Threats Tagged 'cwe-444'
CVE-2026-53538: CWE-436: Interpretation Conflict in Kludex python-multipart
A vulnerability in python-multipart prior to version 0.0.30 allows interpretation conflicts in parsing application/x-www-form-urlencoded bodies. The QuerystringParser treated the semicolon (;) as a field separator in addition to the ampersand (&), which is inconsistent with the WHATWG URL standard and modern browsers. This discrepancy can enable an attacker to smuggle extra form fields past upstream body inspection components. The issue is fixed in version 0.0.30.
CVE Database V5 | 06/22/2026, 16:56:32 UTC | Added: 06/22/2026, 17:39:38 UTC
CVE-2026-8646: CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in IBM WebSphere Application Server
IBM WebSphere Application Server 9.0 and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are vulnerable to HTTP request smuggling. A remote attacker could smuggle a specially crafted request to the application server thereby allowing the attacker to bypass security controls, spoof identity, escalate privilege, and expose sensitive information.
CVE Database V5 | 06/22/2026, 14:44:42 UTC | Added: 06/22/2026, 15:39:22 UTC
CVE-2026-6338: CWE-444 Inconsistent interpretation of HTTP requests ('HTTP Request/Response smuggling') in Kong Kong Enterprise Gateway
An HTTP request smuggling and desynchronization vulnerability affects Kong Gateway Enterprise 3.4, 3.10, 3.11, 3.12, 3.13, and 3.14 series. The vulnerability is caused by a parsing flaw in Kong’s HTTP request processing pipeline when handling untrusted HTTP/1.1 traffic.
CVE Database V5 | 06/11/2026, 13:47:01 UTC | Added: 06/11/2026, 14:15:15 UTC
CVE-2026-41853: CWE-444: Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling) in Spring Spring Framework
Spring Framework versions 5.3.0 through 5.3.48, 6.1.0 through 6.1.27, 6.2.0 through 6.2.18, and 7.0.0 through 7.0.7 are vulnerable to HTTP request smuggling attacks via multipart requests. This vulnerability is identified as CWE-444, involving inconsistent interpretation of HTTP requests. The CVSS score is 5.3, indicating a medium severity. No official patch or remediation guidance is currently provided by the vendor. There are no known exploits in the wild at this time.
CVE Database V5 | 06/09/2026, 03:51:44 UTC | Added: 06/09/2026, 04:48:50 UTC
Red Hat Security Advisory: Red Hat Ansible Automation Platform 2.7 Container Release Update
CVE-2026-48710
A critical security advisory has been issued for Red Hat Ansible Automation Platform 2.7 Container Release. The advisory addresses a vulnerability identified as CVE-2026-48710. Red Hat Ansible Automation Platform is an enterprise framework for IT automation, enabling teams to share and manage automation content. The advisory announces an update for version 2.7 but does not specify detailed technical information or fixes for the vulnerability. Users are advised to apply the update after ensuring all previous errata are applied.
GCVE Database | 06/03/2026, 19:56:00 UTC | Added: 06/06/2026, 21:13:34 UTC
CVE-2026-44546: CWE-444 (Inconsistent Interpretation of HTTP Requests -- "HTTP Request/Response Smuggling") in djangoproject daphne
daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, but autobahn decodes header values to str and calls splitlines(). An attacker can exploit this parser differential to inject additional headers into the ASGI scope passed to the application. daphne now rejects requests with these bytes in any header value with a 400 response.
CVE Database V5 | 06/03/2026, 13:17:55 UTC | Added: 06/03/2026, 14:18:43 UTC
CVE-2026-50052: CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in The Vinyl Cache Project Vinyl Cache
In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a deficiency in HTTP/2 request parsing can be exploited to launch a backend request desync attack (request smuggling), which in turn can be used for cache poisoning, authentication bypass, or possibly even information disclosure and manipulation. The attack vector only exists if HTTP/2 support is enabled by setting the feature parameter to contain +http2. HTTP/2 support is disabled by default.
CVE Database V5 | 06/03/2026, 03:56:01 UTC | Added: 06/03/2026, 05:33:37 UTC
CVE-2026-49753: CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in elixir-mint mint
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in elixir-mint Mint allows attacker-controlled HTTP/1 servers to desynchronise response framing on shared connections. Mint's HTTP/1 Content-Length parser, Mint.HTTP1.Parse.content_length_header/1 in lib/mint/http1/parse.ex, parses the header value with Integer.parse/1, which accepts an optional + or - sign prefix. The length >= 0 guard rejects negatives, but inputs such as +0 or +123 are returned as valid lengths. RFC 7230 specifies Content-Length = 1*DIGIT, with no sign character permitted. A fronting proxy or load balancer that strictly enforces the grammar will reject or reframe a header like Content-Length: +0, while Mint silently treats it as zero. When Mint reuses the socket (keep-alive, pipelining, or any pooled connection shared across requesters), the parser disagreement is a response-smuggling primitive: the proxy delimits the body one way, Mint another, and bytes from one response get attributed to the next. Where the same Mint connection is shared across trust boundaries, an attacker-controlled upstream can leak bytes into a different consumer's response stream. This issue affects mint: from 0.1.0 before 1.9.0.
CVE Database V5 | 06/02/2026, 14:15:17 UTC | Added: 06/02/2026, 15:49:02 UTC
cpp-httplib-devel-0.46.1-1.1 on GA media
CVE-2026-45372
Multiple security issues have been fixed in the cpp-httplib-devel-0.46.1-1.1 package on the GA media of openSUSE Tumbleweed. The vulnerabilities involve CWE-93 (Improper Neutralization of CRLF Sequences) and CWE-444 (Inconsistent Interpretation of HTTP Requests). The CVSS 3.1 vector indicates network attack vector, low attack complexity, no privileges or user interaction required, with a scope change and impacts including low confidentiality, high integrity, and low availability. No known exploits are reported in the wild. The package affects SUSE on aarch64 and ppc64le architectures. Patch or remediation status is not confirmed from the available data.
GCVE Database | 06/11/2026, 00:00:00 UTC | Added: 05/29/2026, 21:01:38 UTC
CVE-2026-47676: CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in honojs hono
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, app.mount() strips the mount prefix from the incoming request path using the raw URL pathname, while route matching is performed against the percent-decoded path. This inconsistency causes the prefix to be stripped at the wrong position when the path contains percent-encoded multi-byte characters, resulting in the mounted sub-application receiving an incorrect path. This vulnerability is fixed in 4.12.21.
CVE Database V5 | 05/28/2026, 15:26:01 UTC | Added: 05/28/2026, 16:48:48 UTC
Showing 1 to 10 of 13 results