Attacker Value
Very Low
(1 user assessed)
Exploitability
Unknown
(1 user assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
1

CVE-2020-12440

Disclosure Date: May 14, 2020
CVE-2020-12440
Exploited in the Wild
Reported by vickiuu-ly
View Source Details
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

** DISPUTED ** NGINX through 1.18.0 allows an HTTP request smuggling attack that can lead to cache poisoning, credential hijacking, or security bypass. NOTE: many third parties dispute the validity of this finding because it represents normal “Connection: keep-alive” behavior.

Add Assessment

2
Ratings
  • Attacker Value
    Very Low
Technical Analysis

At the very least I’d debate the legitimacy of this exploit given reports like https://twitter.com/albinowax/status/1263068436298633216 and https://nvd.nist.gov/vuln/detail/CVE-2020-12440 which suggest this CVE was withdrawn due to it not actually being a valid bug. I’m not sure why this was exploited in the wild as well as I see no evidence of this having been the case minus a light PoC whose validity is disputed (again probably also why this CVE was later revoked as not a security vulnerability).

Log in to Add Reply

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Exploited in the Wild

Reported by:
Reported: April 06, 2021 4:30pm UTC (1 week ago)

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis