#VU100445 Inconsistent interpretation of HTTP requests in libsoup - CVE-2024-52530


Vulnerability identifier: #VU100445

Vulnerability risk: Medium

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-52530

CWE-ID: CWE-444

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
libsoup
Universal components / Libraries / Libraries used by multiple products

Vendor: Gnome Development Team

Description

The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.

The vulnerability exists due to improper validation of HTTP requests. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.

Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

libsoup: 3.0.0 - 3.5.2

External links
https://gitlab.gnome.org/Teams/Releng/security/-/wikis/home
https://gitlab.gnome.org/GNOME/libsoup/-/issues/377
https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/402

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


SUSE update for libsoup
Multiple vulnerabilities in Dell PowerStoreT OS
Multiple vulnerabilities in Dell APEX Cloud Platform for Red Hat OpenShift
Dell APEX Cloud Platform for Red Hat OpenShift update for third-party components
Dell VxRail Appliance 8.x update for third-party components
Dell VxRail Appliance 7.x update for third-party components
Anolis OS update for libsoup
Anolis OS update for libsoup
Anolis OS update for libsoup
Multiple vulnerabilities in IBM App Connect Enterprise Certified Container