tomcat: Mishandling of Transfer-Encoding header allows for HTTP request smuggling

A flaw was found in Apache Tomcat. The HTTP header parsing code used an approach to end-of-line EOL parsing that allowed some invalid HTTP headers to be parsed as valid. This led to the possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the...

tomcat: Mishandling of Transfer-Encoding header allows for HTTP request smuggling

A flaw was found in Apache Tomcat. The HTTP header parsing code used an approach to end-of-line EOL parsing that allowed some invalid HTTP headers to be parsed as valid. This led to the possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the...

netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling

A flaw was found in Netty, where it mishandles Transfer-Encoding whitespace. This flaw allows HTTP Request Smuggling...

An issue was discovered in Ruby through 2.5.8 2.6.x through 2.6.6 and 2.7.x through 2.7.1. WEBrick a simple HTTP server bundled with Ruby had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check) which may lead to an HTTP Request Smuggling attack.

...

Withdrawn: HTTP Request Smuggling in Agoo

Withdrawn reason Withdrawn on 1/13/2021 due to this comment from the maintainer. This is no longer considered a vulnerability. Original description agoo through 2.12.3 allows request smuggling attacks where agoo is used as a backend and a frontend proxy also being vulnerable. It is possible to...

HTTP Request Smuggling in Agoo

agoo through 2.12.3 allows request smuggling attacks where agoo is used as a backend and a frontend proxy also being vulnerable. It is possible to conduct HTTP request smuggling attacks by sending the Content-Length header twice. Furthermore, invalid Transfer Encoding headers were found to be...

Media Services Live Features Upgrades to Support Modern-Day Live-Streaming Needs

Media Services Live MSL is Akamai's flagship solution for preparing live streams to provide broadcast-grade streaming quality for our live-streaming customers. MSL provides purpose-built key capabilities with liveOrigin, including ingest acceleration to map encoders to optimal entry points on the...

DEBIAN-CVE-2020-25613

An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy which also has a po...

ALPINE-CVE-2020-25613

An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy which also has a po...

Authorization

An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy which also has a po...

UBUNTU-CVE-2020-25613

An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy which also has a po...

CVE-2020-25613

An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy which also has a po...

Debian DLA-2391-1 : ruby2.3 security update

A potential HTTP request smuggling vulnerability in WEBrick was reported. WEBrick bundled along with ruby2.3 was too tolerant against an invalid Transfer-Encoding header. This may lead to inconsistent interpretation between WEBrick and some HTTP proxy servers, which may allow the attacker to...

Detecting HTTP Request Smuggling with Qualys WAS

HTTP Request Smuggling HRS is a web application vulnerability that enables an attacker to craft a single request that hides a second request within the body of the first request. HRS enables the following types of attack: Web cache poisoning Web cache deception Session hijacking Cross-site...

HTTP Request Splitting

squid is vulnerable to HTTP Request Splitting. Insecure parsing of the Transfer-Encoding header allows an attacker to split an HTTP request and perform cache poisoning...

HTTP Request Smuggling

webrick is vulnerable to HTTP request smuggling. The vulnerability exists as the request parser allows invalid Transfer-Encoding header values of close and keep-alive to be parsed and interpreted incorrectly...

HTTP Request Smuggling

Overview webrick is a HTTP server toolkit that can be configured as an HTTPS server, a proxy server, and a virtual-host server. Affected versions of this package are vulnerable to HTTP Request Smuggling. It was too tolerant against an invalid Transfer-Encoding header. This may lead to inconsisten...

USN-4532-1 netty-3.9 vulnerabilities

It was discovered that Netty incorrectly handled certain HTTP headers. By sending an HTTP header with whitespace before the colon, a remote attacker could possibly use this issue to perform an HTTP request smuggling attack. CVE-2019-16869 It was discovered that Netty incorrectly handled certain...

CVE-2020-4581

IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.12 could allow a remote attacker to cause a denial of service by sending a chunked transfer-encoding HTTP/2 request. IBM X-Force ID: 184441...

CVE-2020-4581

IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.12 could allow a remote attacker to cause a denial of service by sending a chunked transfer-encoding HTTP/2 request. IBM X-Force ID: 184441...