mongodb/mongo are vulnerable to HTTP Request Smuggling in the twisted.web.http module which makes non-conformant parsing and can lead to desync if requests pass through multiple HTTP parsers. Note: To be vulnerable, applications need to both use Twisted Web's HTTP server/proxy, along with some other HTTP server/proxy.
endOfLengthIndex = self._buffer.find(b";", 0, eolIndex) if endOfLengthIndex == -1: endOfLengthIndex = eolIndex try: length = int(self._buffer[0:endOfLengthIndex], 16) except ValueError: raise _MalformedChunkedDataError("Chunk-size must be an integer.") if length < 0: raise _MalformedChunkedDataError("Chunk-size must not be negative.") elif length == 0:
self.assertEqual( request.requestHeaders.getRawHeaders(b"spaces"), [b"spaces spaces spaces"], ) self.assertEqual( request.requestHeaders.getRawHeaders(b"tab"), [b"t \ta \tb"],
Impact
The specifics of the other HTTP parser matter. The original report notes that some versions of Apache Traffic Server and HAProxy have been vulnerable in the past. HTTP request smuggling may be a serious concern if you use a proxy to perform request validation or access control.
CVE-2022-24801
CWE-444
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H