pysec - pysec-2022-170

pysec-2022-170

Vulnerability from pysec

Published

2022-03-21 19:15

Modified

2022-03-29 18:37

Details

mitmproxy is an interactive, SSL/TLS-capable intercepting proxy. In mitmproxy 7.0.4 and below, a malicious client or server is able to perform HTTP request smuggling attacks through mitmproxy. This means that a malicious client/server could smuggle a request/response through mitmproxy as part of another request/response's HTTP message body. While mitmproxy would only see one request, the target server would see multiple requests. A smuggled request is still captured as part of another request's body, but it does not appear in the request list and does not go through the usual mitmproxy event hooks, where users may have implemented custom access control checks or input sanitization. Unless mitmproxy is used to protect an HTTP/1 service, no action is required. The vulnerability has been fixed in mitmproxy 8.0.0 and above. There are currently no known workarounds.

Impacted products

Name	purl
mitmproxy	pkg:pypi/mitmproxy

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "mitmproxy",
        "purl": "pkg:pypi/mitmproxy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "b06fb6d157087d526bd02e7aadbe37c56865c71b"
            }
          ],
          "repo": "https://github.com/mitmproxy/mitmproxy",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.10",
        "0.10.1",
        "0.11",
        "0.11.1",
        "0.11.2",
        "0.11.3",
        "0.12.0",
        "0.12.1",
        "0.13",
        "0.14.0",
        "0.15",
        "0.16",
        "0.17",
        "0.18.1",
        "0.18.2",
        "0.18.3",
        "0.8",
        "0.8.1",
        "0.9",
        "0.9.1",
        "0.9.2",
        "1.0.0",
        "1.0.1",
        "1.0.2",
        "2.0.0",
        "2.0.1",
        "2.0.2",
        "3.0.0",
        "3.0.1",
        "3.0.2",
        "3.0.3",
        "3.0.4",
        "4.0.0",
        "4.0.1",
        "4.0.3",
        "4.0.4",
        "5.0.0",
        "5.0.1",
        "5.1.0",
        "5.1.1",
        "5.2",
        "5.3.0",
        "6.0.0",
        "6.0.1",
        "6.0.2",
        "7.0.0",
        "7.0.1",
        "7.0.2",
        "7.0.3",
        "7.0.4"
      ]
    }
  ],
  "aliases": [
    "CVE-2022-24766",
    "GHSA-gcx2-gvj7-pxv3"
  ],
  "details": "mitmproxy is an interactive, SSL/TLS-capable intercepting proxy. In mitmproxy 7.0.4 and below, a malicious client or server is able to perform HTTP request smuggling attacks through mitmproxy. This means that a malicious client/server could smuggle a request/response through mitmproxy as part of another request/response\u0027s HTTP message body. While mitmproxy would only see one request, the target server would see multiple requests. A smuggled request is still captured as part of another request\u0027s body, but it does not appear in the request list and does not go through the usual mitmproxy event hooks, where users may have implemented custom access control checks or input sanitization. Unless mitmproxy is used to protect an HTTP/1 service, no action is required. The vulnerability has been fixed in mitmproxy 8.0.0 and above. There are currently no known workarounds.",
  "id": "PYSEC-2022-170",
  "modified": "2022-03-29T18:37:43.309818Z",
  "published": "2022-03-21T19:15:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://mitmproxy.org/posts/releases/mitmproxy8/"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/mitmproxy/mitmproxy/security/advisories/GHSA-gcx2-gvj7-pxv3"
    },
    {
      "type": "FIX",
      "url": "https://github.com/mitmproxy/mitmproxy/commit/b06fb6d157087d526bd02e7aadbe37c56865c71b"
    }
  ]
}

ghsa-gcx2-gvj7-pxv3

Vulnerability from github

Published

2022-03-22 19:22

Modified

2024-10-01 19:30

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.3 (Critical) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Summary

Insufficient Protection against HTTP Request Smuggling in mitmproxy

Details

Impact

In mitmproxy 7.0.4 and below, a malicious client or server is able to perform HTTP request smuggling attacks through mitmproxy. This means that a malicious client/server could smuggle a request/response through mitmproxy as part of another request/response's HTTP message body. While mitmproxy would only see one request, the target server would see multiple requests. A smuggled request is still captured as part of another request's body, but it does not appear in the request list and does not go through the usual mitmproxy event hooks, where users may have implemented custom access control checks or input sanitization.

Unless you use mitmproxy to protect an HTTP/1 service, no action is required.

Patches

The vulnerability has been fixed in mitmproxy 8.0.0 and above.

Acknowledgements

We thank Zeyu Zhang (@zeyu2001) for responsibly disclosing this vulnerability to the mitmproxy team.

Timeline

2022-03-15: Received initial report.
2022-03-15: Verified report and confirmed receipt.
2022-03-16: Shared patch with researcher.
2022-03-16: Received confirmation that patch is working.
2022-03-19: Published patched release and advisory.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "mitmproxy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-24766"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-22T19:22:59Z",
    "nvd_published_at": "2022-03-21T19:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nIn mitmproxy 7.0.4 and below, a malicious client or server is able to perform [HTTP request smuggling](https://en.wikipedia.org/wiki/HTTP_request_smuggling) attacks through mitmproxy. This means that a malicious client/server could smuggle a request/response through mitmproxy as part of another request/response\u0027s HTTP message body. While mitmproxy would only see one request, the target server would see multiple requests. A smuggled request is still captured as part of another request\u0027s body, but it does not appear in the request list and does not go through the usual mitmproxy event hooks, where users may have implemented custom access control checks or input sanitization.\n\nUnless you use mitmproxy to protect an HTTP/1 service, no action is required.\n\n\n### Patches\n\nThe vulnerability has been fixed in mitmproxy 8.0.0 and above.\n\n\n### Acknowledgements\n\nWe thank Zeyu Zhang (@zeyu2001) for responsibly disclosing this vulnerability to the mitmproxy team.\n\n\n### Timeline\n\n- **2022-03-15**: Received initial report.\n- **2022-03-15**: Verified report and confirmed receipt.\n- **2022-03-16**: Shared patch with researcher.\n- **2022-03-16**: Received confirmation that patch is working.\n- **2022-03-19**: Published patched release and advisory.",
  "id": "GHSA-gcx2-gvj7-pxv3",
  "modified": "2024-10-01T19:30:26Z",
  "published": "2022-03-22T19:22:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mitmproxy/mitmproxy/security/advisories/GHSA-gcx2-gvj7-pxv3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24766"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mitmproxy/mitmproxy/commit/b06fb6d157087d526bd02e7aadbe37c56865c71b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mitmproxy/mitmproxy"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/mitmproxy/PYSEC-2022-170.yaml"
    },
    {
      "type": "WEB",
      "url": "https://mitmproxy.org/posts/releases/mitmproxy8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Insufficient Protection against HTTP Request Smuggling in mitmproxy"
}

CVE-2022-24766 (GCVE-0-2022-24766)

Vulnerability from cvelistv5

Published

2022-03-21 18:50

Modified

2025-04-23 18:45

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

Summary

References

►

URL

Tags

	https://github.com/mitmproxy/mitmproxy/security/advisories/GHSA-gcx2-gvj7-pxv3	x_refsource_CONFIRM
	https://github.com/mitmproxy/mitmproxy/commit/b06fb6d157087d526bd02e7aadbe37c56865c71b	x_refsource_MISC
	https://mitmproxy.org/posts/releases/mitmproxy8/	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	mitmproxy	mitmproxy	Version: <= 7.0.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T04:20:50.240Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/mitmproxy/mitmproxy/security/advisories/GHSA-gcx2-gvj7-pxv3"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mitmproxy/mitmproxy/commit/b06fb6d157087d526bd02e7aadbe37c56865c71b"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://mitmproxy.org/posts/releases/mitmproxy8/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-24766",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T15:50:10.979850Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T18:45:30.363Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mitmproxy",
          "vendor": "mitmproxy",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 7.0.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "mitmproxy is an interactive, SSL/TLS-capable intercepting proxy. In mitmproxy 7.0.4 and below, a malicious client or server is able to perform HTTP request smuggling attacks through mitmproxy. This means that a malicious client/server could smuggle a request/response through mitmproxy as part of another request/response\u0027s HTTP message body. While mitmproxy would only see one request, the target server would see multiple requests. A smuggled request is still captured as part of another request\u0027s body, but it does not appear in the request list and does not go through the usual mitmproxy event hooks, where users may have implemented custom access control checks or input sanitization. Unless mitmproxy is used to protect an HTTP/1 service, no action is required. The vulnerability has been fixed in mitmproxy 8.0.0 and above. There are currently no known workarounds."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-444",
              "description": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-03-21T18:50:10.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/mitmproxy/mitmproxy/security/advisories/GHSA-gcx2-gvj7-pxv3"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mitmproxy/mitmproxy/commit/b06fb6d157087d526bd02e7aadbe37c56865c71b"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://mitmproxy.org/posts/releases/mitmproxy8/"
        }
      ],
      "source": {
        "advisory": "GHSA-gcx2-gvj7-pxv3",
        "discovery": "UNKNOWN"
      },
      "title": "Insufficient Protection against HTTP Request Smuggling in mitmproxy",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-24766",
          "STATE": "PUBLIC",
          "TITLE": "Insufficient Protection against HTTP Request Smuggling in mitmproxy"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "mitmproxy",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c= 7.0.4"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "mitmproxy"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "mitmproxy is an interactive, SSL/TLS-capable intercepting proxy. In mitmproxy 7.0.4 and below, a malicious client or server is able to perform HTTP request smuggling attacks through mitmproxy. This means that a malicious client/server could smuggle a request/response through mitmproxy as part of another request/response\u0027s HTTP message body. While mitmproxy would only see one request, the target server would see multiple requests. A smuggled request is still captured as part of another request\u0027s body, but it does not appear in the request list and does not go through the usual mitmproxy event hooks, where users may have implemented custom access control checks or input sanitization. Unless mitmproxy is used to protect an HTTP/1 service, no action is required. The vulnerability has been fixed in mitmproxy 8.0.0 and above. There are currently no known workarounds."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/mitmproxy/mitmproxy/security/advisories/GHSA-gcx2-gvj7-pxv3",
              "refsource": "CONFIRM",
              "url": "https://github.com/mitmproxy/mitmproxy/security/advisories/GHSA-gcx2-gvj7-pxv3"
            },
            {
              "name": "https://github.com/mitmproxy/mitmproxy/commit/b06fb6d157087d526bd02e7aadbe37c56865c71b",
              "refsource": "MISC",
              "url": "https://github.com/mitmproxy/mitmproxy/commit/b06fb6d157087d526bd02e7aadbe37c56865c71b"
            },
            {
              "name": "https://mitmproxy.org/posts/releases/mitmproxy8/",
              "refsource": "MISC",
              "url": "https://mitmproxy.org/posts/releases/mitmproxy8/"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-gcx2-gvj7-pxv3",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-24766",
    "datePublished": "2022-03-21T18:50:10.000Z",
    "dateReserved": "2022-02-10T00:00:00.000Z",
    "dateUpdated": "2025-04-23T18:45:30.363Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

pysec-2022-170

Vulnerability from pysec

ghsa-gcx2-gvj7-pxv3

Vulnerability from github

Impact

Patches

Acknowledgements

Timeline

CVE-2022-24766 (GCVE-0-2022-24766)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature