Vulnerabilities > Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

DATE CVE VULNERABILITY TITLE RISK
2020-02-24 CVE-2020-1935 HTTP Request Smuggling vulnerability in multiple products
In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid.
network
high complexity
apache debian canonical opensuse netapp oracle CWE-444
4.8
4.8
2020-02-24 CVE-2019-17569 HTTP Request Smuggling vulnerability in multiple products
The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression.
network
high complexity
apache opensuse netapp debian oracle CWE-444
4.8
4.8
2020-02-08 CVE-2015-5741 HTTP Request Smuggling vulnerability in multiple products
The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request that contains Content-Length and Transfer-Encoding header fields.
network
low complexity
golang redhat CWE-444
critical
 9.8
9.8
2020-02-07 CVE-2019-15605 HTTP Request Smuggling vulnerability in multiple products
HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed
network
low complexity
nodejs debian fedoraproject opensuse redhat oracle CWE-444
critical
 9.8
9.8
2020-01-29 CVE-2019-20445 HTTP Request Smuggling vulnerability in multiple products
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
network
low complexity
netty debian fedoraproject canonical redhat apache CWE-444
critical
 9.1
9.1
2020-01-29 CVE-2019-20444 HTTP Request Smuggling vulnerability in multiple products
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
network
low complexity
netty debian fedoraproject canonical redhat CWE-444
critical
 9.1
9.1
2020-01-27 CVE-2020-5218 HTTP Request Smuggling vulnerability in Sylius
Affected versions of Sylius give attackers the ability to switch channels via the _channel_code GET parameter in production environments.
network
low complexity
sylius CWE-444
4.3
4.3
2020-01-27 CVE-2020-5207 HTTP Request Smuggling vulnerability in Jetbrains Ktor
In Ktor before 1.3.0, request smuggling is possible when running behind a proxy that doesn't handle Content-Length and Transfer-Encoding properly or doesn't handle \n as a headers separator.
network
low complexity
jetbrains CWE-444
7.5
7.5
2020-01-27 CVE-2020-7238 HTTP Request Smuggling vulnerability in multiple products
Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header.
network
low complexity
netty fedoraproject debian redhat CWE-444
7.5
7.5
2020-01-22 CVE-2019-16792 HTTP Request Smuggling vulnerability in multiple products
Waitress through version 1.3.1 allows request smuggling by sending the Content-Length header twice.
network
low complexity
agendaless oracle debian CWE-444
7.5
7.5