CVE-2020-7611

All versions of io.micronaut:micronaut-http-client before 1.2.11 and all versions from 1.3.0 before 1.3.2 are vulnerable to HTTP Request Header Injection due to not validating request headers passed to the client.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/micronaut-projects/micronaut-core/commit/9d1eff5c8df1d6cda1fe00ef046729b2a6abe7f1	Patch
https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-694p-xrhg-x3wm	Exploit Patch Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-IOMICRONAUT-561342	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:objectcomputing:micronaut::::::::
	cpe:2.3:a:objectcomputing:micronaut::::::::

History

No history.

Information

Published : 2020-03-30 22:15

Updated : 2023-12-10 13:27

NVD link : CVE-2020-7611

Mitre link : CVE-2020-7611

CVE.ORG link : CVE-2020-7611

JSON object : View

Products Affected

objectcomputing

micronaut

CWE

CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

{"id": "CVE-2020-7611", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2020-03-30T22:15:15.603", "references": [{"url": "https://github.com/micronaut-projects/micronaut-core/commit/9d1eff5c8df1d6cda1fe00ef046729b2a6abe7f1", "tags": ["Patch"], "source": "report@snyk.io"}, {"url": "https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-694p-xrhg-x3wm", "tags": ["Exploit", "Patch", "Third Party Advisory"], "source": "report@snyk.io"}, {"url": "https://snyk.io/vuln/SNYK-JAVA-IOMICRONAUT-561342", "tags": ["Exploit", "Third Party Advisory"], "source": "report@snyk.io"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-444"}]}], "descriptions": [{"lang": "en", "value": "All versions of io.micronaut:micronaut-http-client before 1.2.11 and all versions from 1.3.0 before 1.3.2 are vulnerable to HTTP Request Header Injection due to not validating request headers passed to the client."}, {"lang": "es", "value": "Todas las versiones de io.micronaut:micronaut-http-client versiones anteriores a 1.2.11 y todas las versiones desde 1.3.0 anteriores a 1.3.2, son vulnerables a una Inyecci\u00f3n de Encabezado de Petici\u00f3n HTTP, debido a que no comprueban los encabezados de petici\u00f3n pasados hacia el cliente."}], "lastModified": "2020-04-02T14:37:04.323", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:objectcomputing:micronaut:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1656466B-C668-4299-A9DB-0BEECB5E411E", "versionEndExcluding": "1.2.11"}, {"criteria": "cpe:2.3:a:objectcomputing:micronaut:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EE50BE0B-0114-430D-B00D-E5BD503BFD96", "versionEndExcluding": "1.3.2", "versionStartIncluding": "1.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "report@snyk.io"}