CRLF, and the chunk extension shouldn't contain any invisible character. However, Falcon has following behaviors while disobey the corresponding RFCs: accepting Content-Length header values that have `+` prefix, accepting Content-Length header values that written in hexadecimal with `0x` prefix, accepting `0x` and `+` prefixed chunk size, and accepting LF in chunk extension. This behavior can lead to desync when forwarding through multiple HTTP parsers, potentially results in HTTP request smuggling and firewall bypassing. This issue is fixed in `protocol-http1` v0.15.1. There are no known workarounds."}, {"lang": "es", "value": "protocol-http1 proporciona una implementaci\u00f3n de bajo nivel del protocolo HTTP/1. La secci\u00f3n 7.1 del RFC 9112 define el formato del tama\u00f1o del fragmento, los datos del fragmento y la extensi\u00f3n del fragmento. El valor de la cabecera Content-Length debe ser una cadena de 0-9 d\u00edgitos, el tama\u00f1o del fragmento debe ser una cadena de d\u00edgitos hexadecimales y debe separarse de los datos del fragmento mediante CRLF, y la extensi\u00f3n del fragmento no debe contener ning\u00fan car\u00e1cter invisible. Sin embargo, Falcon tiene los siguientes comportamientos mientras desobedece las RFCs correspondientes: aceptar valores de cabecera Content-Length que tengan prefijo `+`, aceptar valores de cabecera Content-Length que est\u00e9n escritos en hexadecimal con prefijo `0x`, aceptar tama\u00f1o de fragmento con prefijo `0x` y `+`, y aceptar LF en la extensi\u00f3n de fragmento. Este comportamiento puede conducir a la desincronizaci\u00f3n cuando se reenv\u00eda a trav\u00e9s de m\u00faltiples analizadores HTTP, lo que puede dar lugar al contrabando de peticiones HTTP y a la evasi\u00f3n del cortafuegos. Este problema se ha solucionado en `protocol-http1` v0.15.1. No se conocen alternativas."}], "id": "CVE-2023-38697", "lastModified": "2024-11-21T08:14:04.553", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "[email protected]", "type": "Primary"}]}, "published": "2023-08-04T18:15:15.010", "references": [{"source": "[email protected]", "tags": ["Patch"], "url": "https://github.com/socketry/protocol-http1/commit/e11fc164fd2b36f7b7e785e69fa8859eb06bcedd"}, {"source": "[email protected]", "tags": ["Issue Tracking"], "url": "https://github.com/socketry/protocol-http1/pull/20"}, {"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://github.com/socketry/protocol-http1/security/advisories/GHSA-6jwc-qr2q-7xwj"}, {"source": "[email protected]", "tags": ["Technical Description"], "url": "https://www.rfc-editor.org/rfc/rfc9112#name-chunked-transfer-coding"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/socketry/protocol-http1/commit/e11fc164fd2b36f7b7e785e69fa8859eb06bcedd"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://github.com/socketry/protocol-http1/pull/20"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/socketry/protocol-http1/security/advisories/GHSA-6jwc-qr2q-7xwj"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Technical Description"], "url": "https://www.rfc-editor.org/rfc/rfc9112#name-chunked-transfer-coding"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-444"}], "source": "[email protected]", "type": "Secondary"}]}

{"bugzilla": {"description": "protocol-http1: rubygem Strict validation of content length and chunk length", "id": "2229389", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2229389"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-444", "details": ["protocol-http1 provides a low-level implementation of the HTTP/1 protocol. RFC 9112 Section 7.1 defined the format of chunk size, chunk data and chunk extension. The value of Content-Length header should be a string of 0-9 digits, the chunk size should be a string of hex digits and should split from chunk data using CRLF, and the chunk extension shouldn't contain any invisible character. However, Falcon has following behaviors while disobey the corresponding RFCs: accepting Content-Length header values that have `+` prefix, accepting Content-Length header values that written in hexadecimal with `0x` prefix, accepting `0x` and `+` prefixed chunk size, and accepting LF in chunk extension. This behavior can lead to desync when forwarding through multiple HTTP parsers, potentially results in HTTP request smuggling and firewall bypassing. This issue is fixed in `protocol-http1` v0.15.1. There are no known workarounds.", "A flaw was found in the protocol-http1 rubygem package. The protocol-http1 provides a low-level implementation of the HTTP/1 protocol. This behavior can lead to desync when forwarding through multiple HTTP parsers, potentially resulting in HTTP request smuggling and firewall bypassing."], "name": "CVE-2023-38697", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/fluentd-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Will not fix", "package_name": "3scale-amp-backend-container", "product_name": "Red Hat 3scale API Management Platform 2"}], "public_date": "2023-08-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-38697\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-38697\nhttps://github.com/socketry/protocol-http1/security/advisories/GHSA-6jwc-qr2q-7xwj"], "threat_severity": "Moderate", "upstream_fix": "protocol-http1 0.15.1"}