Vulnerabilities > Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-01-22 | CVE-2019-16792 | HTTP Request Smuggling vulnerability in multiple products Waitress through version 1.3.1 allows request smuggling by sending the Content-Length header twice. | 5.0 |
2020-01-09 | CVE-2019-20372 | HTTP Request Smuggling vulnerability in multiple products NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer. | 4.3 |
2019-12-26 | CVE-2019-16789 | HTTP Request Smuggling vulnerability in multiple products In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling. | 8.2 |
2019-12-20 | CVE-2019-16786 | HTTP Request Smuggling vulnerability in multiple products Waitress through version 1.3.1 would parse the Transfer-Encoding header and only look for a single string value, if that value was not chunked it would fall through and use the Content-Length header instead. | 7.5 |
2019-12-20 | CVE-2019-16785 | HTTP Request Smuggling vulnerability in multiple products Waitress through version 1.3.1 implemented a "MAY" part of the RFC7230 which states: "Although the line terminator for the start-line and header fields is the sequence CRLF, a recipient MAY recognize a single LF as a line terminator and ignore any preceding CR." Unfortunately if a front-end server does not parse header fields with an LF the same way as it does those with a CRLF it can lead to the front-end and the back-end server parsing the same HTTP message in two different ways. | 7.5 |
2019-11-26 | CVE-2019-18678 | HTTP Request Smuggling vulnerability in multiple products An issue was discovered in Squid 3.x and 4.x through 4.8. | 5.3 |
2019-10-23 | CVE-2019-18277 | HTTP Request Smuggling vulnerability in Haproxy A flaw was found in HAProxy before 2.0.6. | 7.5 |
2019-10-02 | CVE-2019-15272 | HTTP Request Smuggling vulnerability in Cisco Unified Communications Manager A vulnerability in the web-based interface of Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition (SME) could allow an unauthenticated, remote attacker to bypass security restrictions. | 6.4 |
2019-09-30 | CVE-2019-16276 | HTTP Request Smuggling vulnerability in multiple products Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling. | 7.5 |
2019-09-26 | CVE-2019-16869 | HTTP Request Smuggling vulnerability in multiple products Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling. | 7.5 |