Vulnerabilities > Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2024-11-17 | CVE-2023-4639 | A flaw was found in Undertow, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. | 7.4 |
2024-10-08 | CVE-2024-9622 | A vulnerability was found in the resteasy-netty4 library arising from improper handling of HTTP requests using smuggling techniques. | 5.3 |
2024-09-19 | CVE-2024-45614 | HTTP Request Smuggling vulnerability in Puma. Puma is a Ruby/Rack web server built for parallelism. | 5.4 |
2024-09-08 | CVE-2024-42342 | HTTP Request Smuggling vulnerability in Loway Queuemetrics 22.11.6/23.09/24.05. Loway - CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') | 4.3 |
2024-07-26 | CVE-2023-38522 | HTTP Request Smuggling vulnerability in Apache Traffic Server. Apache Traffic Server accepts characters that are not allowed for HTTP field names and forwards malformed requests to origin servers. | 7.5 |
2024-07-26 | CVE-2024-35161 | HTTP Request Smuggling vulnerability in Apache Traffic Server. Apache Traffic Server forwards malformed HTTP chunked trailer section to origin servers. | 7.5 |
2024-06-10 | CVE-2024-22279 | HTTP Request Smuggling vulnerability in Cloudfoundry Cf-Deployment and Routing Release. Improper handling of requests in Routing Release > v0.273.0 and <= v0.297.0 allows an unauthenticated attacker to degrade the service availability of the Cloud Foundry deployment if performed at scale. | 7.5 |
2024-06-04 | CVE-2024-23326 | HTTP Request Smuggling vulnerability in Envoyproxy Envoy. Envoy is a cloud-native, open source edge and service proxy. | 8.2 |
2024-02-08 | CVE-2024-23452 | HTTP Request Smuggling vulnerability in Apache Brpc. Request smuggling vulnerability in the HTTP server in Apache bRPC 0.9.5~1.7.0 on all platforms allows an attacker to smuggle requests. Vulnerability cause: the http_parser does not comply with the RFC-7230 HTTP 1.1 specification. Attack scenario: if a message is received with both a Transfer-Encoding and a Content-Length header field, such a message might indicate an attempt to perform request smuggling or response splitting. One particular attack scenario is a bRPC-made HTTP server on the backend receiving requests over one persistent connection from a frontend server that uses TE to parse requests, with the logic that 'chunk' is contained in the TE field. | 7.5 |
2024-01-29 | CVE-2024-23829 | HTTP Request Smuggling vulnerability in multiple products. aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. | 6.5 |