NN-2020:1-01

NGINX allows HTTP request smuggling

Last update: 2020-02-25

Advisory ID: NN-2020:1-01
Topic: NGINX allows HTTP request smuggling
Impact: None
Issue date: 2020-02-25
Affects: None
CVE Name(s): CVE-2019-20372
CVSS Score: 5.3
CVE Risk Level: Medium
Risk Level for Nozomi customers: None

Summary

Under certain special configurations, NGINX permits HTTP request smuggling, which can allow an attacker to access web pages they are not authorized to view.

Impact

None

Affected Products

Our products are not affected by this issue because the configuration used is not vulnerable.

Workarounds and Mitigations

Not required

Solutions

Not required

Modification History

2020-02-25: Initial revision

Related Links

https://nvd.nist.gov/vuln/detail/CVE-2019-20372

https://bertjwregeer.keybase.pub/2019-12-10%20-%20error_page%20request%20smuggling.pdf

Acknowledgements

Bert JW Regeer (bert.regeer@getcruise.com), Francisco Oca Gonzalez (francisco.oca@getcruise.com)

Contact

The Nozomi Networks Product Security team can be reached at prodsec@nozominetworks.com. More contact details are available on the PSIRT page.