git: e6fdd8b6c34b - main - security/vuxml: Add CVE-2022-24766 for www/mitmproxy

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Li-Wen Hsu <lwhsu_at_FreeBSD.org>
Date: Mon, 20 Jun 2022 14:10:13 UTC
The branch main has been updated by lwhsu:

URL: https://cgit.FreeBSD.org/ports/commit/?id=e6fdd8b6c34ba8a5b747cbbf35b252d934b75785

commit e6fdd8b6c34ba8a5b747cbbf35b252d934b75785
Author:     Hung-Yi Chen <gaod@hychen.org>
AuthorDate: 2022-06-20 14:07:06 +0000
Commit:     Li-Wen Hsu <lwhsu@FreeBSD.org>
CommitDate: 2022-06-20 14:09:26 +0000

    security/vuxml: Add CVE-2022-24766 for www/mitmproxy
    
    PR:             264782
---
 security/vuxml/vuln-2022.xml | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/security/vuxml/vuln-2022.xml b/security/vuxml/vuln-2022.xml
index 7d2f678350eb..869f4468d15b 100644
--- a/security/vuxml/vuln-2022.xml
+++ b/security/vuxml/vuln-2022.xml
@@ -1,3 +1,42 @@
+  <vuln vid="ad37a349-ebb7-11ec-b9f7-21427354249d">
+    <topic>mitmproxy -- Insufficient Protection against HTTP Request Smuggling</topic>
+    <affects>
+      <package>
+	<name>mitmproxy</name>
+	<range><lt>8.0.0</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Zeyu Zhang reports:</p>
+	<blockquote cite="https://github.com/mitmproxy/mitmproxy/commit/b06fb6d157087d526bd02e7aadbe37c56865c71b">
+	  <p>
+	    In mitmproxy 7.0.4 and below, a malicious client or server is able to
+	    perform HTTP request smuggling attacks through mitmproxy. This means
+	    that a malicious client/server could smuggle a request/response through
+	    mitmproxy as part of another request/response's HTTP message body. While
+	    mitmproxy would only see one request, the target server would see
+	    multiple requests. A smuggled request is still captured as part of
+	    another request's body, but it does not appear in the request list and
+	    does not go through the usual mitmproxy event hooks, where users may
+	    have implemented custom access control checks or input sanitization.
+	  </p>
+	  <p>
+	    Unless you use mitmproxy to protect an HTTP/1 service, no action is required.
+	  </p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2022-24766</cvename>
+      <url>https://github.com/mitmproxy/mitmproxy/commit/b06fb6d157087d526bd02e7aadbe37c56865c71b</url>
+    </references>
+    <dates>
+      <discovery>2022-03-21</discovery>
+      <entry>2022-06-20</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="5d1e4f6a-ee4f-11ec-86c2-485b3931c969">
     <topic>Tor - Unspecified high severity vulnerability</topic>
     <affects>