CVE-2021-39214 Information

Description

mitmproxy is an interactive SSL/TLS-capable intercepting proxy. In mitmproxy 7.0.2 and below a malicious client or server is able to perform HTTP request smuggling attacks through mitmproxy. This means that a malicious client/server could smuggle a request/response through mitmproxy as part of another request/response’s HTTP message body. While a smuggled request is still captured as part of another request’s body it does not appear in the request list and does not go through the usual mitmproxy event hooks where users may have implemented custom access control checks or input sanitization. Unless one uses mitmproxy to protect an HTTP/1 service no action is required. The vulnerability has been fixed in mitmproxy 7.0.3 and above.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://github.com/mitmproxy/mitmproxy/security/advisories/GHSA-22gh-3r9q-xf38

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

9.8