Source: mitmproxy
Version: 6.0.2-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for mitmproxy.

CVE-2022-24766[0]:
| mitmproxy is an interactive, SSL/TLS-capable intercepting proxy. In
| mitmproxy 7.0.4 and below, a malicious client or server is able to
| perform HTTP request smuggling attacks through mitmproxy. This means
| that a malicious client/server could smuggle a request/response
| through mitmproxy as part of another request/response's HTTP message
| body. While mitmproxy would only see one request, the target server
| would see multiple requests. A smuggled request is still captured as
| part of another request's body, but it does not appear in the request
| list and does not go through the usual mitmproxy event hooks, where
| users may have implemented custom access control checks or input
| sanitization. Unless mitmproxy is used to protect an HTTP/1 service,
| no action is required. The vulnerability has been fixed in mitmproxy
| 8.0.0 and above. There are currently no known workarounds.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-24766
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24766
[1] https://github.com/mitmproxy/mitmproxy/security/advisories/GHSA-gcx2-gvj7-pxv3
[2] https://github.com/mitmproxy/mitmproxy/commit/b06fb6d157087d526bd02e7aadbe37c56865c71b

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
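Request smuggling of the kind described in the advisory works because two HTTP/1 parsers disagree about where one message's body ends and the next message begins. The following is an added example, not mitmproxy's code and not the referenced fix: a strict framing check of the sort a proxy can apply before forwarding, refusing any message whose body length is ambiguous rather than guessing; the sample messages are constructed.

```python
from typing import List, Optional, Tuple

Header = Tuple[str, str]


class AmbiguousFraming(ValueError):
    """Raised when the body length of an HTTP/1 message cannot be determined unambiguously."""


def parse_headers(raw: bytes) -> Tuple[bytes, List[Header]]:
    """Split a raw HTTP/1 head (up to the blank line) into the start line and header pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    headers: List[Header] = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):  # obsolete line folding: parsers disagree on it, refuse
            raise AmbiguousFraming("obsolete line folding is rejected")
        name, sep, value = line.partition(b":")
        if not sep or not name or name != name.strip():  # e.g. "Host : h" (space before colon)
            raise AmbiguousFraming(f"malformed header line: {line!r}")
        headers.append((name.decode("ascii").lower(), value.strip().decode("ascii")))
    return lines[0], headers


def body_framing(headers: List[Header]) -> Tuple[str, Optional[int]]:
    """Return ("chunked", None), ("content-length", n) or ("none", None); raise on ambiguity."""
    te = [v for k, v in headers if k == "transfer-encoding"]
    cl = [v for k, v in headers if k == "content-length"]
    if te and cl:  # the classic CL/TE disagreement: never pick one, refuse the message
        raise AmbiguousFraming("both Transfer-Encoding and Content-Length present")
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings != ["chunked"]:  # "xchunked", "chunked, identity" etc. are not forwarded
            raise AmbiguousFraming(f"unsupported Transfer-Encoding: {codings}")
        return "chunked", None
    if cl:
        if len(set(cl)) != 1 or not cl[0].isdigit():  # duplicates must agree and be plain digits
            raise AmbiguousFraming(f"conflicting or non-numeric Content-Length: {cl}")
        return "content-length", int(cl[0])
    return "none", None


def classify(raw: bytes) -> str:
    """Summarise how the message would be framed, or why a proxy must refuse it."""
    try:
        kind, n = body_framing(parse_headers(raw)[1])
    except (AmbiguousFraming, UnicodeDecodeError) as exc:
        return f"rejected: {exc}"
    return kind if n is None else f"{kind}:{n}"


if __name__ == "__main__":  # constructed sample: both length headers on one request
    print(classify(b"POST / HTTP/1.1\r\nHost: h\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n"))
```

Messages the check rejects are exactly those that a downstream HTTP/1 server might frame differently from the proxy, which is the precondition the advisory's smuggling scenario depends on.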