CVE-2020-7670
HIGHagoo < 2.14.0 - HTTP Request Smuggling via Incorrect Content-Length and Transfer Encoding Parsing
Title source: llmDescription
agoo prior to 2.14.0 allows request smuggling attacks where agoo is used as a backend and a frontend proxy also being vulnerable. HTTP pipelining issues and request smuggling attacks might be possible due to incorrect Content-Length and Transfer encoding header parsing. It is possible to conduct HTTP request smuggling attacks where `agoo` is used as part of a chain of backend servers due to insufficient `Content-Length` and `Transfer Encoding` parsing.
References (3)
Core 3
Core References
Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-RUBY-AGOO-569137
Issue Tracking x_refsource_misc
https://github.com/ohler55/agoo/issues/88
Patch x_refsource_misc
https://github.com/ohler55/agoo/commit/23d03535cf7b50d679a60a953a0cae9519a4a130
Scores
CVSS v3
7.5
EPSS
0.0117
EPSS Percentile
63.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-444
Status
published
Products (2)
ohler/agoo
< 2.12.3
rubygems/agoo
0RubyGems
Published
Jun 10, 2020
Tracked Since
Feb 18, 2026