CVE-2019-20372

Common vulnerabilities & exposures (CVE)

CVE database CVE database blogpost Release & EoL database

Published at: - 09-01-2020 10:15

Last modified: - 06-04-2022 06:10

Total changes: - 5

Description

NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Low

Attack complexity

Network

Attack vector

None

Availability

Low

Confidentiality

None

Integrity

None

Privileges required

Unchanged

Scope

None

User interaction

5.3

Base score

3.9

1.4

Exploitability score

Impact score

Verification logic

vendor=f5 AND product=NGINX AND versionEndExcluding=1.17.7

vendor=apple AND product=xcode AND versionEndExcluding=13.0

vendor=canonical AND product=ubuntu_linux AND version=14.04 AND software_edition=esm

vendor=opensuse AND product=leap AND version=15.1

vendor=netapp AND product=cloud_backup AND version=-

Reference

https://github.com/kubernetes/ingress-nginx/pull/4859
https://bertjwregeer.keybase.pub/2019-12-10%20-%20error_page%20request%20smuggling.pdf
https://duo.com/docs/dng-notes#version-1.5.4-january-2020
http://nginx.org/en/CHANGES
https://github.com/nginx/nginx/commit/c1be55f97211d38b69ac0c2027e6812ab8b1b94e
USN-4235-1-Third Party Advisory
USN-4235-2-Third Party Advisory
https://security.netapp.com/advisory/ntap-20200127-0003/
openSUSE-SU-2020:0204-Mailing List, Third Party Advisory
https://support.apple.com/kb/HT212818
20210921 APPLE-SA-2021-09-20-4 Xcode 13-Mailing List, Third Party Advisory

Keywords

CVE-2019-20372

Common vulnerabilities & exposures (CVE)

Description

Common Vulnerability Scoring System (CVSS)

Verification logic

Reference

NVD

CVE-2019-20372

CVE

Common vulnerabilities & exposures

CVSS

Common vulnerability scoring system

Security

Vulnerabilities

Exposures