Insufficient Protection against HTTP Request Smuggling in mitmproxy
CVE-2022-24766

9.8CRITICAL

Key Information:

Vendor

Mitmproxy

Status
Mitmproxy
Vendor
CVE Published:
21 March 2022

What is CVE-2022-24766?

mitmproxy is an interactive, SSL/TLS-capable intercepting proxy. In mitmproxy 7.0.4 and below, a malicious client or server is able to perform HTTP request smuggling attacks through mitmproxy. This means that a malicious client/server could smuggle a request/response through mitmproxy as part of another request/response's HTTP message body. While mitmproxy would only see one request, the target server would see multiple requests. A smuggled request is still captured as part of another request's body, but it does not appear in the request list and does not go through the usual mitmproxy event hooks, where users may have implemented custom access control checks or input sanitization. Unless mitmproxy is used to protect an HTTP/1 service, no action is required. The vulnerability has been fixed in mitmproxy 8.0.0 and above. There are currently no known workarounds.

Affected Version(s)

mitmproxy <= 7.0.4

References

https://github.com/mitmproxy/mitmproxy/security/advisorie...
x_refsource_CONFIRM
https://github.com/mitmproxy/mitmproxy/commit/b06fb6d1570...
x_refsource_MISC
https://mitmproxy.org/posts/releases/mitmproxy8/
x_refsource_MISC

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.