CVE-2022-32213

The llhttp parser v14.20.1, v16.17.1 and v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling HRS...

PT-2022-6218 · Apache +10 · Apache Http Server +10

Name of the Vulnerable Software and Affected Versions: Apache HTTP Server versions 2.4.54 and prior versions Description: The issue is related to the inconsistent interpretation of HTTP requests, also known as 'HTTP Request Smuggling', in the mod proxy ajp module of the Apache HTTP Server. This...

CVE-2022-32215

A vulnerability was found in NodeJS due to the llhttp parser in the HTTP module incorrectly handling multi-line Transfer-Encoding headers. This issue can lead to HTTP Request Smuggling HRS. This flaw allows a remote attacker to send a specially crafted HTTP request to the server and smuggle...

HTTP Request Smuggling

llhttp is vulnerable to http request smuggling. The vulnerability exists in the http function in http.ts due to a lack of validation and parsing of Transfer-Encoding headers which allows an attacker to smuggle HTTP requests...

Internet Bug Bounty: CVE-2022-32213 - HTTP Request Smuggling Due to Flawed Parsing of Transfer-Encoding

Original Report: https://hackerone.com/reports/1524555 Impact Depending on the specific web application, HRS can lead to cache poisoning, bypassing of security layers, stealing of credentials and so on...

Internet Bug Bounty: CVE-2022-32215 - HTTP Request Smuggling Due to Incorrect Parsing of Multi-line Transfer-Encoding

Original Report: https://hackerone.com/reports/1501679 Impact Depending on the specific web application, HRS can lead to cache poisoning, bypassing of security layers, stealing of credentials and so on...

Node.js 环境问题漏洞

Node.js is an open source, cross-platform JavaScript runtime environment. An environmental issue vulnerability exists in Node.js that stems from the llhttp parser in the Node.js http module not properly parsing and validating the Transfer-Encoding header, which could result in HTTP Request...

HTTP Request Smuggling

Overview llhttp is a set of Ruby bindings for llhttp. Affected versions of this package are vulnerable to HTTP Request Smuggling when the llhttp parser in the http module does not correctly parse and validate Transfer-Encoding headers. Remediation A fix was pushed into the master branch but not y...

HTTP Request Smuggling

Overview llhttp is a set of Ruby bindings for llhttp. Affected versions of this package are vulnerable to HTTP Request Smuggling. The llhttp parser in the http module does not correctly handle multi-line Transfer-Encoding headers. Remediation There is no fixed version for llhttp. References -...

Node.js 环境问题漏洞

Node.js is an open source, cross-platform JavaScript runtime environment. An environmental issue vulnerability exists in Node.js that stems from the llhttp parser in the Node.js http module not properly parsing and validating the Transfer-Encoding header, which could result in HTTP Request...

PT-2022-21155 · Node.Js +8 · Node.Js +8

Name of the Vulnerable Software and Affected Versions: Node.js versions prior to 14.20.1 Node.js versions prior to 16.17.1 Node.js versions prior to 18.9.1 Description: The issue arises from the llhttp parser in the http module of Node.js not correctly handling multi-line Transfer-Encoding header...

tomcat: HTTP request smuggling when used with a reverse proxy

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer...

GHSA-GWFG-CQMG-CF8F WEBRick vulnerable to HTTP Request/Response Smuggling

An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy which also has a po...

GHSA-63H2-9CC8-FC7M meinheld vulnerable to HTTP Request Smuggling

meinheld prior to 1.0.2 is vulnerable to HTTP Request Smuggling. HTTP pipelining issues and request smuggling attacks might be possible due to incorrect Content-Length and Transfer encoding header parsing...

CVE-2020-7238

A flaw was found in Netty, where it mishandles Transfer-Encoding whitespace. This flaw allows HTTP Request Smuggling. Mitigation Use HTTP/2 instead clear boundaries between requests Disable reuse of backend connections eg. http-reuse never in HAProxy or whatever equivalent LB settings...

Apache Tomcat does not properly handle an invalid Transfer-Encoding header

Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27, and 7.0.0 beta does not properly handle an invalid Transfer-Encoding header, which allows remote attackers to cause a denial of service application outage or obtain sensitive information via a crafted header that interferes with "recycling...

GHSA-CXG2-49RQ-8GCR Apache Tomcat does not properly handle an invalid Transfer-Encoding header

Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27, and 7.0.0 beta does not properly handle an invalid Transfer-Encoding header, which allows remote attackers to cause a denial of service application outage or obtain sensitive information via a crafted header that interferes with "recycling...

SAP Web Dispatcher HTTP Request Smuggling

Onapsis Security Advisory 2022-0001: HTTP Request Smuggling in SAP Web Dispatcher Impact on Business By injecting an HTTP request as a prefix into a victim's request, a malicious user is able to cause damage in different ways, such as producing a Denial of Service by setting an invalid request as...

GHSA-PQR5-9V2J-44XG Apache Tomcat DoS via Malicious Get Request

Tomcat 4.0 through 4.1.12, using modjk 1.2.1 module on Apache 1.3 through 1.3.27, allows remote attackers to cause a denial of service desynchronized communications via an HTTP GET request with a Transfer-Encoding chunked field with invalid values...

The vulnerability in the implementation of the Hypertext Transfer Protocol (HTTP/1.1) of the Eclipse Jetty server container allows a attacker to send hidden HTTP requests (HTTP Request Smuggling attack).

The vulnerability of the Hypertext Transfer Protocol HTTP/1.1 implementation in Eclipse Jetty servers is related to deficiencies in handling the Transfer-Encoding and Content-Length headers. Exploiting this vulnerability allows a malicious actor to send hidden HTTP requests remotely a type of HTT...