CVE-2024-9622

MEDIUM

Org.jboss.resteasy Resteasy-netty4-cdi - HTTP Request Smuggling

Title source: rule

Description

A vulnerability was found in the resteasy-netty4 library arising from improper handling of HTTP requests using smuggling techniques. When an HTTP smuggling request with an ASCII control character is sent, it causes the Netty HttpObjectDecoder to transition into a BAD_MESSAGE state. As a result, any subsequent legitimate requests on the same connection are ignored, leading to client timeouts, which may impact systems using load balancers and expose them to risk.

References (4)

[Various Sources] https://github.com/orgs/resteasy/discussions/4351

[Various Sources] https://github.com/resteasy/resteasy

[Vendor Advisory] https://access.redhat.com/security/cve/CVE-2024-9622

[Issue Tracking] https://bugzilla.redhat.com/show_bug.cgi?id=2317179

Scores

CVSS v3 5.3

EPSS 0.0003

EPSS Percentile 7.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-444

Status published

Products (5)

org.jboss.resteasy/resteasy-netty4-cdi 0Maven

Red Hat/Red Hat JBoss Data Grid 7

Red Hat/Red Hat JBoss Enterprise Application Platform 7

Red Hat/Red Hat JBoss Enterprise Application Platform 8

Red Hat/Red Hat JBoss Enterprise Application Platform Expansion Pack

Published Oct 08, 2024

Tracked Since Feb 18, 2026