Upstream information
Description
mitmproxy is an interactive, SSL/TLS-capable intercepting proxy. In mitmproxy 7.0.2 and below, a malicious client or server is able to perform HTTP request smuggling attacks through mitmproxy. This means that a malicious client/server could smuggle a request/response through mitmproxy as part of another request/response's HTTP message body. While a smuggled request is still captured as part of another request's body, it does not appear in the request list and does not go through the usual mitmproxy event hooks, where users may have implemented custom access control checks or input sanitization. Unless one uses mitmproxy to protect an HTTP/1 service, no action is required. The vulnerability has been fixed in mitmproxy 7.0.3 and above.
SUSE information
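Request smuggling, as the description above notes, hides one HTTP/1 message inside another's body, which only works when two parsers disagree on where that body ends. The following is an added defensive check, not mitmproxy's own code: it flags message heads whose body length is ambiguous (Transfer-Encoding together with Content-Length, conflicting or non-numeric lengths, a Transfer-Encoding that does not end in chunked) so a proxy or an event hook can refuse them before any body parsing happens. The sample head is constructed, and the header rules follow RFC 9112 section 6.3 as assumptions of this example.

```python
from __future__ import annotations
import re

CRLF = b"\r\n"
KNOWN_CODINGS = {"chunked", "gzip", "x-gzip", "deflate", "compress", "identity"}


def parse_head(raw: bytes) -> tuple[str, list[tuple[str, str]]]:
    """Split a raw HTTP/1 message into its start line and (name, value) headers.
    Names are lower-cased and stripped aggressively, so obfuscated variants such as
    'Transfer-Encoding : chunked' still count as present (conservative for a reject check).
    """
    head = raw.split(CRLF + CRLF, 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if line.strip():
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def framing_problems(raw: bytes) -> list[str]:
    """Return the reasons a message's body length is ambiguous (empty list = OK)."""
    _, headers = parse_head(raw)
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    problems = []
    # Two framing mechanisms at once: endpoints may disagree on where the body ends.
    if te and cl:
        problems.append("both Transfer-Encoding and Content-Length present")
    # Duplicate Content-Length headers are only tolerable when they all agree.
    if len(set(cl)) > 1:
        problems.append("conflicting Content-Length values")
    for v in cl:
        if not re.fullmatch(r"[0-9]+", v):
            problems.append(f"non-numeric Content-Length: {v!r}")
    if te:
        codings = [c.strip().lower() for c in ",".join(te).split(",") if c.strip()]
        # chunked must be the final coding; anything else leaves the length undefined.
        if codings[-1:] != ["chunked"]:
            problems.append("Transfer-Encoding does not end with chunked")
        if not set(codings) <= KNOWN_CODINGS:
            problems.append("unrecognised transfer coding")
    return problems


# Constructed sample (not captured traffic): a head carrying both framing headers.
AMBIGUOUS = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 6\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n")
```

A hook that calls `framing_problems()` on the raw head and rejects anything with a non-empty result sees the smuggled message only as a refused request, never as a silently attached body.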
Overall state of this security issue: Resolved
This issue is currently rated as having important severity.
National Vulnerability Database | |
---|---|
Base Score | 8.1 |
Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
Attack Vector | Network |
Attack Complexity | High |
Privileges Required | None |
User Interaction | None |
Scope | Unchanged |
Confidentiality Impact | High |
Integrity Impact | High |
Availability Impact | High |
CVSSv3 Version | 3.1 |
SUSE Security Advisories:
- openSUSE-SU-2023:0232-1, published Sun Aug 20 16:44:34 2023
- openSUSE-SU-2023:0233-1, published Sun Aug 20 16:44:34 2023
List of released packages
Product(s) | Fixed package version(s) | References |
---|---|---|
SUSE Package Hub 15 SP4 | | Patchnames: openSUSE-2023-232 |
SUSE Package Hub 15 SP5 | | Patchnames: openSUSE-2023-233 |
openSUSE Leap 15.4 | | Patchnames: openSUSE-2023-232 |
openSUSE Leap 15.5 | | Patchnames: openSUSE-2023-233 |
SUSE Timeline for this CVE
CVE page created: Thu Sep 16 22:00:45 2021
CVE page last modified: Sun Aug 20 17:53:47 2023