HTTP Request Smuggling
Affecting nginx package, versions <1.14.2-2+deb10u2
Report new vulnerabilities
Do your applications use this vulnerable package?
Test your applications
Overview
NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer.
References
CVSS Score
5.3
medium severity
-
Attack VectorNetwork
-
Attack ComplexityLow
-
Privileges RequiredNone
-
User InteractionNone
-
ScopeUnchanged
-
ConfidentialityLow
-
IntegrityNone
-
AvailabilityNone
- CVE
- CVE-2019-20372
- CWE
- CWE-444
- Snyk ID
- SNYK-DEBIAN10-NGINX-541354
- Disclosed
- 09 Jan, 2020
- Published
- 10 Jan, 2020