GHSA-3892-2r52-p65m

Source

https://github.com/advisories/GHSA-3892-2r52-p65m

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-3892-2r52-p65m/GHSA-3892-2r52-p65m.json

Aliases

CVE-2020-7671
SNYK-RUBY-GOLIATH-569136

Published

2021-05-24T18:20:07Z

Modified

2023-11-08T04:04:03.855869Z

Details

goliath through 1.0.6 allows request smuggling attacks where goliath is used as a backend and a frontend proxy also being vulnerable. It is possible to conduct HTTP request smuggling attacks by sending the Content-Length header twice. Furthermore, invalid Transfer Encoding headers were found to be parsed as valid which could be leveraged for TE:CL smuggling attacks.

References

Affected packages

RubyGems / goliath

Package

Name: goliath

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Last affected

1.0.6

Affected versions

0.*

0.9.0

0.9.1

0.9.2

0.9.4

1.*

1.0.0.beta.1

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6