CVE-2019-20372

{"id": "CVE-2019-20372", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2020-01-09T21:15:12.027", "references": [{"url": "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00013.html", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "http://nginx.org/en/CHANGES", "tags": ["Mitigation", "Release Notes", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://seclists.org/fulldisclosure/2021/Sep/36", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://bertjwregeer.keybase.pub/2019-12-10%20-%20error_page%20request%20smuggling.pdf", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://duo.com/docs/dng-notes#version-1.5.4-january-2020", "tags": ["Release Notes", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/kubernetes/ingress-nginx/pull/4859", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/nginx/nginx/commit/c1be55f97211d38b69ac0c2027e6812ab8b1b94e", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://security.netapp.com/advisory/ntap-20200127-0003/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://support.apple.com/kb/HT212818", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://usn.ubuntu.com/4235-1/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://usn.ubuntu.com/4235-2/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-444"}]}], "descriptions": [{"lang": "en", "value": "NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer."}, {"lang": "es", "value": "NGINX versiones anteriores a 1.17.7, con ciertas configuraciones de error_page, permite el trafico no autorizado de peticiones HTTP, como es demostrado por la capacidad de un atacante para leer p\u00e1ginas web no autorizadas en entornos donde NGINX est\u00e1 al frente de un equilibrador de carga."}], "lastModified": "2022-04-06T16:10:54.287", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4B1CA2FC-6A59-4EC9-8F86-BFA903DE28AE", "versionEndExcluding": "1.17.7"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apple:xcode:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BB279F6B-EE4C-4885-9CD4-657F6BD2548F", "versionEndExcluding": "13.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*", "vulnerable": true, "matchCriteriaId": "815D70A8-47D3-459C-A32C-9FEACA0659D1"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5C2089EE-5D7F-47EC-8EA5-0F69790564C4"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}