Vulnerabilities > Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

DATE CVE VULNERABILITY TITLE RISK
2023-01-13 CVE-2022-41721 HTTP Request Smuggling vulnerability in Golang H2C
A request smuggling attack is possible when using MaxBytesHandler.
network
low complexity
golang CWE-444
7.5
2022-12-05 CVE-2022-35256 HTTP Request Smuggling vulnerability in multiple products
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CRLF.
network
low complexity
nodejs llhttp siemens debian CWE-444
6.5
2022-11-23 CVE-2022-38114 HTTP Request Smuggling vulnerability in Solarwinds Security Event Manager
This vulnerability occurs when a web server fails to correctly process the Content-Length of POST requests.
network
low complexity
solarwinds CWE-444
6.1
2022-11-09 CVE-2022-45059 HTTP Request Smuggling vulnerability in multiple products
An issue was discovered in Varnish Cache 7.x before 7.1.2 and 7.2.x before 7.2.1.
7.5
2022-11-01 CVE-2022-42252 HTTP Request Smuggling vulnerability in Apache Tomcat
If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.
network
low complexity
apache CWE-444
7.5
2022-10-14 CVE-2022-2880 HTTP Request Smuggling vulnerability in Golang GO
Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http.
network
low complexity
golang CWE-444
7.5
2022-09-30 CVE-2022-21826 HTTP Request Smuggling vulnerability in multiple products
Pulse Secure version 9.115 and below may be susceptible to client-side HTTP request smuggling. When the application receives a POST request, it ignores the request's Content-Length header and leaves the POST body on the TCP/TLS socket.
network
low complexity
pulsesecure ivanti CWE-444
5.4
2022-08-31 CVE-2022-2466 HTTP Request Smuggling vulnerability in Quarkus
It was found that Quarkus 2.10.x does not terminate HTTP requests header context which may lead to unpredictable behavior.
network
low complexity
quarkus CWE-444
critical
9.8
2022-08-15 CVE-2022-33988 HTTP Request Smuggling vulnerability in Dproxy-Nexgen Project Dproxy-Nexgen
dproxy-nexgen (aka dproxy nexgen) re-uses the DNS transaction id (TXID) value from client queries, which allows attackers (able to send queries to the resolver) to conduct DNS cache-poisoning attacks because the TXID value is known to the attacker.
network
low complexity
dproxy-nexgen-project CWE-444
7.5
2022-08-10 CVE-2022-1705 HTTP Request Smuggling vulnerability in Golang GO
Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid.
network
low complexity
golang CWE-444
6.5