PT-2021-23660 · Lightbend · Akka Http

Simone Quatrini · Published 2021-11-02 · Updated 2022-06-13 · CVE-2021-42697

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Akka HTTP versions 10.1.x through 10.1.14; Akka HTTP versions 10.2.x through 10.2.6

Description: The issue allows a remote attacker to conduct a Denial of Service attack by sending a User-Agent header with deeply nested comments, causing stack exhaustion while parsing HTTP headers.

Recommendations: For Akka HTTP versions 10.1.x through 10.1.14, update to version 10.1.15 or later. For Akka HTTP versions 10.2.x through 10.2.6, update to version 10.2.7 or later.
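The weakness above is a header parser that recurses once per nested comment with no depth bound. As an added example (not Akka HTTP's own code and not the vendor fix), the Python below walks the RFC 7230 comment grammar iteratively and rejects a User-Agent value once its nesting passes a limit, the kind of check a proxy or WAF can apply in front of an unpatched service; MAX_COMMENT_DEPTH and the sample values are assumptions.

```python
"""Depth-bounded scan of RFC 7230 comments in a header value.

Added example, not Akka HTTP code. Akka HTTP's header parser recursed once per
nested comment, so enough nested parentheses in User-Agent exhausted the stack
(CVE-2021-42697). Here depth is a counter, and the value is rejected once it
passes MAX_COMMENT_DEPTH, an assumed limit for this example, not an Akka setting.
"""
MAX_COMMENT_DEPTH = 16  # assumed; real User-Agents rarely nest more than 2 deep


def scan_comments(value: str, max_depth: int = MAX_COMMENT_DEPTH):
    """Return (ok, deepest_nesting, reason) for a header value.
    Grammar: comment = "(" *( ctext / quoted-pair / comment ) ")" and
    quoted-pair = "\\" ( HTAB / SP / VCHAR / obs-text ), so an escaped
    parenthesis inside a comment does not change the depth.
    """
    depth = deepest = i = 0
    while i < len(value):
        ch = value[i]
        if depth > 0 and ch == "\\":          # quoted-pair: next char is literal
            if i + 1 >= len(value):
                return False, deepest, "dangling backslash in comment"
            i += 2
            continue
        if ch == "(":
            depth += 1
            if depth > max_depth:              # stop before the input gets expensive
                return False, depth, f"comment nesting exceeds {max_depth}"
            deepest = max(deepest, depth)
        elif ch == ")":
            if depth == 0:
                return False, deepest, "unbalanced ')'"
            depth -= 1
        i += 1
    if depth != 0:
        return False, deepest, "unterminated comment"
    return True, deepest, ""


# Constructed sample values, not captured traffic.
SAMPLES = {
    "browser": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)",
    "nested": "curl/7.79 (a (b (c)))",
    "escaped": "tool/1.0 (note \\( not nested)",
    "deep": "x/1 " + "(" * 500 + ")" * 500,
}

if __name__ == "__main__":
    for name, ua in SAMPLES.items():
        ok, depth, reason = scan_comments(ua)
        print(f"{name:8} ok={ok} depth={depth} {reason}")
```

Because the depth lives in an integer, the cost of a hostile value is linear in its length and never touches the call stack, which is the property the vulnerable parser lacked.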

Exploit · Fix · Uncontrolled Recursion · Memory Corruption


Weakness Enumeration

Related Identifiers: CVE-2021-42697 · GHSA-3HW2-H67C-WQ66

Affected Products: Akka Http