CVE-2021-23339 — HTTP Request Smuggling in akka-http-core

Description

A vulnerable Akka HTTP server will accept a malformed message and hand it over to the user. If the user application proxies this message to another server unchanged and that server also accepts that message but interprets it as two HTTP messages, the second message has reached the second server without having been inspected by the proxy.

How to fix CVE-2021-23339

To remediate CVE-2021-23339, upgrade the affected package to a fixed version below.

—upgrade to 10.2.4 or later

Is CVE-2021-23339 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 10.2.0, < 10.2.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-23339
WEBdoc.akka.io/docs/akka-http/10.1/security/2021-02-24-incorrect-handling-of-Transfer-Encoding-header.html
WEBgithub.com/akka/akka-http/commit/e3a4935151c91cee28e65e6b894dd50839ef9d34
WEBgithub.com/akka/akka-http/pull/3754%23issuecomment-779265201