CVE-2024-23452
CVSS 3.1 Score 7.5 of 10 (high)
Details
Summary
CVE-2024-23452 is an HTTP request smuggling vulnerability in the HTTP server of Apache bRPC versions 0.9.5 through 1.7.0 on all platforms. The root cause is that the http_parser used by bRPC does not comply with RFC 7230 (HTTP/1.1 message syntax), section 3.3.3, which says that when a message carries both a Transfer-Encoding and a Content-Length header field, Transfer-Encoding overrides Content-Length, and that such a message may indicate an attempt at request smuggling or response splitting and ought to be treated as an error. Because bRPC frames such a message differently from an intermediary that honours Transfer-Encoding, an attacker who sends a request containing both headers can make the two parsers disagree on where one request ends and the next begins. The concrete scenario in the advisory is a bRPC HTTP server on the backend receiving requests over a persistent (keep-alive) connection from a frontend server that frames requests by Transfer-Encoding; the attacker can then smuggle an additional request into that connection, which the backend processes as if it came from the frontend. To remediate, upgrade to Apache bRPC 1.8.0, which contains the fix, or apply the patch at <https://github.com/apache/brpc/pull/2518>.
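The following Python model, added here as an illustration and not taken from bRPC or the advisory, shows the framing disagreement behind this class of bug: the same byte stream is split into requests by a parser that honours Content-Length, by one that honours Transfer-Encoding: chunked, and by a strict parser that applies the RFC 7230 section 3.3.3 rule and rejects a message carrying both headers. The payload, the policy names and the helper functions are all constructed for this example; the parser is simplified (no chunk trailers, one Content-Length value) and is not bRPC's http_parser.

```python
"""Request smuggling via Content-Length / Transfer-Encoding disagreement.

Constructed example: one attacker-controlled byte stream is framed three
ways, showing that a Content-Length parser (the lenient backend) and a
chunked parser (the frontend) see a different number of requests, while a
parser that rejects messages with both headers (RFC 7230 section 3.3.3)
refuses to process the ambiguous message at all.
"""

CRLF = b"\r\n"


class FramingError(ValueError):
    """Raised when a message cannot be framed unambiguously."""


def _parse_head(stream: bytes, pos: int):
    """Parse the request line and headers starting at `pos`.

    Returns (request_line, headers, body_start). Header names are lower-cased;
    a repeated name keeps the last value (sufficient for this demo).
    """
    end = stream.find(CRLF + CRLF, pos)
    if end == -1:
        raise FramingError("incomplete header block")
    lines = stream[pos:end].decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, end + 4


def _read_chunked(stream: bytes, pos: int):
    """Decode a chunked body starting at `pos` (no trailers); return (body, next_pos)."""
    body = bytearray()
    while True:
        line_end = stream.find(CRLF, pos)
        if line_end == -1:
            raise FramingError("truncated chunk-size line")
        size = int(stream[pos:line_end].split(b";", 1)[0].strip(), 16)
        pos = line_end + 2
        if size == 0:
            # last-chunk: expect the empty trailer section's terminating CRLF
            if stream[pos:pos + 2] != CRLF:
                raise FramingError("missing terminator after last-chunk")
            return bytes(body), pos + 2
        if stream[pos + size:pos + size + 2] != CRLF:
            raise FramingError("truncated chunk data")
        body += stream[pos:pos + size]
        pos += size + 2


def split_requests(stream: bytes, policy: str):
    """Split `stream` into (request_line, body) pairs under one framing policy.

    "content-length": Content-Length always wins (the lenient backend behaviour
                      that lets a chunked-framing frontend desync from it).
    "chunked":        Transfer-Encoding: chunked overrides Content-Length, as
                      RFC 7230 section 3.3.3 prescribes for the precedence.
    "strict":         like "chunked", but a message carrying BOTH headers is
                      rejected, which is what the RFC recommends a server do.
    """
    requests, pos = [], 0
    while pos < len(stream):
        request_line, headers, pos = _parse_head(stream, pos)
        has_cl = "content-length" in headers
        has_te = "transfer-encoding" in headers
        is_chunked = has_te and headers["transfer-encoding"].lower().split(",")[-1].strip() == "chunked"
        if policy == "strict" and has_cl and has_te:
            raise FramingError("both Content-Length and Transfer-Encoding present (RFC 7230 3.3.3)")
        use_cl = has_cl and (policy == "content-length" or not is_chunked)
        if use_cl:
            length = int(headers["content-length"])
            body = stream[pos:pos + length]
            if len(body) != length:
                raise FramingError("truncated body")
            pos += length
        elif is_chunked:
            body, pos = _read_chunked(stream, pos)
        else:
            body = b""
        requests.append((request_line, body))
    return requests


# Constructed attacker payload (TE.CL shape). Content-Length: 4 covers only the
# chunk-size line "2a\r\n", so a Content-Length parser reads the chunk data as a
# second request. That hidden request carries Content-Length: 7, exactly the
# size of the trailing "\r\n0\r\n\r\n", so the chunked terminator is swallowed
# and nothing is left dangling on the connection.
SMUGGLED = b"GET /admin HTTP/1.1\r\nContent-Length: 7\r\n\r\n"  # 42 bytes == 0x2a
PAYLOAD = (
    b"POST / HTTP/1.1\r\n"
    + b"Host: backend\r\n"
    + b"Content-Length: 4\r\n"
    + b"Transfer-Encoding: chunked\r\n"
    + b"\r\n"
    + b"2a\r\n" + SMUGGLED + b"\r\n"
    + b"0\r\n"
    + b"\r\n"
)


if __name__ == "__main__":
    for policy in ("chunked", "content-length", "strict"):
        try:
            seen = split_requests(PAYLOAD, policy)
            print(policy, "->", [line for line, _ in seen])
        except FramingError as exc:
            print(policy, "-> rejected:", exc)
```

Run as a script, the "chunked" policy reports one POST, the "content-length" policy reports the POST followed by a GET /admin that the frontend never saw as a request, and the "strict" policy rejects the message. Rejecting (rather than merely preferring Transfer-Encoding) is the safer choice for a backend, because it does not depend on the frontend having made the same precedence decision.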
Affected Vendors
- Apache Software Foundation