CVE-2021-23339: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
This affects all versions before 10.1.14 and from 10.2.0 to 10.2.4 of package com.typesafe.akka:akka-http-core. It allows multiple Transfer-Encoding headers.
References
- doc.akka.io/docs/akka-http/10.1/security/2021-02-24-incorrect-handling-of-Transfer-Encoding-header.html
- github.com/advisories/GHSA-2w7w-2j92-44hx
- github.com/akka/akka-http/commit/e3a4935151c91cee28e65e6b894dd50839ef9d34
- github.com/akka/akka-http/pull/3754%23issuecomment-779265201
- nvd.nist.gov/vuln/detail/CVE-2021-23339
- snyk.io/vuln/SNYK-JAVA-COMTYPESAFEAKKA-1075043
Code Behaviors & Features
Detect and mitigate CVE-2021-23339 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →