0006490: reject multiple Content-Length header fields for CVE-2005-2090

Viewing Issue Advanced Details [ Jump to Notes ]

[ View Simple ] [ Issue History ] [ Print ]

Category

Severity

Reproducibility

Date Submitted

Last Update

0006490

[Resin]

major

always

10-04-23 14:05

10-30-23 08:18

Reporter

nam

View Status

public

Assigned To

Priority

high

Resolution

open

Platform

Status

new

Projection

none

OS Version

ETA

none

Fixed in Version

Product Version

4.0.66

Product Build

Summary

0006490: reject multiple Content-Length header fields for CVE-2005-2090

Description

(rep by Mitsuo S.)

Resin is not rejecting requests that have:

1. multiple Content-Length headers
2. multiple Transfer-Encoding headers
3. Content-Length with Transfer-Encoding headers

As a result, an attacker can smuggle data through to the webapp or a downstream server. Tomcat fixed this issue by rejecting invalid requests outright. The newest HTTP spec tries to be more clear about which requests should be rejected.

Tomcat fixes: https://tomcat.apache.org/security-6.html [^]
CVE-2005-2090: https://nvd.nist.gov/vuln/detail/CVE-2005-2090 [^]

newest HTTP spec: https://www.rfc-editor.org/rfc/rfc9112#name-message-body-length [^]
older HTTP spec: https://www.rfc-editor.org/rfc/rfc7230#section-3.3.3 [^]

Steps To Reproduce

Additional Information

Relationships