CVE-2024-9622
MEDIUMresteasy-netty4-cdi - Denial of Service via HTTP Request Smuggling
Title source: llmDescription
A vulnerability was found in the resteasy-netty4 library arising from improper handling of HTTP requests using smuggling techniques. When an HTTP smuggling request with an ASCII control character is sent, it causes the Netty HttpObjectDecoder to transition into a BAD_MESSAGE state. As a result, any subsequent legitimate requests on the same connection are ignored, leading to client timeouts, which may impact systems using load balancers and expose them to risk.
References (4)
Core 4
Core References
Various Sources
https://github.com/orgs/resteasy/discussions/4351
Various Sources
https://github.com/resteasy/resteasy
Vendor Advisory vdb-entry
x_refsource_redhat
https://access.redhat.com/security/cve/CVE-2024-9622
Issue Tracking issue-tracking
x_refsource_redhat
https://bugzilla.redhat.com/show_bug.cgi?id=2317179
Scores
CVSS v3
5.3
EPSS
0.0065
EPSS Percentile
46.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-444
Status
published
Products (5)
org.jboss.resteasy/resteasy-netty4-cdi
0Maven
Red Hat/Red Hat JBoss Data Grid 7
Red Hat/Red Hat JBoss Enterprise Application Platform 7
Red Hat/Red Hat JBoss Enterprise Application Platform 8
Red Hat/Red Hat JBoss Enterprise Application Platform Expansion Pack
Published
Oct 08, 2024
Tracked Since
Feb 18, 2026