CVE-2020-7611

All versions of io.micronaut:micronaut-http-client before 1.2.11 and all versions from 1.3.0 before 1.3.2 are vulnerable to HTTP Request Header Injection due to not validating request headers passed to the client.

CVSS v3.0 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-694p-xrhg-x3wm	Exploit Patch Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-IOMICRONAUT-561342	Exploit Third Party Advisory
https://github.com/micronaut-projects/micronaut-core/commit/9d1eff5c8df1d6cda1fe00ef046729b2a6abe7f1	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:objectcomputing:micronaut::::::::
	cpe:2.3:a:objectcomputing:micronaut::::::::

Information

Published : 2020-03-30 15:15

Updated : 2020-04-02 07:37

NVD link : CVE-2020-7611

Mitre link : CVE-2020-7611

JSON object : View

CWE

CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

Products Affected

objectcomputing

micronaut

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-694p-xrhg-x3wm", "name": "https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-694p-xrhg-x3wm", "tags": ["Exploit", "Patch", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://snyk.io/vuln/SNYK-JAVA-IOMICRONAUT-561342", "name": "https://snyk.io/vuln/SNYK-JAVA-IOMICRONAUT-561342", "tags": ["Exploit", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://github.com/micronaut-projects/micronaut-core/commit/9d1eff5c8df1d6cda1fe00ef046729b2a6abe7f1", "name": "https://github.com/micronaut-projects/micronaut-core/commit/9d1eff5c8df1d6cda1fe00ef046729b2a6abe7f1", "tags": ["Patch"], "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "All versions of io.micronaut:micronaut-http-client before 1.2.11 and all versions from 1.3.0 before 1.3.2 are vulnerable to HTTP Request Header Injection due to not validating request headers passed to the client."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-444"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2020-7611", "ASSIGNER": "report@snyk.io"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "HIGH", "acInsufInfo": false, "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}}, "publishedDate": "2020-03-30T22:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:objectcomputing:micronaut:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "1.2.11"}, {"cpe23Uri": "cpe:2.3:a:objectcomputing:micronaut:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "1.3.2", "versionStartIncluding": "1.3.0"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2020-04-02T14:37Z"}

9.8 /10