CVE-2020-5207

Опубликовано: 27 янв. 2020

Источник: nvd

CVSS3: 5.4

CVSS3: 7.5

CVSS2: 5

EPSS Низкий

Описание

In Ktor before 1.3.0, request smuggling is possible when running behind a proxy that doesn't handle Content-Length and Transfer-Encoding properly or doesn't handle \n as a headers separator.

Ссылки

https://github.com/ktorio/ktor/pull/1547
Patch
Third Party Advisory
https://github.com/ktorio/ktor/security/advisories/GHSA-xrr9-rh8p-433v
Third Party Advisory
https://github.com/ktorio/ktor/pull/1547
Patch
Third Party Advisory
https://github.com/ktorio/ktor/security/advisories/GHSA-xrr9-rh8p-433v
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:jetbrains:ktor:*:*:*:*:*:*:*:*

Версия до 1.3.0 (исключая)

EPSS

Процентиль: 0%

0.00004

Низкий

5.4 Medium

CVSS3

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-444

Связанные уязвимости

GHSA-xrr9-rh8p-433v

CVSS3: 5.4

github

около 6 лет назад

Request smuggling is possible when both chunked TE and content length specified

EPSS

Процентиль: 0%

0.00004

Низкий

5.4 Medium

CVSS3

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-444