CVE-2024-49580
📋 TL;DR
The CVE-2024-49580 vulnerability in JetBrains Ktor's HttpCache Plugin involves improper caching that could allow unauthorized disclosure of cached HTTP responses. This affects applications using Ktor with the HttpCache Plugin enabled, potentially exposing sensitive response data to attackers who can access cached content.
💻 Affected Systems
- JetBrains Ktor
📦 What is this software?
Ktor by JetBrains
⚠️ Risk & Real-World Impact
Worst Case
Sensitive user data, authentication tokens, or private API responses could be exposed to unauthorized parties through cached HTTP responses.
Likely Case
Information disclosure of cached HTTP responses containing user-specific or application data that should not be publicly accessible.
If Mitigated
Limited exposure of non-sensitive cached content with proper cache controls and isolation.
🎯 Exploit Status
Exploitation requires access to cached HTTP responses, which may be accessible depending on cache configuration and storage.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.3.13
Vendor Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/
Restart Required: Yes
Instructions:
1. Update the Ktor dependency to version 2.3.13 or later in your build configuration (e.g., build.gradle or pom.xml).
2. Rebuild and redeploy your application.
3. Restart the application server.
🔧 Temporary Workarounds
Disable HttpCache Plugin
Temporarily disable the HttpCache Plugin to eliminate the vulnerability until patching is possible.
Remove or comment out HttpCache plugin configuration in your Ktor application code.
🧯 If You Can't Patch
- Disable the HttpCache Plugin entirely in your Ktor application configuration.
- Implement additional access controls or encryption for cached data storage.
🔍 How to Verify
Check if Vulnerable:
Check your Ktor dependency version in build files; if using version <2.3.13 with HttpCache Plugin enabled, you are vulnerable.
Check Version:
Check build.gradle.kts, build.gradle, or pom.xml for 'ktor' dependency version.
Verify Fix Applied:
Verify that Ktor version is 2.3.13 or higher in your dependency management file and that the application runs without errors.
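The version and plugin checks above can be scripted so they run consistently across many repositories. The following is an added example, not code from the page or from JetBrains: it scans Gradle (Groovy or Kotlin DSL) and Maven build text for `io.ktor` dependency versions, compares them against the fixed release 2.3.13, and looks for the plugin being enabled. The sample build files and source below are constructed, and the `install(HttpCache)` usage pattern is an assumption about how the plugin appears in application code; a version that is a Gradle variable rather than a literal (for example `$ktor_version`) is reported as unresolved rather than guessed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Version that carries the fix, per the advisory; earlier Ktor releases are affected.
FIXED_VERSION: Tuple[int, ...] = (2, 3, 13)

# Gradle (Groovy or Kotlin DSL) coordinate string: io.ktor:<artifact>:<version>
GRADLE_DEP = re.compile(r"""io\.ktor:[\w.-]+:([^"'\s)]+)""")
# Maven <dependency> block with an io.ktor groupId followed by artifactId and version.
MAVEN_DEP = re.compile(
    r"<groupId>\s*io\.ktor\s*</groupId>\s*<artifactId>[^<]+</artifactId>\s*<version>([^<]+)</version>",
    re.S,
)
# Assumed usage pattern for enabling the plugin in Ktor client setup code.
HTTP_CACHE_INSTALL = re.compile(r"install\(\s*HttpCache\b")
NUMERIC_VERSION = re.compile(r"^\d+(?:\.\d+)*")

# Constructed sample inputs (not taken from any real project).
SAMPLE_GRADLE_KTS = """
dependencies {
    implementation("io.ktor:ktor-client-core:2.3.12")
    implementation("io.ktor:ktor-client-cio:2.3.12")
}
"""
SAMPLE_GRADLE_GROOVY = 'implementation "io.ktor:ktor-client-core:$ktor_version"\n'
SAMPLE_POM = """
<dependency>
  <groupId>io.ktor</groupId>
  <artifactId>ktor-client-core-jvm</artifactId>
  <version>2.3.13</version>
</dependency>
"""
SAMPLE_SOURCE_WITH_CACHE = """
val client = HttpClient(CIO) {
    install(HttpCache)
}
"""


def find_ktor_versions(build_text: str) -> List[str]:
    """Return every io.ktor dependency version string found in a build file."""
    found = GRADLE_DEP.findall(build_text) + MAVEN_DEP.findall(build_text)
    return [v.strip() for v in found]


def version_tuple(version: str) -> Optional[Tuple[int, ...]]:
    """Parse the leading numeric part of a version ('2.3.12' -> (2, 3, 12)).
    Returns None for unresolved values such as Gradle variables."""
    m = NUMERIC_VERSION.match(version)
    if not m:
        return None
    return tuple(int(p) for p in m.group(0).split("."))


def is_vulnerable_version(version: str) -> bool:
    """True when the version parses and is older than the fixed release."""
    parsed = version_tuple(version)
    return parsed is not None and parsed < FIXED_VERSION


def uses_http_cache(source_text: str) -> bool:
    """True when the HttpCache plugin is installed in the given source text."""
    return HTTP_CACHE_INSTALL.search(source_text) is not None


def assess(build_text: str, source_text: str) -> Dict[str, object]:
    """Combine the version check and the plugin check into one verdict.
    The advisory's condition is: version below 2.3.13 AND plugin enabled."""
    versions = find_ktor_versions(build_text)
    unresolved = [v for v in versions if version_tuple(v) is None]
    vulnerable_versions = [v for v in versions if is_vulnerable_version(v)]
    cache_enabled = uses_http_cache(source_text)
    return {
        "versions": versions,
        "unresolved": unresolved,
        "vulnerable_versions": vulnerable_versions,
        "http_cache_enabled": cache_enabled,
        "vulnerable": bool(vulnerable_versions) and cache_enabled,
    }


if __name__ == "__main__":
    for label, build in (("gradle.kts", SAMPLE_GRADLE_KTS),
                         ("gradle (variable)", SAMPLE_GRADLE_GROOVY),
                         ("pom.xml", SAMPLE_POM)):
        print(label, assess(build, SAMPLE_SOURCE_WITH_CACHE))
```

A non-empty `unresolved` list means the build file references the version indirectly (version catalog, property, or variable) and the value must be looked up where it is defined before drawing a conclusion; the script deliberately does not treat such entries as either safe or vulnerable.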
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to cached HTTP endpoints or errors related to cache retrieval.
Network Indicators:
- Requests attempting to access cached responses with unusual parameters or headers.
SIEM Query:
Search for access logs showing repeated requests to the same endpoints with cache-related headers.