
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2024-24791 is a vulnerability in the Go standard library's net/http package. It affects Go versions before 1.21.12 and all 1.22.x releases before 1.22.5. The issue was reported in May 2024 and publicly disclosed on July 2, 2024. It lies in the HTTP/1.1 client implementation, specifically in how the client handles a final response to a request it sent with an 'Expect: 100-continue' header (Go Dev Blog).
The vulnerability stems from the net/http HTTP/1.1 client mishandling the case where the server answers a request carrying an 'Expect: 100-continue' header with a final, non-informational status (200 or higher) instead of '100 Continue'. In that case the client skips sending the request body it had already announced via Content-Length, yet still returns the connection to its keep-alive pool. A backend that kept the connection open is still waiting for those body bytes, so the next request the client writes on that connection is consumed as the previous request's body and fails (or hangs until a timeout). This is what the advisory calls an "invalid state": every subsequent request on that connection fails. The vulnerability has been assigned a CVSS v3.1 score of 5.3 (Medium) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (Red Hat CVE).
Exploitation results in a denial of service. A net/http/httputil.ReverseProxy forwards the client's 'Expect' header to the backend, so an unauthenticated attacker who can reach the proxy sends requests with 'Expect: 100-continue' that the backend rejects with a final status before reading the body (for example, a request the backend refuses up front). Each such request leaves the proxy's upstream connection in the invalid state, and causes one subsequent request that is routed over that connection, typically another user's, to fail (Go Vuln DB).
The primary mitigation is to upgrade to Go 1.21.12 or 1.22.5 or later, which contain the fix. Because the flaw is in the standard library rather than in a dependency, affected binaries must be rebuilt with a patched toolchain; updating go.mod alone does not help unless it pins a patched 'toolchain'. The fix changes the client so that, after a non-informational response to an 'Expect: 100-continue' request, it no longer reuses a connection on which it skipped the request body (Go Dev Blog). Running govulncheck against a module or binary reports whether it was built with an affected net/http.
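The exchange described above, reproduced as an added example that is not part of this advisory or of the Go project's own test suite. It stands up a constructed HTTP/1.1 backend over an in-memory net.Pipe (no sockets) that rejects an 'Expect: 100-continue' POST with a final 403 without sending '100 Continue', keeps the connection open, and drains the declared body, which a Go net/http server would not do (it closes the connection instead) but which HTTP/1.1 permits and which non-Go backends commonly do. A net/http client then issues the refused POST followed by a plain GET over the same keep-alive Transport. The hostname backend.invalid, the paths, the status codes and the 256-byte payload are all assumptions made for the demo. On a patched Go both requests complete (403 then 200); on a vulnerable Go the GET is swallowed as the POST's missing body and fails with the client timeout, which is exactly the per-connection failure the advisory describes.

```go
package main

import (
	"bufio"
	"context"
	"fmt"
	"io"
	"net"
	"net/http"
	"strings"
	"time"
)

// backend is a constructed stand-in for a non-Go HTTP/1.1 server. It answers
// an "Expect: 100-continue" POST with a final 403 *before* reading the body,
// keeps the connection alive, and then discards the Content-Length bytes it
// was promised, so the next request must start at a clean message boundary.
func backend(conn net.Conn) {
	defer conn.Close()
	br := bufio.NewReader(conn)
	for {
		req, err := http.ReadRequest(br)
		if err != nil {
			return // peer closed the connection, or sent bytes that are not a request
		}
		if req.Method == http.MethodPost && req.Header.Get("Expect") == "100-continue" {
			// Reject up front; no "100 Continue" is ever sent.
			fmt.Fprint(conn, "HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\nConnection: keep-alive\r\n\r\n")
			// Drain the announced body. A patched client sends it (or closes the
			// connection, which makes CopyN return EOF). A vulnerable client sends
			// neither, so these bytes are actually the *next* request, which is
			// therefore lost: that is CVE-2024-24791.
			if _, err := io.CopyN(io.Discard, br, req.ContentLength); err != nil {
				return
			}
			continue
		}
		io.Copy(io.Discard, req.Body) // no body on GET; harmless otherwise
		fmt.Fprint(conn, "HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: keep-alive\r\n\r\nok")
	}
}

// dialPipe gives the Transport one end of an in-memory pipe and serves the
// other end with backend(), so the example runs offline. Each dial is a new
// "TCP connection" from the client's point of view.
func dialPipe(ctx context.Context, network, addr string) (net.Conn, error) {
	clientSide, serverSide := net.Pipe()
	go backend(serverSide)
	return clientSide, nil
}

// roundTrips sends the two requests from the advisory over one keep-alive
// Transport: a refused Expect: 100-continue POST, then a plain GET. It returns
// both status codes; the GET is where a vulnerable net/http fails.
func roundTrips() (postStatus, getStatus int, err error) {
	tr := &http.Transport{
		DialContext:           dialPipe,
		ExpectContinueTimeout: 2 * time.Second, // must be > 0 for the client to honour Expect
		MaxIdleConnsPerHost:   1,
	}
	defer tr.CloseIdleConnections()
	// The timeout turns the vulnerable hang into a reported error.
	client := &http.Client{Transport: tr, Timeout: 5 * time.Second}

	payload := strings.NewReader(strings.Repeat("A", 256)) // constructed upload body
	req, err := http.NewRequest(http.MethodPost, "http://backend.invalid/upload", payload)
	if err != nil {
		return 0, 0, err
	}
	req.Header.Set("Expect", "100-continue")
	resp, err := client.Do(req)
	if err != nil {
		return 0, 0, err
	}
	io.Copy(io.Discard, resp.Body)
	resp.Body.Close()
	postStatus = resp.StatusCode

	resp2, err := client.Get("http://backend.invalid/health")
	if err != nil {
		return postStatus, 0, err // vulnerable Go: timeout, the GET was eaten as body
	}
	io.Copy(io.Discard, resp2.Body)
	resp2.Body.Close()
	return postStatus, resp2.StatusCode, nil
}

func main() {
	p, g, err := roundTrips()
	fmt.Printf("POST /upload -> %d, GET /health -> %d, err = %v\n", p, g, err)
}
```

The same two-request sequence against a real backend (swap dialPipe for the default dialer and point the URLs at the upstream) is a quick way to check whether a deployed proxy binary was built with a patched toolchain: a vulnerable build turns the second request into a timeout or a connection error.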
Source: This report was generated using AI