REDHAT-BUG-2295310
First published: Tue Jul 02 2024(Updated: )
The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| google net/http | ||
| google httputil.ReverseProxy |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2297318
- https://issues.redhat.com/browse/RHEL-47194
- https://issues.redhat.com/browse/RHEL-47199
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2295310#c12
- https://issues.redhat.com/browse/RHEL-47200
- https://issues.redhat.com/browse/RHEL-47161
- https://access.redhat.com/errata/RHSA-2024:5537
- https://access.redhat.com/errata/RHSA-2024:6462
- https://access.redhat.com/errata/RHSA-2024:6914
- https://access.redhat.com/errata/RHSA-2024:6908
- https://access.redhat.com/errata/RHSA-2024:6913
- https://access.redhat.com/errata/RHSA-2024:6912
- https://access.redhat.com/errata/RHSA-2024:6969
- https://access.redhat.com/errata/RHSA-2024:7074
- https://access.redhat.com/errata/RHSA-2024:7348
- https://access.redhat.com/errata/RHSA-2024:7349
- https://access.redhat.com/errata/RHSA-2024:7922
- https://access.redhat.com/errata/RHSA-2024:6341
- https://access.redhat.com/errata/RHSA-2024:8260
- https://access.redhat.com/errata/RHSA-2024:8425
- https://access.redhat.com/errata/RHSA-2024:8688
- https://access.redhat.com/errata/RHSA-2024:8692
- https://access.redhat.com/errata/RHSA-2024:8697
- https://access.redhat.com/errata/RHSA-2024:9089
- https://access.redhat.com/errata/RHSA-2024:9097
- https://access.redhat.com/errata/RHSA-2024:9098
- https://access.redhat.com/errata/RHSA-2024:9102
- https://access.redhat.com/errata/RHSA-2024:9115
- https://access.redhat.com/errata/RHSA-2024:9135
- https://access.redhat.com/errata/RHSA-2024:8219
- https://access.redhat.com/errata/RHSA-2024:9960
- https://access.redhat.com/errata/RHSA-2024:10133
- https://access.redhat.com/errata/RHSA-2024:10389
- https://access.redhat.com/errata/RHSA-2024:10758
- https://access.redhat.com/errata/RHSA-2024:10906
- https://access.redhat.com/errata/RHSA-2025:0082
- https://bugzilla.redhat.com/show_bug.cgi?id=2295310
Frequently Asked Questions
What is the severity of REDHAT-BUG-2295310?
The severity of REDHAT-BUG-2295310 is categorized as medium due to the impact it has on client connection stability.
How do I fix REDHAT-BUG-2295310?
To fix REDHAT-BUG-2295310, update the net/http client to the latest version where the issue has been addressed.
What are the potential impacts of REDHAT-BUG-2295310?
The potential impacts of REDHAT-BUG-2295310 include failed requests and connections remaining in an invalid state.
Which software is affected by REDHAT-BUG-2295310?
REDHAT-BUG-2295310 affects Google net/http and Google httputil.ReverseProxy.
Is REDHAT-BUG-2295310 a client-side or server-side issue?
REDHAT-BUG-2295310 is primarily a client-side issue affecting how the HTTP/1.1 client handles server responses.
- agent/severity
- agent/type
- agent/description
- agent/first-publish-date
- agent/event
- agent/trending
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2024-24791
- agent/last-modified-date
- agent/references
- agent/source
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/google
- canonical/google net/http
- canonical/google httputil.reverseproxy