low

AWS API Gateway HTTP header smuggling

Published Wed, Nov 10th, 2021

Platforms

aws

Summary

A flaw in AWS API Gateway enabled hiding HTTP request headers. Tampering with HTTP requests visibility enabled bypassing IP restrictions, cache poisoning and request smuggling.

Affected Services

API Gateway

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://www.intruder.io/research/practical-http-header-smuggling

Contributed by https://github.com/a10ns

Entry Status

Finalized

Disclosure Date

Wed, Nov 10th, 2021

Exploitability Period

-

Known ITW Exploitation

-

Detection Methods

None

Piercing Index Rating

-

Discovered by

Daniel Thatcher, intruder

More vulnerabilities...

high

Cloud SQL vulnerabilities in Google's RDS offering

gcp

Multiple vulnerabilities were found in Google Cloud SQL, including config file injection leading to RCE, information disclosure in the Cloud SQL Auth Proxy, and a design issue in Postgres IAM authe...

Imre Rad
high

Azure NotLegit

azure

Azure App Service had an insecure default behavior that exposed the source code of customer applications written in PHP, Python, Ruby, or Node, that were deployed using “Local Git”.

Shir Tamari, Wiz
low

Dropped active Google Cloud Armor security policy

gcp

There is a known issue where updating a BackendConfig resource using the v1beta1 API removes an active Google Cloud Armor security policy from its service. If you do not configure Google Cloud Arm...

View all