Total
204 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2015-5741 | 2 Golang, Redhat | 3 Go, Enterprise Linux, Openstack | 2021-08-04 | 7.5 HIGH | 9.8 CRITICAL |
| The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request that contains Content-Length and Transfer-Encoding header fields. | |||||
| CVE-2021-32715 | 1 Hyper | 1 Hyper | 2021-07-22 | 4.3 MEDIUM | 5.3 MEDIUM |
| hyper is an HTTP library for rust. hyper's HTTP/1 server code had a flaw that incorrectly parses and accepts requests with a `Content-Length` header with a prefixed plus sign, when it should have been rejected as illegal. This combined with an upstream HTTP proxy that doesn't parse such `Content-Length` headers, but forwards them, can result in "request smuggling" or "desync attacks". The flaw exists in all prior versions of hyper prior to 0.14.10, if built with `rustc` v1.5.0 or newer. The vulnerability is patched in hyper version 0.14.10. Two workarounds exist: One may reject requests manually that contain a plus sign prefix in the `Content-Length` header or ensure any upstream proxy handles `Content-Length` headers with a plus sign prefix. | |||||
| CVE-2020-35863 | 1 Hyper | 1 Hyper | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in the hyper crate before 0.12.34 for Rust. HTTP request smuggling can occur. Remote code execution can occur in certain situations with an HTTP server on the loopback interface. | |||||
| CVE-2020-11505 | 1 Gitlab | 1 Gitlab | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) before 12.7.9, 12.8.x before 12.8.9, and 12.9.x before 12.9.3. A Workhorse bypass could lead to NuGet package and file disclosure (Exposure of Sensitive Information) via request smuggling. | |||||
| CVE-2020-11506 | 1 Gitlab | 1 Gitlab | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in GitLab 10.7.0 and later through 12.9.2. A Workhorse bypass could lead to job artifact uploads and file disclosure (Exposure of Sensitive Information) via request smuggling. | |||||
| CVE-2021-30180 | 1 Apache | 1 Dubbo | 2021-06-10 | 6.8 MEDIUM | 9.8 CRITICAL |
| Apache Dubbo prior to 2.7.9 support Tag routing which will enable a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these YAML rules, Dubbo customers may enable calling arbitrary constructors. | |||||
| CVE-2020-28483 | 1 Gin-gonic | 1 Gin | 2021-05-11 | 5.8 MEDIUM | 7.1 HIGH |
| This affects all versions of package github.com/gin-gonic/gin. When gin is exposed directly to the internet, a client's IP can be spoofed by setting the X-Forwarded-For header. | |||||
| CVE-2021-23339 | 1 Lightbend | 1 Akka-http | 2021-03-11 | 6.4 MEDIUM | 6.5 MEDIUM |
| This affects all versions before 10.1.14 and from 10.2.0 to 10.2.4 of package com.typesafe.akka:akka-http-core. It allows multiple Transfer-Encoding headers. | |||||
| CVE-2021-21445 | 1 Sap | 1 Commerce Cloud | 2021-03-04 | 3.5 LOW | 5.4 MEDIUM |
| SAP Commerce Cloud, versions - 1808, 1811, 1905, 2005, 2011, allows an authenticated attacker to include invalidated data in the HTTP response Content Type header, due to improper input validation, and sent to a Web user. A successful exploitation of this vulnerability may lead to advanced attacks, including cross-site scripting and page hijacking. | |||||
| CVE-2021-21299 | 1 Hyper | 1 Hyper | 2021-02-19 | 6.8 MEDIUM | 8.1 HIGH |
| hyper is an open-source HTTP library for Rust (crates.io). In hyper from version 0.12.0 and before versions 0.13.10 and 0.14.3 there is a vulnerability that can enable a request smuggling attack. The HTTP server code had a flaw that incorrectly understands some requests with multiple transfer-encoding headers to have a chunked payload, when it should have been rejected as illegal. This combined with an upstream HTTP proxy that understands the request payload boundary differently can result in "request smuggling" or "desync attacks". To determine if vulnerable, all these things must be true: 1) Using hyper as an HTTP server (the client is not affected), 2) Using HTTP/1.1 (HTTP/2 does not use transfer-encoding), 3) Using a vulnerable HTTP proxy upstream to hyper. If an upstream proxy correctly rejects the illegal transfer-encoding headers, the desync attack cannot succeed. If there is no proxy upstream of hyper, hyper cannot start the desync attack, as the client will repair the headers before forwarding. This is fixed in versions 0.14.3 and 0.13.10. As a workaround one can take the following options: 1) Reject requests that contain a `transfer-encoding` header, 2) Ensure any upstream proxy handles `transfer-encoding` correctly. | |||||
| CVE-2020-26281 | 1 Rust-lang | 1 Async-h1 | 2021-02-16 | 5.8 MEDIUM | 7.5 HIGH |
| async-h1 is an asynchronous HTTP/1.1 parser for Rust (crates.io). There is a request smuggling vulnerability in async-h1 before version 2.3.0. This vulnerability affects any webserver that uses async-h1 behind a reverse proxy, including all such Tide applications. If the server does not read the body of a request which is longer than some buffer length, async-h1 will attempt to read a subsequent request from the body content starting at that offset into the body. One way to exploit this vulnerability would be for an adversary to craft a request such that the body contains a request that would not be noticed by a reverse proxy, allowing it to forge forwarded/x-forwarded headers. If an application trusted the authenticity of these headers, it could be misled by the smuggled request. Another potential concern with this vulnerability is that if a reverse proxy is sending multiple http clients' requests along the same keep-alive connection, it would be possible for the smuggled request to specify a long content and capture another user's request in its body. This content could be captured in a post request to an endpoint that allows the content to be subsequently retrieved by the adversary. This has been addressed in async-h1 2.3.0 and previous versions have been yanked. | |||||
| CVE-2021-22293 | 1 Huawei | 4 Campusinsight, Manageone, Taurus-al00a and 1 more | 2021-02-10 | 5.0 MEDIUM | 7.5 HIGH |
| Some Huawei products have an inconsistent interpretation of HTTP requests vulnerability. Attackers can exploit this vulnerability to cause information leak. Affected product versions include: CampusInsight versions V100R019C10; ManageOne versions 6.5.1.1, 6.5.1.SPC100, 6.5.1.SPC200, 6.5.1RC1, 6.5.1RC2, 8.0.RC2. Affected product versions include: Taurus-AL00A versions 10.0.0.1(C00E1R1P1). | |||||
| CVE-2021-25762 | 1 Jetbrains | 1 Ktor | 2021-02-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| In JetBrains Ktor before 1.4.3, HTTP Request Smuggling was possible. | |||||
| CVE-2020-11724 | 2 Debian, Openresty | 2 Debian Linux, Openresty | 2021-01-29 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in OpenResty before 1.15.8.4. ngx_http_lua_subrequest.c allows HTTP request smuggling, as demonstrated by the ngx.location.capture API. | |||||
| CVE-2020-28473 | 2 Bottlepy, Debian | 2 Bottle, Debian Linux | 2021-01-28 | 5.8 MEDIUM | 6.8 MEDIUM |
| The package bottle from 0 and before 0.12.19 are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter. | |||||
| CVE-2020-17509 | 1 Apache | 1 Traffic Server | 2021-01-15 | 4.3 MEDIUM | 7.5 HIGH |
| ATS negative cache option is vulnerable to a cache poisoning attack. If you have this option enabled, please upgrade or disable this feature. Apache Traffic Server versions 7.0.0 to 7.1.11 and 8.0.0 to 8.1.0 are affected. | |||||
| CVE-2020-28361 | 1 Kamailio | 1 Kamailio | 2020-12-03 | 5.5 MEDIUM | 5.4 MEDIUM |
| Kamailio before 5.4.0, as used in Sip Express Router (SER) in Sippy Softswitch 4.5 through 5.2 and other products, allows a bypass of a header-removal protection mechanism via whitespace characters. This occurs in the remove_hf function in the Kamailio textops module. Particular use of remove_hf in Sippy Softswitch may allow skilled attacker having a valid credential in the system to disrupt internal call start/duration accounting mechanisms leading potentially to a loss of revenue. | |||||
| CVE-2020-26129 | 1 Jetbrains | 1 Ktor | 2020-12-01 | 6.4 MEDIUM | 6.5 MEDIUM |
| In JetBrains Ktor before 1.4.1, HTTP request smuggling was possible. | |||||
| CVE-2020-7670 | 1 Ohler | 1 Agoo | 2020-11-17 | 5.0 MEDIUM | 7.5 HIGH |
| agoo prior to 2.14.0 allows request smuggling attacks where agoo is used as a backend and a frontend proxy also being vulnerable. HTTP pipelining issues and request smuggling attacks might be possible due to incorrect Content-Length and Transfer encoding header parsing. It is possible to conduct HTTP request smuggling attacks where `agoo` is used as part of a chain of backend servers due to insufficient `Content-Length` and `Transfer Encoding` parsing. | |||||
| CVE-2020-7764 | 1 Find-my-way Project | 1 Find-my-way | 2020-11-16 | 5.0 MEDIUM | 7.5 HIGH |
| This affects the package find-my-way before 2.2.5, from 3.0.0 and before 3.0.5. It accepts the Accept-Version' header by default, and if versioned routes are not being used, this could lead to a denial of service. Accept-Version can be used as an unkeyed header in a cache poisoning attack. | |||||