CVSS3: 7.5 High
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

CVSS2: 5 Medium
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

EPSS: 0.002 Low
Percentile: 57.7%
I’ve written this issue up fully here: https://portswigger.net/research/http2#request
In case it’s useful, here’s the original report as sent to Apache:
> I’d like to report a vulnerability in Apache mod_proxy when used with HTTP/2 enabled.
>
> It fails to reject HTTP requests that contain spaces in the :method HTTP/2 pseudo-header. This leads to a request-line injection vulnerability when it downgrades the requests to HTTP/1.1 and routes them on to the backend.
>
> Attacker HTTP/2 request:
>
> > :method: GET /anything HTTP/1.1
> > :path: /
> > :authority: psres.net
> > Accept-Encoding: gzip, deflate
>
> Resulting request forwarded to the backend by mod_proxy:
>
> > GET /anything HTTP/1.1 / HTTP/1.1
> > Host:: psres.net
> > Accept-Encoding: gzip, deflate
>
> Provided the back-end server tolerates trailing junk in request lines, this enables attackers to bypass front-end security rules, poison web caches, and change the protocol to HTTP/0.9 or 1.0, potentially enabling further attacks. I have identified some vulnerable systems in the wild.
> Please let me know if you’d like any additional information.
This lets attackers bypass front-end security rules like block-rules and escape subfolders. In some cases it may enable further attacks via protocol-downgrades and cache poisoning.
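The root cause described in the report is that the proxy copied the `:method` pseudo-header into the HTTP/1.1 request line without checking that it was a single RFC 7230 token. As an added illustration of the check a front end should apply before downgrading (example code written for this page, not Apache's own mod_proxy or mod_h2 code), the block below validates `:method` against the `tchar` grammar and refuses to build a request line from anything else. The function names, the buffer handling and the extra whitespace check on `:path` are assumptions of this example, not part of the report; the rejected sample input is the `:method` value quoted above.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* RFC 7230 "tchar": ALPHA / DIGIT / "!" / "#" / "$" / "%" / "&" / "'" / "*" /
 * "+" / "-" / "." / "^" / "_" / "`" / "|" / "~".  Whitespace is NOT a tchar,
 * so a :method such as "GET /anything HTTP/1.1" can never be a valid token. */
static bool is_tchar(unsigned char c) {
    if (c == '\0') return false;
    if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9'))
        return true;
    return strchr("!#$%&'*+-.^_`|~", c) != NULL;
}

/* A :method pseudo-header is acceptable only if it is a non-empty token. */
bool valid_method_token(const char *method) {
    if (method == NULL || *method == '\0') return false;
    for (const unsigned char *p = (const unsigned char *)method; *p != '\0'; p++)
        if (!is_tchar(*p)) return false;
    return true;
}

/* Build the HTTP/1.1 request line a proxy would send to the backend.
 * Returns the number of bytes written, or -1 if the method is not a token
 * or the path contains characters that would break the request line. */
int build_request_line(char *out, size_t outlen, const char *method, const char *path) {
    if (!valid_method_token(method)) return -1;
    /* Hypothetical extra check (same idea applied to :path): SP, CR or LF
     * inside the path would likewise let the line be split or extended. */
    if (path == NULL || *path == '\0' || strpbrk(path, " \r\n") != NULL) return -1;
    int n = snprintf(out, outlen, "%s %s HTTP/1.1\r\n", method, path);
    if (n < 0 || (size_t)n >= outlen) return -1;   /* truncated: refuse to forward */
    return n;
}

int main(void) {
    char line[256];
    /* Constructed inputs: a normal method and the :method value from the report above. */
    const char *methods[] = { "GET", "GET /anything HTTP/1.1" };
    for (size_t i = 0; i < 2; i++) {
        int n = build_request_line(line, sizeof line, methods[i], "/");
        if (n < 0)
            printf("rejected :method \"%s\"\n", methods[i]);
        else
            printf("forwarding: %.*s", n, line);
    }
    return 0;
}
```

The point of the design is that the downgrade step treats the pseudo-header as data to be validated, not as text to be concatenated: once `:method` is known to be a bare token and `:path` contains no request-line delimiters, the backend can only ever receive a request line with exactly the three fields the proxy intended.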