Description
Request smuggling is possible when both chunked Transfer-Encoding and Content-Length are specified.
Impact
Request smuggling is possible when running behind a proxy that doesn't handle Content-Length and Transfer-Encoding properly or doesn't handle a lone \n as a header separator.
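An added example, not taken from the advisory or from Ktor's code: a strict pre-parse check that flags the two conditions named above (a lone \n used as a line ending, and Content-Length sent together with Transfer-Encoding) in a raw HTTP/1.1 request head. The function name, finding labels and sample heads are assumptions made for illustration; rejecting outright is the strict policy assumed here.

```python
import re

# Added illustration with hypothetical names; this is not Ktor's parser or its 1.3.0 fix.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")  # RFC 7230 field-name characters

def smuggling_findings(head: bytes) -> list:
    """Reasons to reject a raw HTTP/1.1 request head (request line through blank line)."""
    findings = []
    # A lone LF is a line end to some parsers and plain data to others.
    if re.search(rb"(?<!\r)\n", head):
        findings.append("bare-lf")
    lengths, encodings = [], []
    # Split leniently so fields placed after a lone LF are still inspected.
    for line in re.split(rb"\r?\n", head)[1:]:
        if not line:
            break  # end of the header block
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.fullmatch(name):
            findings.append("malformed-header")  # e.g. whitespace before the colon
            continue
        value = value.strip(b" \t")
        if name.lower() == b"content-length":
            lengths.append(value)
        elif name.lower() == b"transfer-encoding":
            encodings.append(value.lower())
    # Both framing headers present: two hops may disagree on where the body ends.
    if lengths and encodings:
        findings.append("cl-and-te")
    if len(set(lengths)) > 1 or any(not v.isdigit() for v in lengths):
        findings.append("bad-content-length")
    if encodings and encodings[-1].split(b",")[-1].strip() != b"chunked":
        findings.append("te-not-final-chunked")
    return findings

# Constructed sample heads (not captured traffic); example.test is a placeholder host.
SAMPLES = {
    "clean": b"POST /x HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\n",
    "cl_and_te": b"POST /x HTTP/1.1\r\nHost: example.test\r\n"
                 b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n",
    "bare_lf": b"POST /x HTTP/1.1\r\nHost: example.test\n"
               b"Transfer-Encoding: chunked\r\nContent-Length: 5\r\n\r\n",
    "spaced_name": b"POST /x HTTP/1.1\r\nHost: example.test\r\n"
                   b"Content-Length: 5\r\nTransfer-Encoding : chunked\r\n\r\n",
}

if __name__ == "__main__":
    for label, head in SAMPLES.items():
        print(label, smuggling_findings(head))
```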
Patches
https://github.com/ktorio/ktor/pull/1547
Workarounds
None except migrating to a better proxy.
References
https://portswigger.net/web-security/request-smuggling
https://tools.ietf.org/html/rfc7230#section-9.5
Packages
Name: io.ktor:ktor-client-cio (maven)
Affected versions: < 1.3.0
Fixed version: 1.3.0

Name: io.ktor:ktor-server-cio (maven)
Affected versions: < 1.3.0
Fixed version: 1.3.0
Related vulnerabilities
CVSS3: 5.4
nvd
about 6 years ago
In Ktor before 1.3.0, request smuggling is possible when running behind a proxy that doesn't handle Content-Length and Transfer-Encoding properly or doesn't handle \n as a headers separator.