Main Vulnerability Database SB2020071517

SB2020071517 - HTTP Request Smuggling in Microsoft IIS Server

Published: July 15, 2020

Security Bulletin ID SB2020071517

Severity

Medium

Patch available

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Inconsistent interpretation of HTTP requests (CVE-ID: N/A)

The vulnerability allows a remote attacker to perform HTTP request smuggling attack.

The vulnerability exists due to the way that HTTP proxies (front-end) and web servers (back-end) that do not strictly adhere to RFC standards handle sequences of HTTP requests received from multiple sources. A remote attacker can send a specially crafted request to a targeted IIS Server, perform HTTP request smuggling attack and modify responses or retrieve information from another user's HTTP session.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200008