Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
gentooGentoo FoundationGLSA-200606-05
HistoryJun 07, 2006 - 12:00 a.m.

Pound: HTTP request smuggling

2006-06-0700:00:00
Gentoo Foundation
security.gentoo.org
10

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.003 Low

EPSS

Percentile

70.2%

JSON

Background

Pound is a reverse proxy, load balancer and HTTPS front-end. It allows to distribute the load on several web servers and offers a SSL wrapper for web servers that do not support SSL directly.

Description

Pound fails to handle HTTP requests with conflicting “Content-Length” and “Transfer-Encoding” headers correctly.

Impact

An attacker could exploit this vulnerability by sending HTTP requests with specially crafted “Content-Length” and “Transfer-Encoding” headers to bypass certain security restrictions or to poison the web proxy cache.

Workaround

There is no known workaround at this time.

Resolution

All Pound users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose www-servers/pound
OSVersionArchitecturePackageVersionFilename
Gentooanyallwww-servers/pound< 2.0.5UNKNOWN

Related

debiancve 2
openvas 4
cve 2
nessus 3
prion 1
debian 2
ubuntucve 1
osv 1
securityvulns 1
debiancve
debiancve
CVE-2005-3751
2005-11-22 20:03:00
CVE-2016-10711
2018-01-29 20:29:00
openvas
openvas
Gentoo Security Advisory GLSA 200606-05 (pound)
2008-09-24 00:00:00
Gentoo Security Advisory GLSA 200606-05 (pound)
2008-09-24 00:00:00
Debian Security Advisory DSA 934-1 (pound)
2008-01-17 00:00:00
cve
cve
CVE-2005-3751
2005-11-22 20:03:00
CVE-2016-10711
2018-01-29 20:29:00
nessus
nessus
GLSA-200606-05 : Pound: HTTP request smuggling
2006-06-08 00:00:00
Debian DSA-934-1 : pound - several vulnerabilities
2006-10-14 00:00:00
Ubuntu 16.04 LTS : Pound vulnerabilities (USN-4702-1)
2021-01-25 00:00:00
prion
prion
Cross site request forgery (csrf)
2018-01-29 20:29:00
debian
debian
[SECURITY] [DSA 934-1] New pound packages fix multiple vulnerabilities
2006-01-10 03:25:14
[SECURITY] [DSA 934-1] New pound packages fix multiple vulnerabilities
2006-01-10 03:25:14
ubuntucve
ubuntucve
CVE-2016-10711
2018-01-29 00:00:00
osv
osv
pound - remote
2006-01-09 00:00:00
securityvulns
securityvulns
[SECURITY] [DSA 934-1] New pound packages fix multiple vulnerabilities
2006-01-10 00:00:00

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.003 Low

EPSS

Percentile

70.2%

JSON
Related for GLSA-200606-05
debiancve2openvas4cve2nessus3prion1debian2ubuntucve1osv1securityvulns1