
Cloud Vulnerability DB
HTTP::Daemon, a simple HTTP server class written in Perl, was found to be vulnerable to HTTP Request Smuggling attacks in versions prior to 6.15. The vulnerability (CVE-2022-31081) was discovered in June 2022 and could potentially be exploited to gain privileged access to APIs or poison intermediate caches (GitHub Advisory).
The vulnerability stems from insufficient validation of the Content-Length header in incoming HTTP requests. When a request carries multiple Content-Length headers, or variants of that header, HTTP::Daemon could interpret the request boundaries differently from an upstream proxy or cache, which is the condition that enables request smuggling. The vulnerability is classified as CWE-444: Inconsistent Interpretation of HTTP Requests (CWE). The severity of this issue is rated as Low, though the actual impact may vary depending on the implementation context (GitHub Advisory).
While the direct impact is considered low since most Perl-based applications are served on top of Nginx or Apache rather than directly using HTTP::Daemon, the vulnerability could potentially be exploited to gain privileged access to APIs or poison intermediate caches. The library is commonly used for local development and tests, which somewhat limits the exposure in production environments (GitHub Advisory).
Users are advised to upgrade to version 6.15 or later to resolve this issue. For those unable to upgrade, a workaround is available by adding additional request handling logic. After calling my $rqst = $conn->get_request(), inspect the returned HTTP::Request object and check the 'Content-Length' header (my $cl = $rqst->header('Content-Length')). Any abnormalities should be dealt with by returning a 400 response (GitHub Advisory).
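The following is an added example of the workaround described above; it is not code from the advisory or from HTTP::Daemon itself. It wraps the usual accept/get_request loop in a hypothetical helper, framing_problem(), that rejects a request with 400 when the Content-Length header is repeated, is not a plain decimal number, or appears together with Transfer-Encoding. The listen address and port are arbitrary choices for the example.

```perl
#!/usr/bin/env perl
# Added example (not from the advisory or from HTTP::Daemon): a minimal
# HTTP::Daemon loop that applies the advisory's workaround by validating the
# Content-Length header on the HTTP::Request returned by get_request().
use strict;
use warnings;
use HTTP::Daemon;
use HTTP::Response;
use HTTP::Status qw(RC_BAD_REQUEST RC_OK);

# Hypothetical helper: returns an empty list when the request framing
# headers look sane, or a short reason string when the request should be
# refused with a 400 response.
sub framing_problem {
    my ($rqst) = @_;
    # In list context, header() returns every value of a repeated field, so
    # a request that carried two Content-Length lines yields two elements.
    my @cl = $rqst->header('Content-Length');
    my @te = $rqst->header('Transfer-Encoding');

    return 'multiple Content-Length headers' if @cl > 1;
    if (@cl) {
        # Anything but a bare decimal (e.g. "5, 5", "+5", " 5", "") is
        # exactly the kind of value different parsers disagree on.
        return 'malformed Content-Length' unless $cl[0] =~ /\A[0-9]+\z/;
    }
    # Content-Length next to Transfer-Encoding is the classic
    # desynchronisation setup; refuse rather than guess which one applies.
    return 'Content-Length with Transfer-Encoding' if @cl && @te;
    return;
}

# Listen address and port are constructed values for this example.
my $d = HTTP::Daemon->new(
    LocalAddr => '127.0.0.1',
    LocalPort => 8080,
    ReuseAddr => 1,
) or die "cannot listen: $!";
print "listening on ", $d->url, "\n";

while (my $conn = $d->accept) {
    while (my $rqst = $conn->get_request) {
        if (my $why = framing_problem($rqst)) {
            # Log the rejection so smuggling attempts show up in monitoring.
            warn sprintf "rejecting request from %s: %s\n", $conn->peerhost, $why;
            $conn->send_error(RC_BAD_REQUEST, $why);
            last;  # never reuse a connection whose framing is in doubt
        }
        my $resp = HTTP::Response->new(RC_OK);
        $resp->header('Content-Type' => 'text/plain');
        $resp->content("ok\n");
        $conn->send_response($resp);
    }
    $conn->close;
    undef $conn;
}
```

Closing the connection after a rejected request matters: the point of request smuggling is to leave bytes on a kept-alive connection that the next request is parsed from, so a 400 followed by further reads on the same socket would defeat the purpose of the check. This remains a mitigation layered on top of a library that has already parsed the request; the fix the advisory recommends is upgrading to 6.15 or later.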
Multiple Linux distributions responded to this vulnerability by releasing security updates. Fedora released updates for versions 36, 37, and 38 (Fedora Update), and Debian also issued security updates for affected versions (Debian Update).
Source: This report was generated using AI