Attacker Value
Very Low
(1 user assessed)
Exploitability
Unknown
(1 user assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
1

CVE-2020-12440

Disclosure Date: May 14, 2020
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

** DISPUTED ** NGINX through 1.18.0 allows an HTTP request smuggling attack that can lead to cache poisoning, credential hijacking, or security bypass. NOTE: many third parties dispute the validity of this finding because it represents normal “Connection: keep-alive” behavior.

Add Assessment

2
Ratings
  • Attacker Value
    Very Low
Technical Analysis

At the very least I’d debate the legitimacy of this exploit given reports like https://twitter.com/albinowax/status/1263068436298633216 and https://nvd.nist.gov/vuln/detail/CVE-2020-12440 which suggest this CVE was withdrawn due to it not actually being a valid bug. I’m not sure why this was exploited in the wild as well as I see no evidence of this having been the case minus a light PoC whose validity is disputed (again probably also why this CVE was later revoked as not a security vulnerability).

General Information

Exploited in the Wild

Reported by:
Reported: April 06, 2021 4:30pm UTC (2 weeks ago)

Additional Info

Technical Analysis