
Cloud Vulnerability DB
A community-led vulnerabilities database
An HTTP Request Smuggling vulnerability (CVE-2024-33452) was discovered in OpenResty lua-nginx-module versions 0.10.26 and earlier. The vulnerability allows remote attackers to conduct HTTP request smuggling via crafted HEAD requests. The issue was discovered on January 24, 2024, and was patched on March 9, 2024, with CVE assignment following on April 24, 2024 (Benasin Blog).
The vulnerability exists in the src/ngx_http_lua_util.c file, where ngx_http_lua_send_chain_link incorrectly processes HEAD requests that carry a body. When processing HTTP/1.1 requests, lua-nginx-module incorrectly parses HEAD requests with a body and treats the body as a new, separate request. The vulnerability has received a CVSS v3.1 Base Score of 7.7 (HIGH) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L (NVD).
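To make the framing discrepancy concrete from the defender's side, here is an added example (not code from this entry or from lua-nginx-module): a strict HTTP/1.1 request framer, of the kind a front-end proxy or log-replay check might use, that always consumes a declared Content-Length body and flags any HEAD request carrying one. All names and the sample byte stream are constructed for this illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample: two pipelined requests on one connection. The first is a
# HEAD request that declares a 5-byte body, the condition CVE-2024-33452 concerns.
SAMPLE_STREAM = (
    b"HEAD /status HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nabcde"
    b"GET /health HTTP/1.1\r\nHost: example.test\r\n\r\n"
)

@dataclass
class Request:
    method: str
    target: str
    headers: dict[str, str]
    body: bytes

def frame_requests(stream: bytes) -> list[Request]:
    """Split a raw connection stream into requests, consuming the declared
    Content-Length body for every method (HEAD included) so body bytes are
    never reinterpreted as a new request; rejects framing it cannot verify."""
    requests: list[Request] = []
    pos = 0
    while pos < len(stream):
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end == -1:
            raise ValueError("incomplete request head; reject")
        lines = stream[pos:head_end].decode("latin-1").split("\r\n")
        method, target, _version = lines[0].split(" ", 2)
        headers: dict[str, str] = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        if "transfer-encoding" in headers:  # strict: chunked is not framed here
            raise ValueError("chunked framing not handled; reject")
        length_text = headers.get("content-length", "0")
        if not length_text.isdigit():
            raise ValueError("malformed Content-Length; reject")
        body_start = head_end + 4
        body = stream[body_start:body_start + int(length_text)]
        if len(body) != int(length_text):
            raise ValueError("truncated body; reject")
        requests.append(Request(method, target, headers, body))
        pos = body_start + len(body)
    return requests

def flag_head_with_body(stream: bytes) -> list[int]:
    """Indexes of HEAD requests carrying content. RFC 9110 gives it no defined
    semantics, and a parser that skips it may misframe the following bytes."""
    return [i for i, r in enumerate(frame_requests(stream)) if r.method == "HEAD" and r.body]
```

On the sample stream the framer yields two requests, the HEAD request with its 5-byte body intact and the GET request starting exactly after it, and the flag function reports index 0 as the one a front end should reject or alert on.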
The vulnerability enables attackers to bypass frontend proxy protections, serve malicious responses to all users in the same connection pool, and capture responses of other users. The issue affects not only OpenResty but also proxies implemented on top of lua-nginx-module, such as Kong Gateway and Apache APISIX (Benasin Blog).
OpenResty has provided a patch in commit e5248aa8203d3e0075822a577c1cdd19f5f1f831 on March 9, 2024. Organizations should upgrade to versions newer than v0.10.26 to mitigate this vulnerability (Benasin Blog).
The vulnerability has gained attention in the security community, with researchers like James Kettle providing insights into the implications of HTTP Request Smuggling vulnerabilities. The discovery has led to further research into real-world applications and potential bounty opportunities at FrogSec Research (Benasin Blog).
Source: This report was generated using AI