漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
nghttp2 nghttpx - HTTP Request/Response Smuggling via Upgrade Request with Content-Length
Vulnerability Description
nghttp2's nghttpx proxy through 1.69.0 forwards an HTTP/1.1 Upgrade request that also carries a Content-Length header and body onto reusable keep-alive backend connections, re-adding the Upgrade and Connection headers while passing Content-Length verbatim. A backend that resolves the resulting ambiguous message in the attacker's favor enables HTTP request/response smuggling and cross-client response-queue poisoning.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Vulnerability Type
HTTP请求的解释不一致性(HTTP请求私运)
Vulnerability Title
nghttp2 输入验证错误漏洞
Vulnerability Description
nghttp2是nghttp2团队开源的一个 C 库。 nghttp2 1.69.0及之前版本存在输入验证错误漏洞,该漏洞源于HTTP请求处理逻辑问题,导致后端服务器解决歧义消息时,可能遭受HTTP请求/响应夹带攻击和跨客户端响应队列投毒。
CVSS Information
N/A
Vulnerability Type
N/A