CVE-2020-7659 – reel

Package

Manager: gem
Name: reel
Vulnerable Version: >=0 <=0.6.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00095 pctl0.27419

Details

HTTP Request Smuggling in reel reel through 0.6.1 allows Request Smuggling attacks due to incorrect Content-Length and Transfer encoding header parsing. It is possible to conduct HTTP request smuggling attacks by sending the Content-Length header twice. Furthermore, invalid Transfer Encoding headers were found to be parsed as valid which could be leveraged for TECL smuggling attacks. Note, This project is deprecated, and is not maintained any more.

Metadata

Created: 2021-05-24T18:13:36Z
Modified: 2023-01-23T20:29:58Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-x3v4-pxvm-63j8/GHSA-x3v4-pxvm-63j8.json
CWE IDs: ["CWE-444"]
Alternative ID: GHSA-x3v4-pxvm-63j8
Finding: F110
Auto approve: 1