Inconsistent interpretation of HTTP requests in nginx - CVE-2019-20372
Published: January 13, 2020 / Updated: May 9, 2025
Vulnerability identifier: #VU24230
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green
CVE-ID: CVE-2019-20372
CWE-ID: CWE-444
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vendor: F5 Networks
Affected software:
nginx
nginx
Detailed vulnerability description
The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists with certain error_page configurations. A remote attacker can read unauthorized web pages in environments where NGINX is being fronted by a load balancer.
How to mitigate CVE-2019-20372
Install updates from vendor's website.
Sources
- http://nginx.org/en/CHANGES
- https://bertjwregeer.keybase.pub/2019-12-10%20-%20error_page%20request%20smuggling.pdf
- https://duo.com/docs/dng-notes#version-1.5.4-january-2020
- https://github.com/kubernetes/ingress-nginx/pull/4859
- https://github.com/nginx/nginx/commit/c1be55f97211d38b69ac0c2027e6812ab8b1b94e