NN-2020:1-01
NGINX allows HTTP request smuggling
Last update: 2024-05-20
| Advisory ID | NN-2020:1-01 |
|---|---|
| Topic | NGINX allows HTTP request smuggling |
| CWE Impact | |
| Issue date | 2020-02-25 |
| Affects | N/A |
| CVE Name(s) | CVE-2019-20372 |
| CVSS Details | |
| CVSS Score | 5.3 (CVSS v3.1) |
| CVE Risk Level | Medium (CVSS v3.1) |
| Risk Level for Nozomi customers | None |
Summary
Under some special configuration NGINX permits HTTP request smuggling which can lead an attacker to access unauthorized web pages.
Impact
None. Our products are not affected by this issue because the configuration used is not vulnerable.
Affected Products
N/A
Workarounds and Mitigations
Not required
Solutions
Not required
Modification History
2020-02-25: Initial revision
2023-09-04: Minor updates to format and metadata to improve the CSAF implementation
2023-11-13: Migrated to CSAF VEX format
2023-11-16: CSAF vers improvements
2024-05-20: Replaced offline reference link with an archived copy
Related Links
Acknowledgements
We thank the following parties for their efforts:
- Bert JW Regeer (bert.regeer@getcruise.com), Francisco Oca Gonzalez (francisco.oca@getcruise.com) of Cruise for their NGINX vulnerability advisory
Contact
Nozomi Networks Product Security team can be reached at prodsec@nozominetworks.com.More contact details on the PSIRT page.