
HTTP Request Smuggling in Netius library



Published: 2020-05-22
Severity: Medium
Patch available: Yes
Number of vulnerabilities: 1
CVE ID: CVE-2020-7655
CWE ID: CWE-444
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Netius (Universal components / Libraries / Libraries used by multiple products)
Vendor: Hive Solutions

Security Advisory

This security advisory describes one medium risk vulnerability.

1) Inconsistent interpretation of HTTP requests

Severity: Medium

CVSSv3: 5.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-7655

CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform an HTTP request smuggling attack.

The vulnerability exists due to incorrect parsing of the Transfer-Encoding header, which can lead to CL:TE or TE:TE desynchronisation between front-end and back-end HTTP parsers. A remote attacker can send a specially crafted HTTP request and perform an HTTP request smuggling attack.
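The parsing failure described above is closed by refusing to guess: the check below is an added example (not Netius's own code) of the strict request-framing rule a server should apply, following RFC 7230 section 3.3.3. The function names `parse_headers`, `framing` and `check` and the constructed header blocks are assumptions, not anything from the advisory.

```python
# Added example, not Netius code: strict body framing that refuses CL:TE and
# TE:TE ambiguity instead of normalising it. Transfer-Encoding and
# Content-Length are never both honoured; only one exact "chunked" is accepted.
import re

class FramingError(ValueError):
    """The body length of this request cannot be determined unambiguously."""

def parse_headers(raw):
    """Parse a CRLF-separated header block (bytes) into (name, value) pairs."""
    headers = []
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        if line[:1] in (b" ", b"\t"):
            raise FramingError("obsolete line folding is not accepted")
        name, sep, value = line.partition(b":")
        # Whitespace inside the name ("Transfer-Encoding : ...") lets one
        # parser see the header while another ignores it, so reject it.
        if not sep or not name or re.search(rb"\s", name):
            raise FramingError("malformed header line")
        headers.append((name.lower(), value.strip()))
    return headers

def framing(headers):
    """Return ("chunked", None), ("length", n) or ("none", None)."""
    te = [v for n, v in headers if n == b"transfer-encoding"]
    cl = [v for n, v in headers if n == b"content-length"]
    if te and cl:
        raise FramingError("both Transfer-Encoding and Content-Length present")
    if te:
        # Duplicate TE headers, chained codings or padded/obfuscated values
        # (the TE:TE case) are refused rather than normalised.
        if len(te) != 1 or te[0].lower() != b"chunked":
            raise FramingError("unsupported or obfuscated Transfer-Encoding")
        return ("chunked", None)
    if cl:
        if len(set(cl)) != 1 or not re.fullmatch(rb"[0-9]+", cl[0]):
            raise FramingError("invalid or conflicting Content-Length")
        return ("length", int(cl[0]))
    return ("none", None)

def check(raw):
    """Convenience wrapper: ("ok", framing) or ("reject", reason)."""
    try:
        return ("ok", framing(parse_headers(raw)))
    except FramingError as exc:
        return ("reject", str(exc))
```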

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Netius: 1.5.9, 1.5.10, 1.5.11, 1.5.12, 1.5.13, 1.5.14, 1.5.15, 1.5.16, 1.5.17, 1.5.18, 1.5.19, 1.5.20, 1.5.21, 1.5.22, 1.5.23, 1.5.24, 1.5.25, 1.5.26, 1.5.27, 1.5.28, 1.5.29, 1.5.30, 1.5.31, 1.5.32, 1.5.33, 1.5.34, 1.5.35, 1.5.36, 1.5.37, 1.5.38, 1.5.39, 1.5.40, 1.5.41, 1.5.42, 1.5.43, 1.5.44, 1.5.45, 1.5.46, 1.5.47, 1.5.48, 1.5.49, 1.5.50, 1.5.51, 1.5.52, 1.5.53, 1.5.54, 1.5.55, 1.5.56, 1.5.57, 1.5.58, 1.5.59, 1.5.60, 1.5.61, 1.5.62, 1.5.63, 1.5.64, 1.5.65, 1.5.66, 1.5.67, 1.5.68, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.6.8, 1.6.9, 1.6.10, 1.6.11, 1.6.12, 1.6.13, 1.6.14, 1.6.15, 1.6.16, 1.6.17, 1.6.18, 1.6.19, 1.6.20, 1.6.21, 1.6.22, 1.6.23, 1.6.24, 1.6.25, 1.6.26, 1.6.27, 1.6.28, 1.6.29, 1.6.30, 1.6.31, 1.6.32, 1.6.33, 1.6.34, 1.6.35, 1.6.36, 1.6.37, 1.6.38, 1.6.39, 1.6.40, 1.6.41, 1.6.42, 1.6.43, 1.6.44, 1.6.45, 1.6.46, 1.6.47, 1.6.48, 1.6.49, 1.6.50, 1.6.51, 1.6.52, 1.6.53, 1.6.54, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.7.8, 1.7.9, 1.7.10, 1.7.11, 1.7.12, 1.7.13, 1.7.14, 1.7.15, 1.7.16, 1.7.17, 1.7.18, 1.7.19, 1.7.20, 1.7.21, 1.7.22, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.8.6, 1.8.7, 1.8.8, 1.8.9, 1.8.10, 1.8.11, 1.8.12, 1.8.13, 1.8.14, 1.8.15, 1.8.16, 1.8.17, 1.8.18, 1.8.19, 1.8.20, 1.8.21, 1.8.22, 1.8.23, 1.8.24, 1.8.25, 1.8.26, 1.8.27, 1.8.28, 1.8.29, 1.8.30, 1.8.31, 1.8.32, 1.8.33, 1.8.34, 1.8.35, 1.8.36, 1.8.37, 1.8.38, 1.8.39, 1.8.40, 1.8.41, 1.8.42, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6, 1.9.7, 1.9.8, 1.9.9, 1.9.10, 1.9.11, 1.9.12, 1.9.13, 1.9.14, 1.9.15, 1.9.16, 1.9.17, 1.9.18, 1.9.19, 1.9.20, 1.9.21, 1.9.22, 1.9.23, 1.9.24, 1.9.25, 1.9.26, 1.9.27, 1.9.28, 1.9.29, 1.9.30, 1.9.31, 1.9.32, 1.9.33, 1.9.34, 1.9.35, 1.9.36, 1.9.37, 1.9.38, 1.9.39, 1.9.40, 1.9.41, 1.9.42, 1.9.43, 1.9.44, 1.9.45, 1.9.46, 1.9.47, 1.9.48, 1.9.49, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.10.4, 1.10.5, 1.10.6, 1.10.7, 1.10.8, 1.10.9, 1.10.10, 1.10.11, 1.11.0, 1.11.1, 1.11.2, 1.11.3, 1.11.4, 1.11.5, 1.11.6, 1.11.7, 1.11.8, 1.11.9, 
1.11.10, 1.11.11, 1.11.12, 1.11.13, 1.11.14, 1.11.15, 1.11.16, 1.11.17, 1.11.18, 1.11.19, 1.11.20, 1.11.21, 1.11.22, 1.11.23, 1.11.24, 1.11.25, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 1.12.5, 1.12.6, 1.12.7, 1.12.8, 1.12.9, 1.12.10, 1.12.11, 1.12.12, 1.12.13, 1.12.14, 1.12.15, 1.12.16, 1.12.17, 1.12.18, 1.12.19, 1.12.20, 1.12.21, 1.12.22, 1.12.23, 1.12.24, 1.12.25, 1.12.26, 1.12.27, 1.12.28, 1.12.29, 1.12.30, 1.12.31, 1.12.32, 1.12.33, 1.12.34, 1.12.35, 1.12.36, 1.12.37, 1.13.0, 1.13.1, 1.13.2, 1.13.3, 1.13.4, 1.13.5, 1.13.6, 1.13.7, 1.13.8, 1.13.9, 1.13.10, 1.13.11, 1.14.0, 1.14.1, 1.14.2, 1.14.3, 1.14.4, 1.14.5, 1.14.6, 1.14.7, 1.14.8, 1.14.9, 1.15.0, 1.15.1, 1.15.2, 1.15.3, 1.15.4, 1.15.5, 1.15.6, 1.15.7, 1.15.8, 1.15.9, 1.15.10, 1.15.11, 1.15.12, 1.15.13, 1.15.14, 1.15.15, 1.15.16, 1.16.0, 1.16.1, 1.16.2, 1.16.3, 1.16.4, 1.16.5, 1.16.6, 1.16.7, 1.16.8, 1.16.9, 1.16.10, 1.16.11, 1.16.12, 1.16.13, 1.16.14, 1.16.15, 1.16.16, 1.16.17, 1.16.18, 1.16.19, 1.16.20, 1.16.21, 1.16.22, 1.16.23, 1.16.24, 1.16.25, 1.16.26, 1.16.27, 1.16.28, 1.16.29, 1.16.30, 1.16.31, 1.16.32, 1.16.33, 1.16.34, 1.16.35, 1.16.36, 1.16.37, 1.16.38, 1.16.39, 1.16.40, 1.16.41, 1.16.42, 1.16.43, 1.16.44, 1.16.45, 1.16.46, 1.16.47, 1.16.48, 1.16.49, 1.16.50, 1.16.51, 1.16.52, 1.16.53, 1.16.54, 1.16.55, 1.16.56, 1.16.57, 1.17.0, 1.17.1, 1.17.2, 1.17.3, 1.17.4, 1.17.5, 1.17.6, 1.17.7, 1.17.8, 1.17.9, 1.17.10, 1.17.11, 1.17.12, 1.17.13, 1.17.14, 1.17.15, 1.17.16, 1.17.17, 1.17.18, 1.17.19, 1.17.20, 1.17.21, 1.17.22, 1.17.23, 1.17.24, 1.17.25, 1.17.26, 1.17.27, 1.17.28, 1.17.29, 1.17.30, 1.17.31, 1.17.32, 1.17.33, 1.17.34, 1.17.35, 1.17.36, 1.17.37, 1.17.38, 1.17.39, 1.17.40, 1.17.41, 1.17.42, 1.17.43, 1.17.44, 1.17.45, 1.17.46, 1.17.47, 1.17.48, 1.17.49, 1.17.50, 1.17.51, 1.17.52, 1.17.53, 1.17.54, 1.17.55, 1.17.56, 1.17.57

External links

https://snyk.io/vuln/SNYK-PYTHON-NETIUS-569141

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.