CVE-2020-7671

HIGH

Goliath < 1.0.6 - HTTP Request Smuggling

Title source: rule

Description

goliath through 1.0.6 allows request smuggling attacks where goliath is used as a backend and a frontend proxy also being vulnerable. It is possible to conduct HTTP request smuggling attacks by sending the Content-Length header twice. Furthermore, invalid Transfer Encoding headers were found to be parsed as valid which could be leveraged for TE:CL smuggling attacks.

References (2)

[Issue Tracking] https://github.com/postrank-labs/goliath/issues/351%2C

[Third Party Advisory] https://snyk.io/vuln/SNYK-RUBY-GOLIATH-569136

Scores

CVSS v3 7.5

EPSS 0.0024

EPSS Percentile 47.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE

CWE-444

Status published

Products (2)

goliath_project/goliath < 1.0.6

rubygems/goliath 0RubyGems

Published Jun 10, 2020

Tracked Since Feb 18, 2026