Attachment #234809 for bug #264782

View | Details | Raw Unified | Return to bug 264782
Collapse All | Expand All




  <vuln vid="ad37a349-ebb7-11ec-b9f7-21427354249d">
    <topic>mitmproxy -- Insufficient Protection against HTTP Request Smuggling</topic>
    <affects>
      <package>
        <name>mitmproxy</name>
        <range><lt>8.0.0</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Zeyu Zhang reports:</p>
        <blockquote cite="https://github.com/mitmproxy/mitmproxy/commit/b06fb6d157087d526bd02e7aadbe37c56865c71b">
          <p>
            In mitmproxy 7.0.4 and below, a malicious client or server is able to
            perform HTTP request smuggling attacks through mitmproxy. This means
            that a malicious client/server could smuggle a request/response through
            mitmproxy as part of another request/response's HTTP message body. While
            mitmproxy would only see one request, the target server would see
            multiple requests. A smuggled request is still captured as part of
            another request's body, but it does not appear in the request list and
            does not go through the usual mitmproxy event hooks, where users may
            have implemented custom access control checks or input sanitization.
          </p>
          <p>
            Unless you use mitmproxy to protect an HTTP/1 service, no action is required.
          </p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2022-24766</cvename>
      <url>https://github.com/mitmproxy/mitmproxy/commit/b06fb6d157087d526bd02e7aadbe37c56865c71b</url>
    </references>
    <dates>
      <discovery>2022-03-21</discovery>
      <entry>2022-06-14</entry>
    </dates>
  </vuln>

  <vuln vid="55cff5d2-e95c-11ec-ae20-001999f8d30b">
    <topic>XFCE -- Allows executing malicious .desktop files pointing to remote code</topic>
    <affects>

Return to bug 264782

Lines 1-3 Link Here

(-)b/security/vuxml/vuln-2022.xml (+39 lines)
		1	<vuln vid="ad37a349-ebb7-11ec-b9f7-21427354249d">
		2	<topic>mitmproxy -- Insufficient Protection against HTTP Request Smuggling</topic>
		3	<affects>
		4	<package>
		5	<name>mitmproxy</name>
		6	<range><lt>8.0.0</lt></range>
		7	</package>
		8	</affects>
		9	<description>
		10	<body xmlns="http://www.w3.org/1999/xhtml">
		11	<p>Zeyu Zhang reports:</p>
		12	<blockquote cite="https://github.com/mitmproxy/mitmproxy/commit/b06fb6d157087d526bd02e7aadbe37c56865c71b">
		13	<p>
		14	In mitmproxy 7.0.4 and below, a malicious client or server is able to
		15	perform HTTP request smuggling attacks through mitmproxy. This means
		16	that a malicious client/server could smuggle a request/response through
		17	mitmproxy as part of another request/response's HTTP message body. While
		18	mitmproxy would only see one request, the target server would see
		19	multiple requests. A smuggled request is still captured as part of
		20	another request's body, but it does not appear in the request list and
		21	does not go through the usual mitmproxy event hooks, where users may
		22	have implemented custom access control checks or input sanitization.
		23	</p>
		24	<p>
		25	Unless you use mitmproxy to protect an HTTP/1 service, no action is required.
		26	</p>
		27	</blockquote>
		28	</body>
		29	</description>
		30	<references>
		31	<cvename>CVE-2022-24766</cvename>
		32	<url>https://github.com/mitmproxy/mitmproxy/commit/b06fb6d157087d526bd02e7aadbe37c56865c71b</url>
		33	</references>
		34	<dates>
		35	<discovery>2022-03-21</discovery>
		36	<entry>2022-06-14</entry>
		37	</dates>
		38	</vuln>
		39
1	<vuln vid="55cff5d2-e95c-11ec-ae20-001999f8d30b">	40	<vuln vid="55cff5d2-e95c-11ec-ae20-001999f8d30b">
2	<topic>XFCE -- Allows executing malicious .desktop files pointing to remote code</topic>	41	<topic>XFCE -- Allows executing malicious .desktop files pointing to remote code</topic>
3	<affects>	42	<affects>