CVE-2024-8912

EPSS 0.06%
Veröffentlicht 11.10.2024 19:15:11
Zuletzt bearbeitet 30.07.2025 15:23:41
Quelle cve-coordination@google.com
Teams Watchlist Login
Unerledigt Login

An HTTP Request Smuggling vulnerability in Looker allowed an unauthorized attacker to capture HTTP responses destined for legitimate users.

There are two Looker versions that are hosted by Looker:

  *  Looker (Google Cloud core) was found to be vulnerable. This issue has already been mitigated and our investigation has found no signs of exploitation.
  *  Looker (original) was not vulnerable to this issue.


Customer-hosted Looker instances were found to be vulnerable and must be upgraded.

This vulnerability has been patched in all supported versions of customer-hosted Looker, which are available on the  Looker download page https://download.looker.com/ .

For Looker customer-hosted instances, please update to the latest supported version of Looker as soon as possible. The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page:

  *  23.12 -> 23.12.123+
  *  23.18 -> 23.18.117+
  *  24.0 -> 24.0.92+
  *  24.6 -> 24.6.77+
  *  24.8 -> 24.8.66+
  *  24.10 -> 24.10.78+
  *  24.12 -> 24.12.56+
  *  24.14 -> 24.14.37+

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Google ≫ Cloud Looker Version >= 23.12 < 23.12.123

Google ≫ Cloud Looker Version >= 23.18 < 23.18.117

Google ≫ Cloud Looker Version >= 24.0 < 24.0.92

Google ≫ Cloud Looker Version >= 24.6 < 24.6.77

Google ≫ Cloud Looker Version >= 24.8 < 24.8.66

Google ≫ Cloud Looker Version >= 24.10 < 24.10.78

Google ≫ Cloud Looker Version >= 24.12 < 24.12.56

Google ≫ Cloud Looker Version >= 24.14 < 24.14.37

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.06%	0.197

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cve-coordination@google.com	8.9	0	0	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

https://cloud.google.com/looker/docs/best-practices/security-bulletin-09-16-24

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-8912

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-8912

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-8912

EUVD