7.5
CVSSv2

CVE-2021-39214

Published: 16/09/2021 Updated: 28/09/2021
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

mitmproxy is an interactive, SSL/TLS-capable intercepting proxy. In mitmproxy 7.0.2 and below, a malicious client or server is able to perform HTTP request smuggling attacks through mitmproxy. This means that a malicious client/server could smuggle a request/response through mitmproxy as part of another request/response's HTTP message body. While a smuggled request is still captured as part of another request's body, it does not appear in the request list and does not go through the usual mitmproxy event hooks, where users may have implemented custom access control checks or input sanitization. Unless one uses mitmproxy to protect an HTTP/1 service, no action is required. The vulnerability has been fixed in mitmproxy 7.0.3 and above.

Most Upvoted Vulmon Research Post

There is no Researcher post for this vulnerability
Would you like to share something about it? Sign up now to share your knowledge with the community.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

mitmproxy mitmproxy

Vendor Advisories

Debian Bug report logs - #994570 mitmproxy: CVE-2021-39214 Package: src:mitmproxy; Maintainer for src:mitmproxy is Debian Python Team <team+python@trackerdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Fri, 17 Sep 2021 20:03:02 UTC Severity: important Tags: security, upstream Found in versi ...
In mitmproxy 702 and below, a malicious client or server is able to perform HTTP request smuggling attacks through mitmproxy This means that a malicious client/server could smuggle a request/response through mitmproxy as part of another request/response's HTTP message body While a smuggled request is still captured as part of another request's ...

Github Repositories

CVE-2021-39214 Exploit mitmproxy is an interactive, SSL/TLS-capable intercepting proxy In mitmproxy 702 and below, a malicious client or server is able to perform HTTP request smuggling attacks through mitmproxy This means that a malicious client/server could smuggle a request/response through mitmproxy as part of another request/response's HTTP message body While a s