PT-2024-1633 · Apache · Apache Brpc

Haoran Zhi +3

Published 2024-01-17 · Updated 2024-02-15

CVE-2024-23452

CVSS v2.0: 7.8 High
Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions: Apache bRPC versions 0.9.5 through 1.7.0
Description: The issue arises from the HTTP parser not complying with RFC 7230 (HTTP/1.1), specifically when handling messages that carry both Transfer-Encoding and Content-Length header fields. This can enable request smuggling or response splitting attacks. Where a bRPC-based HTTP server on the backend receives requests over a persistent connection from a frontend server that uses Transfer-Encoding to frame requests, an attacker can smuggle a request into the connection to the backend server.
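The RFC 7230 section 3.3.3 rule the description refers to, as an added example that is not bRPC code: a strict body-framing decision for an HTTP/1.1 request head that lets Transfer-Encoding win and refuses the Transfer-Encoding plus Content-Length combination instead of trusting Content-Length. The request strings are constructed for the example.

```python
# Added example (not bRPC code): a strict HTTP/1.1 body-framing decision that applies the
# RFC 7230 section 3.3.3 rule the vulnerable parser did not.
import re
from typing import Dict, List, Tuple

class FramingError(ValueError):
    """Message a defensive server should answer with 400 and then close the connection."""

def parse_head(raw: bytes) -> Tuple[str, Dict[str, List[str]]]:
    """Split a request head into its request-line and a lower-cased header multimap."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        # Whitespace before the colon makes two parsers see different headers: treat as malformed.
        if not sep or not name or name != name.strip():
            raise FramingError(f"malformed header line: {line!r}")
        headers.setdefault(name.lower(), []).append(value.strip())
    return request_line, headers

def framing(headers: Dict[str, List[str]]) -> Tuple[str, int]:
    """Return ("chunked", 0), ("length", n) or ("none", 0) for how the body is delimited."""
    te = headers.get("transfer-encoding", [])
    cl = headers.get("content-length", [])
    if te and cl:
        # RFC 7230 3.3.3: Transfer-Encoding overrides Content-Length and such a message
        # "ought to be handled as an error"; honouring Content-Length here is the bug.
        raise FramingError("both Transfer-Encoding and Content-Length present")
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings[-1] != "chunked":
            raise FramingError("Transfer-Encoding lacks a final 'chunked' coding")
        return ("chunked", 0)
    if cl:
        values = {v.strip() for h in cl for v in h.split(",")}  # identical repeats are tolerated
        if len(values) != 1:
            raise FramingError("conflicting Content-Length values")
        length = values.pop()
        if not re.fullmatch(r"[0-9]+", length):
            raise FramingError("invalid Content-Length")
        return ("length", int(length))
    return ("none", 0)

def check_request(raw: bytes) -> Tuple[str, int]:
    """Framing decision for a request head; ("reject", 0) means answer 400 and close."""
    try:
        return framing(parse_head(raw)[1])
    except FramingError:
        return ("reject", 0)
```

A frontend and backend that both apply this rule cannot be desynchronised by the header pair, which is why the reject branch matters more than the override itself.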
Recommendations: For Apache bRPC versions 0.9.5 through 1.7.0, upgrade to version 1.8.0, which fixes this issue. As a temporary workaround, apply the patch available at https://github.com/apache/brpc/pull/2518 to mitigate the risk of exploitation.

Fix

Weakness Enumeration: HTTP Request/Response Smuggling

Related Identifiers: BDU:2024-01303, CVE-2024-23452

Affected Products: Apache Brpc