CVE-2019-20372 Information
Share on:Description
NGINX before 1.17.7 with certain error_page configurations allows HTTP request smuggling as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Reference
http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00013.html http://nginx.org/en/CHANGES https://bertjwregeer.keybase.pub/2019-12-1020-20error_page20request20smuggling.pdf https://duo.com/docs/dng-notesversion-1.5.4-january-2020 https://github.com/kubernetes/ingress-nginx/pull/4859 https://github.com/nginx/nginx/commit/c1be55f97211d38b69ac0c2027e6812ab8b1b94e https://security.netapp.com/advisory/ntap-20200127-0003/ https://usn.ubuntu.com/4235-1/ https://usn.ubuntu.com/4235-2/
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
NONE
Confidentiality Impact
UNCHANGED
Integrity Impact
LOW
Availability Impact
NONE
Base Score
NONE
Base Severity
5.3