GHSA-3892-2r52-p65m

Source

https://github.com/advisories/GHSA-3892-2r52-p65m

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-3892-2r52-p65m/GHSA-3892-2r52-p65m.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-3892-2r52-p65m

Aliases

CVE-2020-7671
SNYK-RUBY-GOLIATH-569136

Published

2021-05-24T18:20:07Z

Modified

2023-11-08T04:04:03.855869Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

HTTP Request Smuggling in goliath

Details

goliath through 1.0.6 allows request smuggling attacks where goliath is used as a backend and a frontend proxy also being vulnerable. It is possible to conduct HTTP request smuggling attacks by sending the Content-Length header twice. Furthermore, invalid Transfer Encoding headers were found to be parsed as valid which could be leveraged for TE:CL smuggling attacks.

Database specific

{
    "nvd_published_at": "2020-06-10T16:15:00Z",
    "github_reviewed_at": "2021-05-13T17:20:47Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-444"
    ]
}

References

Affected packages

RubyGems / goliath

Package

Name: goliath
Purl: pkg:gem/goliath

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

1.0.6

Affected versions

0.*

0.9.0

0.9.1

0.9.2

0.9.4

1.*

1.0.0.beta.1

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6