[GHSA-qppj-fm5r-hxr3] HTTP/2 Stream Cancellation Attack

[ebickle]

Updates

• Affected products

Comments
Akka HTTP prior to 10.5.3 is also vulnerable to CVE-2023-44487: https://akka.io/security/akka-http-cve-2023-44487.html

PR https://github.com/akka/akka-http/pull/4324/files shows the fix being made to the akka-http-core library.
Backport PR akka/akka-http#4325 was merged into the release branch for 10.5.X.

Certain versions of com.typesafe.akka:akka-http-core are published under alternate names that include the version number. The stable versions of these (com.typesafe.akka:akka-http-core_2.11, com.typesafe.akka:akka-http-core_2.12, com.typesafe.akka:akka-http-core_2.13) that are published in Maven Central have been included. However, Akka publishes many different package names for each version - experimental, milestone, and every version branch. Due to the vast number of these they have been omitted (at this time) to avoid cluttering the affected products list.

com.typesafe.akka:akka-http-core_2.11 only goes to 10.1.15 in Maven Central, so no patched version is listed in the affected products list to avoid confusing dependency analysis/fix tools. A fix would require switching to a different package name.

[github]

Hi there @Lukasa! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

[advisory-database]

Hi @ebickle! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!