netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling

A flaw was found in Netty, where it mishandles Transfer-Encoding whitespace. This flaw allows HTTP Request Smuggling...

netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header

A flaw was found in Netty before version 4.1.44, where it accepted multiple Content-Length headers and also accepted both Transfer-Encoding, as well as Content-Length headers where it should reject the message under such circumstances. In circumstances where Netty is used in the context of a...

netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling

A flaw was found in Netty, where it mishandles Transfer-Encoding whitespace. This flaw allows HTTP Request Smuggling...

HaProxy HTTP Request Smuggling (CVE-2019-18277)

An Improper Input Validation exists in HaProxy. Messages featuring a transfer-encoding header missing the "chunked" value were not being correctly rejected. Successful exploitation could result in HTTP request smuggling vulnerability...

Improper Input Validation

Overview workerman/workerman is an asynchronous event driven PHP framework for easily building fast, scalable network applications. Affected versions of this package are vulnerable to Improper Input Validation. HTTP requests processed by workerman does not have adequate validation and as such,...

Security Bulletin: [All] Apache Tomcat (core only) (Publicly disclosed vulnerability) CVE-2020-1935, CVE-2019-17569

Summary In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a...

Security update for rubygem-puma (moderate)

openSUSE Security Update: Security update for rubygem-puma Announcement ID: openSUSE-SU-2020:0990-1 Rating: moderate References: 1172175 1172176 Cross-References: CVE-2020-11076 CVE-2020-11077 Affected Products: openSUSE Leap 15.1 An update that fixes two vulnerabilities is now available...

Security update for rubygem-puma (moderate)

openSUSE Security Update: Security update for rubygem-puma Announcement ID: openSUSE-SU-2020:1001-1 Rating: moderate References: 1172175 1172176 Cross-References: CVE-2020-11076 CVE-2020-11077 Affected Products: openSUSE Leap 15.2 An update that fixes two vulnerabilities is now available...

HTTP Request Smuggling

Overview tinyhttp is a Low level HTTP server library Affected versions of this package are vulnerable to HTTP Request Smuggling. HTTP pipelining issues and request smuggling attacks might be possible due to incorrect Transfer encoding header parsing. It is possible conduct HTTP request smuggling...

HTTP Request Smuggling

Amendment This was deemed not a vulnerability. Overview tiny-http is a Low level HTTP server library Affected versions of this package are vulnerable to HTTP Request Smuggling. HTTP pipelining issues and request smuggling attacks might be possible due to incorrect Transfer encoding header parsing...

RUSTSEC-2020-0031 HTTP Request smuggling through malformed Transfer Encoding headers

HTTP pipelining issues and request smuggling attacks are possible due to incorrect Transfer encoding header parsing. It is possible conduct HTTP request smuggling attacks CL:TE/TE:TE by sending invalid Transfer Encoding headers. By manipulating the HTTP response the attacker could poison a...

HTTP Request smuggling through malformed Transfer Encoding headers

HTTP pipelining issues and request smuggling attacks are possible due to incorrect Transfer encoding header parsing. It is possible conduct HTTP request smuggling attacks CL:TE/TE:TE by sending invalid Transfer Encoding headers. By manipulating the HTTP response the attacker could poison a...

HTTP Request Smuggling

agoo is vulnerable to HTTP request smuggling. When used as a backend and frontend proxy, an attacker is able to leverage TE:CL smuggling attacks by sending a content-length header twice or an invalid Transfer Encoding headers...

Unspecified vulnerability in goliath

goliath is an asynchronous framework for writing API servers. A security vulnerability exists in goliath 1.0.6 and earlier versions. An attacker could exploit the vulnerability by sending the Content-Length header twice to conduct an HTTP request smuggling attack. Additionally, it was found that...

CVE-2020-7671

goliath through 1.0.6 allows request smuggling attacks where goliath is used as a backend and a frontend proxy also being vulnerable. It is possible to conduct HTTP request smuggling attacks by sending the Content-Length header twice. Furthermore, invalid Transfer Encoding headers were found to b...

CVE-2020-7670

agoo prior to 2.14.0 allows request smuggling attacks where agoo is used as a backend and a frontend proxy also being vulnerable. HTTP pipelining issues and request smuggling attacks might be possible due to incorrect Content-Length and Transfer encoding header parsing. It is possible to conduct...

CVE-2020-7671

goliath through 1.0.6 allows request smuggling attacks where goliath is used as a backend and a frontend proxy also being vulnerable. It is possible to conduct HTTP request smuggling attacks by sending the Content-Length header twice. Furthermore, invalid Transfer Encoding headers were found to b...

Design/Logic Flaw

goliath through 1.0.6 allows request smuggling attacks where goliath is used as a backend and a frontend proxy also being vulnerable. It is possible to conduct HTTP request smuggling attacks by sending the Content-Length header twice. Furthermore, invalid Transfer Encoding headers were found to b...

CVE-2020-7671

CVE-2020-7671 affects the goliath framework up to version 1.0.6. The issue enables HTTP request smuggling when goliath is used as a backend and frontend proxy, via sending the Content-Length header twice and due to invalid Transfer-Encoding headers being parsed as valid (TE:CL smuggling). The con...

CVE-2020-7670

Agoo prior to 2.14.0 is affected. The issue arises from incorrect parsing of Content-Length and Transfer-Encoding headers, enabling HTTP request smuggling when Agoo is used as a backend and a frontend proxy in a chain of backends. Impact is described as possible request smuggling due to TE/CL han...