CVE-2021-23339: HTTP Request Smuggling in akka-http-core

CVSS Score: 6.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.43802%
Published: 5/10/2021
Updated: 2/21/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Package Name                       Ecosystem   Vulnerable Versions    First Patched Version
com.typesafe.akka:akka-http-core   maven       >= 10.2.0, < 10.2.4    10.2.4
com.typesafe.akka:akka-http-core   maven       < 10.1.14              10.1.14

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from improper validation of Transfer-Encoding headers. The commit diff shows:

  1. HttpMessageParser's header processing was modified to reject multiple Transfer-Encoding headers and any transfer-coding other than chunked.
  2. Both the request and response parsers switched from tracking Transfer-Encoding header values to a simple 'isChunked' boolean.
  3. Validation failures were added for messages that carry both Content-Length and Transfer-Encoding headers.

These changes indicate that the original functions:

  • allowed multiple Transfer-Encoding headers, concatenating their values via the 'teh append' logic;
  • did not properly handle conflicts between Content-Length and Transfer-Encoding;
  • accepted non-chunked transfer-codings.

This matches the CWE-444 description (Inconsistent Interpretation of HTTP Requests, 'HTTP Request/Response Smuggling'): when a proxy and the server behind it frame the same message differently, they disagree on where one request ends and the next begins, and bytes the front end treated as body arrive at the back end as a second request. Deployments on 10.1.x below 10.1.14, or on 10.2.0 through 10.2.3, should upgrade to the first patched versions listed above.
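The following added example is not akka-http code and is not taken from this advisory; it is a small HTTP/1.1 request framer written for this page to show what the three behaviours listed above mean on the wire. The 'strict' policy implements the post-fix rules (one Transfer-Encoding header at most, exactly 'chunked', never combined with Content-Length). The two 'lenient' policies are assumed interpretations: both join the values of several Transfer-Encoding headers (the 'append' behaviour), but one resolves a Content-Length/Transfer-Encoding conflict in favour of chunked framing and the other in favour of Content-Length, standing in for two hops that disagree. They are illustrative and not a claim about akka-http's exact pre-fix logic. The sample messages are constructed, not captured traffic.

```python
# Added example, not akka-http code: a minimal HTTP/1.1 request framer that
# models the header policies described in the analysis above and shows how one
# byte stream is framed differently under each. 'strict' follows the post-fix
# rules; the two 'lenient' variants are assumed interpretations used only to
# illustrate the desync, not a claim about akka-http's exact pre-fix code.
from dataclasses import dataclass, field

class FramingError(ValueError):
    """Raised when the strict policy refuses to frame a message."""

@dataclass
class Request:
    start_line: str
    headers: list = field(default_factory=list)  # list of (lowercased name, value)
    body: bytes = b""

def _split_head(buf, pos):
    """Parse start line and headers; return them plus the offset past the blank line."""
    end = buf.index(b"\r\n\r\n", pos)
    lines = buf[pos:end].split(b"\r\n")
    headers = []
    for raw in lines[1:]:
        name, _, value = raw.decode("ascii").partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0].decode("ascii"), headers, end + 4

def _read_chunked(buf, pos):
    """Decode a chunked body (no trailers); return it plus the offset past it."""
    body = bytearray()
    while True:
        eol = buf.index(b"\r\n", pos)
        size = int(buf[pos:eol].split(b";")[0], 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:
            return bytes(body), buf.index(b"\r\n", pos) + 2  # empty trailer section
        body += buf[pos:pos + size]
        pos += size + 2  # chunk data plus its CRLF

def _body_framing(headers, policy):
    """Return ('chunked', 0) or ('length', n) for the given policy.

    strict: one Transfer-Encoding header at most, exactly 'chunked', never with
    Content-Length (the post-fix rules). lenient-te: all TE values joined (the
    'append' behaviour); 'chunked' anywhere wins over Content-Length.
    lenient-cl: same joining, but Content-Length wins a CL+TE conflict (assumed).
    """
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    if policy == "strict":
        if len(te) > 1:
            raise FramingError("multiple Transfer-Encoding headers")
        if te and cl:
            raise FramingError("Content-Length together with Transfer-Encoding")
        if te and te[0].lower() != "chunked":
            raise FramingError("unsupported Transfer-Encoding %r" % te[0])
        if len(set(cl)) > 1:
            raise FramingError("conflicting Content-Length headers")
        return ("chunked", 0) if te else ("length", int(cl[0]) if cl else 0)
    codings = [c.strip().lower() for c in ",".join(te).split(",") if c.strip()]
    if "chunked" in codings and not (cl and policy == "lenient-cl"):
        return ("chunked", 0)
    return ("length", int(cl[0]) if cl else 0)

def frame_requests(buf, policy):
    """Split one byte stream into the requests a server using `policy` sees."""
    out, pos = [], 0
    while pos < len(buf):
        start_line, headers, pos = _split_head(buf, pos)
        kind, n = _body_framing(headers, policy)
        if kind == "chunked":
            body, pos = _read_chunked(buf, pos)
        else:
            body, pos = buf[pos:pos + n], pos + n
        out.append(Request(start_line, headers, body))
    return out

POLICIES = ("strict", "lenient-te", "lenient-cl")

def compare(buf):
    """Number of requests each policy extracts from `buf`, or 'rejected'."""
    result = {}
    for policy in POLICIES:
        try:
            result[policy] = len(frame_requests(buf, policy))
        except FramingError:
            result[policy] = "rejected"
    return result

# Constructed samples, not captured traffic. In SMUGGLE, Content-Length: 47 spans
# the rest of the buffer, while the chunked body ends after "0\r\n\r\n", so a
# chunked-first parser reads "GET /admin ..." as a second request.
HEAD = b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
SMUGGLE = (HEAD + b"Content-Length: 47\r\nTransfer-Encoding: chunked\r\n\r\n"
           b"0\r\n\r\nGET /admin HTTP/1.1\r\nHost: app.example\r\n\r\n")
IDENTITY = HEAD + b"Transfer-Encoding: identity\r\n\r\n"        # non-chunked coding
DOUBLE_TE = (HEAD + b"Transfer-Encoding: chunked\r\nTransfer-Encoding: identity\r\n\r\n"
             b"5\r\nhello\r\n0\r\n\r\n")                          # two TE headers
VALID = HEAD + b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n"
```

Running compare() over the samples shows the point of the fix: SMUGGLE is rejected outright by the strict policy, while the two lenient policies extract one and two requests respectively from the same bytes, which is exactly the disagreement CWE-444 describes. IDENTITY and DOUBLE_TE are also rejected by the strict policy and silently accepted by both lenient ones, and the well-formed VALID message is accepted everywhere, so the stricter rules cost nothing for compliant clients.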


WAF Protection Rules

WAF Rule

A vulnerable Akka HTTP server will accept a malformed message and hand it over to the user. If the user application proxies this message to another server unchanged and that server also accepts that message but interprets it as two HTTP messages, the
