Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-90329

Resolve Inconsistent Interpretation of HTTP Requests (CVE-2022-24801 / CWE-444)

    • Type: Icon: Bug Bug
    • Resolution: Done
    • Priority: Icon: Major - P3 Major - P3
    • 7.3.3, 8.0.0-rc5
    • Affects Version/s: None
    • Component/s: None
    • None
    • Build
    • Fully Compatible
    • ALL
    • v8.0, v7.3, v7.0, v6.0, v5.0

      mongodb/mongo are vulnerable to HTTP Request Smuggling in the twisted.web.http module which makes non-conformant parsing and can lead to desync if requests pass through multiple HTTP parsers. Note: To be vulnerable, applications need to both use Twisted Web's HTTP server/proxy, along with some other HTTP server/proxy.

            endOfLengthIndex = self._buffer.find(b";", 0, eolIndex)
              if endOfLengthIndex == -1:
                  endOfLengthIndex = eolIndex
              try:
                  length = int(self._buffer[0:endOfLengthIndex], 16)
              except ValueError:
                  raise _MalformedChunkedDataError("Chunk-size must be an integer.")        if length < 0:
                  raise _MalformedChunkedDataError("Chunk-size must not be negative.")
              elif length == 0: 
              self.assertEqual(
                  request.requestHeaders.getRawHeaders(b"spaces"),
                  [b"spaces   spaces    spaces"],
              )
              self.assertEqual(
                  request.requestHeaders.getRawHeaders(b"tab"),
                  [b"t \ta \tb"],
      

      Impact

      The specifics of the other HTTP parser matter. The original report notes that some versions of Apache Traffic Server and HAProxy have been vulnerable in the past. HTTP request smuggling may be a serious concern if you use a proxy to perform request validation or access control.

      CVE-2022-24801
      CWE-444
      CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

            Assignee:
            Unassigned Unassigned
            Reporter:
            thomas.langston@mongodb.com Thomas Langston (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: