CVE-2020-7655: HTTP Request Smuggling in netius

CVSS Score (v3.1): 6.1

Basic Information

EPSS Score: 0.4692%
Published: 6/18/2021
Updated: 10/7/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name   Ecosystem   Vulnerable Versions   First Patched Version
netius         pip         < 1.17.58             1.17.58

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from improper header validation in the HTTP parser. The patch adds an RFC 7230-compliant regular expression (HEADER_NAME_REGEX) to validate header names and changes the order in which the validation steps are applied. The original code in _parse_headers only checked that key.strip() == key and value.strip(b" ") == value.strip(), i.e. that the header name carried no leading or trailing ASCII whitespace and that any whitespace around the value consisted of spaces only. That check does not reject header names containing other characters that are not valid RFC 7230 token characters, so a non-compliant name could be accepted by netius while being interpreted differently by another HTTP implementation in the same request path, which is the disagreement that request smuggling relies on. The function's responsibility for header parsing, together with the security-focused changes the patch makes to it, identifies it as the vulnerable code.
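As an added illustration (this is not netius code and not the project's HEADER_NAME_REGEX), the following Python contrasts a whitespace-only name check of the kind described above with an RFC 7230 token check, and runs both over a few constructed header names. TCHAR_RE, lax_name_ok, strict_name_ok, parse_headers, classify and the SAMPLES list are all names and data chosen for this example.

```python
import re

# RFC 7230 section 3.2.6: a header field name is a "token" = 1*tchar, where
# tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
#         "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
# Hypothetical pattern written for this example, not netius' own regex.
TCHAR_RE = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def lax_name_ok(key: bytes) -> bool:
    """Paraphrase of the pre-fix style of check: only leading or trailing
    ASCII whitespace on the name is rejected."""
    return key.strip() == key


def strict_name_ok(key: bytes) -> bool:
    """RFC 7230 token check: non-empty and every byte is a tchar."""
    return TCHAR_RE.fullmatch(key) is not None


def parse_headers(block: bytes, name_ok=strict_name_ok) -> dict:
    """Parse a CRLF-separated header block into {lower-cased name: value}.

    Raises ValueError for a line without a colon or a name that the chosen
    validator rejects. Optional whitespace around the value is tolerated,
    as RFC 7230 allows.
    """
    headers = {}
    for line in block.split(b"\r\n"):
        if not line:
            continue
        if b":" not in line:
            raise ValueError("header line without colon: %r" % line)
        key, value = line.split(b":", 1)
        if not name_ok(key):
            raise ValueError("rejected header name: %r" % key)
        headers[key.lower()] = value.strip(b" \t")
    return headers


def classify(names):
    """Return {name: (lax_accepts, strict_accepts)} for each candidate name."""
    return {n: (lax_name_ok(n), strict_name_ok(n)) for n in names}


# Constructed samples (not taken from the advisory). The interesting rows are
# the ones the lax check lets through but the token rule rejects.
SAMPLES = [
    b"Transfer-Encoding",       # valid token: both accept
    b" Transfer-Encoding",      # leading space: both reject
    b"Transfer Encoding",       # internal space is not stripped: lax accepts
    b"Transfer-Encoding\x00",   # NUL is not ASCII whitespace: lax accepts
    b"Transfer-Encoding\xff",   # non-ASCII byte: lax accepts
    b"Transfer-Encoding(1)",    # "(" and ")" are delimiters, not tchar
]

if __name__ == "__main__":
    for name, (lax, strict) in classify(SAMPLES).items():
        print(f"{name!r:28} lax={lax!s:5} strict={strict!s:5}")
```

Only the first sample survives the token rule; the lax rule accepts every name that merely lacks leading and trailing whitespace, which is why a second parser in the request path can see a different header set than this one does.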

Vulnerable functions

Only Miggo users can see this section.

WAF Protection Rules

WAF Rule

netius prior to 1.17.58 is vulnerable to HTTP Request Smuggling. HTTP pipelining issues and request smuggling attacks might be possible due to incorrect Transfer-Encoding header parsing, which could allow for CL:TE or TE:TE attacks.
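To make the CL:TE and TE:TE framing disagreement concrete, here is an added Python example that is not part of the advisory or of netius. It frames the same constructed request under three hypothetical framing rules (Content-Length only, chunked only when the Transfer-Encoding value is exactly "chunked", and a lenient rule that accepts any value containing "chunked") and reports which bytes each rule leaves behind in the connection buffer. The request bytes, the function names (split_head, read_chunked, frame_request, compare) and the three recogniser functions are all constructed for this example.

```python
from typing import Callable, Tuple

# Constructed request. Counted by Content-Length the body is exactly the 13
# bytes "0\r\n\r\nSMUGGLED"; decoded as chunked it ends at the zero-size chunk
# and "SMUGGLED" is left over as the start of the next request.
CL_TE_STREAM = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 13\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n"
    b"\r\n"
    b"SMUGGLED"
)

# Same request with an obfuscated Transfer-Encoding value: a parser that
# requires the literal token falls back to Content-Length, a lenient one
# decodes it as chunked.
TE_TE_STREAM = CL_TE_STREAM.replace(b": chunked", b": xchunked")


def split_head(stream: bytes):
    """Split off the request line and headers; return (request_line, headers, rest)."""
    head, _, rest = stream.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower()] = value.strip()
    return lines[0], headers, rest


def read_chunked(data: bytes) -> Tuple[bytes, bytes]:
    """Decode a chunked body (no trailers); return (decoded_body, leftover)."""
    body = b""
    pos = 0
    while True:
        line_end = data.index(b"\r\n", pos)
        size = int(data[pos:line_end].split(b";")[0], 16)  # ignore chunk extensions
        pos = line_end + 2
        if size == 0:
            if data[pos:pos + 2] != b"\r\n":
                raise ValueError("missing final CRLF after last chunk")
            return body, data[pos + 2:]
        body += data[pos:pos + size]
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        pos += 2


def frame_request(stream: bytes, te_is_chunked: Callable[[bytes], bool]) -> Tuple[bytes, bytes]:
    """Return (body, leftover) for one request under the caller's framing rule.

    te_is_chunked decides whether a Transfer-Encoding value counts as chunked.
    RFC 7230 section 3.3.3 says Transfer-Encoding overrides Content-Length and
    an unrecognised transfer coding must be answered with 400; the fallback to
    Content-Length below deliberately models a parser that does neither, which
    is the kind of behaviour that makes TE:TE work.
    """
    _, headers, rest = split_head(stream)
    te = headers.get(b"transfer-encoding")
    if te is not None and te_is_chunked(te):
        return read_chunked(rest)
    length = int(headers.get(b"content-length", b"0"))
    return rest[:length], rest[length:]


# Three hypothetical framing behaviours.
def ignores_te(value: bytes) -> bool:
    return False                          # honours Content-Length only

def exact_chunked(value: bytes) -> bool:
    return value == b"chunked"            # literal token only

def lenient_chunked(value: bytes) -> bool:
    return b"chunked" in value.lower()    # "xchunked", "Chunked", ... all count


def compare(stream: bytes, front: Callable[[bytes], bool], back: Callable[[bytes], bool]):
    """Frame the stream as a front-end and a back-end would; return
    (front_body, front_leftover, back_body, back_leftover)."""
    fb, fl = frame_request(stream, front)
    bb, bl = frame_request(stream, back)
    return fb, fl, bb, bl


if __name__ == "__main__":
    for label, stream, front, back in (
        ("CL:TE", CL_TE_STREAM, ignores_te, exact_chunked),
        ("TE:TE", TE_TE_STREAM, exact_chunked, lenient_chunked),
    ):
        fb, fl, bb, bl = compare(stream, front, back)
        print(f"{label}: front leftover={fl!r}  back leftover={bl!r}")
```

In both runs the front-end consumes the whole stream as one request while the back-end stops early and keeps "SMUGGLED" as the prefix of whatever request arrives next on the same connection, which is the desynchronisation the WAF rule above is written to catch.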
