CVE-2020-7670 - OpenCVE

agoo prior to 2.14.0 allows request smuggling attacks where agoo is used as a backend and a frontend proxy also being vulnerable. HTTP pipelining issues and request smuggling attacks might be possible due to incorrect Content-Length and Transfer encoding header parsing. It is possible to conduct HTTP request smuggling attacks where `agoo` is used as part of a chain of backend servers due to insufficient `Content-Length` and `Transfer Encoding` parsing.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ohler	Agoo

Configuration 1 [-]

cpe:2.3:a:ohler:agoo:*:*:*:*:*:ruby:*:*

No data.

References

Link	Providers
https://github.com/ohler55/agoo/commit/23d03535cf7b50d679a60a953a0cae9519a4a130
https://github.com/ohler55/agoo/issues/88
https://snyk.io/vuln/SNYK-RUBY-AGOO-569137

History

No history.

MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2020-06-10T15:36:01

Updated: 2024-08-04T09:41:00.497Z

Reserved: 2020-01-21T00:00:00

Link: CVE-2020-7670

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-06-10T16:15:10.540

Modified: 2020-11-17T00:15:15.710

Link: CVE-2020-7670

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "agoo", "vendor": "n/a", "versions": [{"status": "affected", "version": "versions prior to 2.14.0"}]}], "descriptions": [{"lang": "en", "value": "agoo prior to 2.14.0 allows request smuggling attacks where agoo is used as a backend and a frontend proxy also being vulnerable. HTTP pipelining issues and request smuggling attacks might be possible due to incorrect Content-Length and Transfer encoding header parsing. It is possible to conduct HTTP request smuggling attacks where `agoo` is used as part of a chain of backend servers due to insufficient `Content-Length` and `Transfer Encoding` parsing."}], "problemTypes": [{"descriptions": [{"description": "HTTP Request Smuggling", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-11-16T23:43:02", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-RUBY-AGOO-569137"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ohler55/agoo/issues/88"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ohler55/agoo/commit/23d03535cf7b50d679a60a953a0cae9519a4a130"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "report@snyk.io", "ID": "CVE-2020-7670", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "agoo", "version": {"version_data": [{"version_value": "versions prior to 2.14.0"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "agoo prior to 2.14.0 allows request smuggling attacks where agoo is used as a backend and a frontend proxy also being vulnerable. HTTP pipelining issues and request smuggling attacks might be possible due to incorrect Content-Length and Transfer encoding header parsing. It is possible to conduct HTTP request smuggling attacks where `agoo` is used as part of a chain of backend servers due to insufficient `Content-Length` and `Transfer Encoding` parsing."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "HTTP Request Smuggling"}]}]}, "references": {"reference_data": [{"name": "https://snyk.io/vuln/SNYK-RUBY-AGOO-569137", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-RUBY-AGOO-569137"}, {"name": "https://github.com/ohler55/agoo/issues/88", "refsource": "MISC", "url": "https://github.com/ohler55/agoo/issues/88"}, {"name": "https://github.com/ohler55/agoo/commit/23d03535cf7b50d679a60a953a0cae9519a4a130", "refsource": "MISC", "url": "https://github.com/ohler55/agoo/commit/23d03535cf7b50d679a60a953a0cae9519a4a130"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:41:00.497Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-RUBY-AGOO-569137"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ohler55/agoo/issues/88"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ohler55/agoo/commit/23d03535cf7b50d679a60a953a0cae9519a4a130"}]}]}, "cveMetadata": {"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2020-7670", "datePublished": "2020-06-10T15:36:01", "dateReserved": "2020-01-21T00:00:00", "dateUpdated": "2024-08-04T09:41:00.497Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ohler:agoo:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "6A41F130-9592-48D6-9B78-86D688B56D5A", "versionEndIncluding": "2.12.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "agoo prior to 2.14.0 allows request smuggling attacks where agoo is used as a backend and a frontend proxy also being vulnerable. HTTP pipelining issues and request smuggling attacks might be possible due to incorrect Content-Length and Transfer encoding header parsing. It is possible to conduct HTTP request smuggling attacks where `agoo` is used as part of a chain of backend servers due to insufficient `Content-Length` and `Transfer Encoding` parsing."}, {"lang": "es", "value": "agoo versiones anteriores a la 2.14.0 permite ataques de tr\u00e1fico no autorizado de peticiones donde se usa agoo como backend y un proxy frontend tambi\u00e9n es vulnerable. Los problemas de canalizaci\u00f3n de HTTP y los ataques de contrabando de peticiones pueden ser posibles debido a un an\u00e1lisis incorrecto de la cabecera de codificaci\u00f3n de contenido y transferencia. Es posible llevar a cabo ataques de contrabando de peticiones HTTP donde \"agoo\" es usado como parte de una cadena de servidores de backend debido a un an\u00e1lisis insuficiente de la \"longitud del contenido\" y de la \"codificaci\u00f3n de transferencia\"."}], "id": "CVE-2020-7670", "lastModified": "2020-11-17T00:15:15.710", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-06-10T16:15:10.540", "references": [{"source": "report@snyk.io", "url": "https://github.com/ohler55/agoo/commit/23d03535cf7b50d679a60a953a0cae9519a4a130"}, {"source": "report@snyk.io", "url": "https://github.com/ohler55/agoo/issues/88"}, {"source": "report@snyk.io", "tags": ["Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-RUBY-AGOO-569137"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-444"}], "source": "nvd@nist.gov", "type": "Primary"}]}