NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer.
The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
| Link | Tags |
|---|---|
| https://bertjwregeer.keybase.pub/2019-12-10%20-%20error_page%20request%20smuggling.pdf | mitigation third party advisory exploit |
| http://nginx.org/en/CHANGES | vendor advisory mitigation release notes |
| https://duo.com/docs/dng-notes#version-1.5.4-january-2020 | third party advisory release notes |
| https://github.com/kubernetes/ingress-nginx/pull/4859 | third party advisory patch |
| https://github.com/nginx/nginx/commit/c1be55f97211d38b69ac0c2027e6812ab8b1b94e | patch vendor advisory |
| https://usn.ubuntu.com/4235-1/ | third party advisory vendor advisory |
| https://usn.ubuntu.com/4235-2/ | third party advisory vendor advisory |
| https://security.netapp.com/advisory/ntap-20200127-0003/ | third party advisory |
| http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00013.html | vendor advisory mailing list third party advisory |
| https://support.apple.com/kb/HT212818 | third party advisory |
| http://seclists.org/fulldisclosure/2021/Sep/36 | third party advisory mailing list |