CVE-2020-11724 (status: PUBLISHED)
An issue was discovered in OpenResty before 1.15.8.4. ngx_http_lua_subrequest.c allows HTTP request smuggling, as demonstrated by the ngx.location.capture API.
Risk Scores
EPSS Score: 2.47% (85.6th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:Pro:14.04:LTS | nginx | 1.4.6-1ubuntu3.3, 1.4.6-1ubuntu3, 1.4.6-1ubuntu3.1 |
| Ubuntu:18.04:LTS | nginx | 1.13.6-2ubuntu1, 1.14.0-0ubuntu1.6, 1.14.0-0ubuntu1.9 |
| Ubuntu:Pro:16.04:LTS | nginx | 1.9.10-1ubuntu1, 1.9.15-0ubuntu1, 1.10.0-0ubuntu0.16.04.1 |
| Ubuntu:20.04:LTS | nginx | 1.18.0-0ubuntu1.2, 1.17.9-0ubuntu1, 1.17.7-0ubuntu1 |
Exploit Intelligence
- https://github.com/openresty/openresty/blob/4e8b4c395f842a078e429c80dd063b2323999957/patches/ngx_http_lua-0.10.15-fix_location_capture_content_length_chunked.patch (circl)
- https://github.com/openresty/lua-nginx-module/commit/9ab38e8ee35fc08a57636b1b6190dca70b0076fa (circl)
- [debian-lts-announce] 20200720 [SECURITY] [DLA 2283-1] nginx security update (circl)
- DSA-4750 (circl)
- https://security.netapp.com/advisory/ntap-20210129-0002/ (circl)
Timeline
- Apr 12, 2020 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Nov 6, 2022 EPSS Score
- Jan 8, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2020-11724 third-party-advisory
- https://github.com/openresty/openresty/blob/4e8b4c395f842a078e429c80dd063b2323999957/patches/ngx_http_lua-0.10.15-fix_location_capture_content_length_chunked.patch third-party-advisory
- https://ubuntu.com/security/notices/USN-5371-1 vendor-advisory
- https://ubuntu.com/security/notices/USN-5371-3 vendor-advisory
- https://www.cve.org/CVERecord?id=CVE-2020-11724 third-party-advisory