9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.002 Low
EPSS
Percentile
55.9%
mitmproxy is an interactive, SSL/TLS-capable intercepting proxy. In
mitmproxy 7.0.4 and below, a malicious client or server is able to perform
HTTP request smuggling attacks through mitmproxy. This means that a
malicious client/server could smuggle a request/response through mitmproxy
as part of another request/response’s HTTP message body. While mitmproxy
would only see one request, the target server would see multiple requests.
A smuggled request is still captured as part of another request’s body, but
it does not appear in the request list and does not go through the usual
mitmproxy event hooks, where users may have implemented custom access
control checks or input sanitization. Unless mitmproxy is used to protect
an HTTP/1 service, no action is required. The vulnerability has been fixed
in mitmproxy 8.0.0 and above. There are currently no known workarounds.
github.com/mitmproxy/mitmproxy/commit/b06fb6d157087d526bd02e7aadbe37c56865c71b
github.com/mitmproxy/mitmproxy/commit/b06fb6d157087d526bd02e7aadbe37c56865c71b (v8.0.0)
github.com/mitmproxy/mitmproxy/security/advisories/GHSA-gcx2-gvj7-pxv3
launchpad.net/bugs/cve/CVE-2022-24766
mitmproxy.org/posts/releases/mitmproxy8/
nvd.nist.gov/vuln/detail/CVE-2022-24766
security-tracker.debian.org/tracker/CVE-2022-24766
www.cve.org/CVERecord?id=CVE-2022-24766
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.002 Low
EPSS
Percentile
55.9%