Vulnerability Details CVE-2020-11724
An issue was discovered in OpenResty before 1.15.8.4. ngx_http_lua_subrequest.c allows HTTP request smuggling, as demonstrated by the ngx.location.capture API.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.01
EPSS Ranking 75.2%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
References
- https://github.com/openresty/lua-nginx-module/commit/9ab38e8ee35fc08a57636b1b6190dca70b0076fa
- https://github.com/openresty/openresty/blob/4e8b4c395f842a078e429c80dd063b2323999957/patches/ngx_http_lua-0.10.15-fix_location_capture_content_length_chunked.patch
- https://lists.debian.org/debian-lts-announce/2020/07/msg00014.html
- https://security.netapp.com/advisory/ntap-20210129-0002/
- https://www.debian.org/security/2020/dsa-4750
- https://github.com/openresty/lua-nginx-module/commit/9ab38e8ee35fc08a57636b1b6190dca70b0076fa
- https://github.com/openresty/openresty/blob/4e8b4c395f842a078e429c80dd063b2323999957/patches/ngx_http_lua-0.10.15-fix_location_capture_content_length_chunked.patch
- https://lists.debian.org/debian-lts-announce/2020/07/msg00014.html
- https://security.netapp.com/advisory/ntap-20210129-0002/
- https://www.debian.org/security/2020/dsa-4750
Products affected by CVE-2020-11724
-
cpe:2.3:a:openresty:openresty:0.8.54.3
-
cpe:2.3:a:openresty:openresty:0.8.54.4
-
cpe:2.3:a:openresty:openresty:0.8.54.5
-
cpe:2.3:a:openresty:openresty:0.8.54.6
-
cpe:2.3:a:openresty:openresty:0.8.54.8
-
cpe:2.3:a:openresty:openresty:0.8.54.9
-
cpe:2.3:a:openresty:openresty:1.0.10.1
-
cpe:2.3:a:openresty:openresty:1.0.10.11
-
cpe:2.3:a:openresty:openresty:1.0.10.13
-
cpe:2.3:a:openresty:openresty:1.0.10.15
-
cpe:2.3:a:openresty:openresty:1.0.10.17
-
cpe:2.3:a:openresty:openresty:1.0.10.19
-
cpe:2.3:a:openresty:openresty:1.0.10.21
-
cpe:2.3:a:openresty:openresty:1.0.10.23
-
cpe:2.3:a:openresty:openresty:1.0.10.24
-
cpe:2.3:a:openresty:openresty:1.0.10.25
-
cpe:2.3:a:openresty:openresty:1.0.10.27
-
cpe:2.3:a:openresty:openresty:1.0.10.29
-
cpe:2.3:a:openresty:openresty:1.0.10.3
-
cpe:2.3:a:openresty:openresty:1.0.10.31
-
cpe:2.3:a:openresty:openresty:1.0.10.33
-
cpe:2.3:a:openresty:openresty:1.0.10.35
-
cpe:2.3:a:openresty:openresty:1.0.10.41
-
cpe:2.3:a:openresty:openresty:1.0.10.43
-
cpe:2.3:a:openresty:openresty:1.0.10.44
-
cpe:2.3:a:openresty:openresty:1.0.10.45
-
cpe:2.3:a:openresty:openresty:1.0.10.47
-
cpe:2.3:a:openresty:openresty:1.0.10.48
-
cpe:2.3:a:openresty:openresty:1.0.10.5
-
cpe:2.3:a:openresty:openresty:1.0.10.7
-
cpe:2.3:a:openresty:openresty:1.0.10.9
-
cpe:2.3:a:openresty:openresty:1.0.11.11
-
cpe:2.3:a:openresty:openresty:1.0.11.15
-
cpe:2.3:a:openresty:openresty:1.0.11.17
-
cpe:2.3:a:openresty:openresty:1.0.11.19
-
cpe:2.3:a:openresty:openresty:1.0.11.21
-
cpe:2.3:a:openresty:openresty:1.0.11.23
-
cpe:2.3:a:openresty:openresty:1.0.11.25
-
cpe:2.3:a:openresty:openresty:1.0.11.27
-
cpe:2.3:a:openresty:openresty:1.0.11.28
-
cpe:2.3:a:openresty:openresty:1.0.11.3
-
cpe:2.3:a:openresty:openresty:1.0.11.7
-
cpe:2.3:a:openresty:openresty:1.0.11.9
-
cpe:2.3:a:openresty:openresty:1.0.15.1
-
cpe:2.3:a:openresty:openresty:1.0.15.10
-
cpe:2.3:a:openresty:openresty:1.0.15.11
-
cpe:2.3:a:openresty:openresty:1.0.15.3
-
cpe:2.3:a:openresty:openresty:1.0.15.5
-
cpe:2.3:a:openresty:openresty:1.0.15.7
-
cpe:2.3:a:openresty:openresty:1.0.15.9
-
cpe:2.3:a:openresty:openresty:1.0.4.0
-
cpe:2.3:a:openresty:openresty:1.0.4.1
-
cpe:2.3:a:openresty:openresty:1.0.4.2
-
cpe:2.3:a:openresty:openresty:1.0.5.0
-
cpe:2.3:a:openresty:openresty:1.0.5.1
-
cpe:2.3:a:openresty:openresty:1.0.6.22
-
cpe:2.3:a:openresty:openresty:1.0.6.3
-
cpe:2.3:a:openresty:openresty:1.0.6.5
-
cpe:2.3:a:openresty:openresty:1.0.8.1
-
cpe:2.3:a:openresty:openresty:1.0.8.11
-
cpe:2.3:a:openresty:openresty:1.0.8.13
-
cpe:2.3:a:openresty:openresty:1.0.8.15
-
cpe:2.3:a:openresty:openresty:1.0.8.17
-
cpe:2.3:a:openresty:openresty:1.0.8.19
-
cpe:2.3:a:openresty:openresty:1.0.8.21
-
cpe:2.3:a:openresty:openresty:1.0.8.26
-
cpe:2.3:a:openresty:openresty:1.0.8.3
-
cpe:2.3:a:openresty:openresty:1.0.8.5
-
cpe:2.3:a:openresty:openresty:1.0.8.7
-
cpe:2.3:a:openresty:openresty:1.0.8.9
-
cpe:2.3:a:openresty:openresty:1.0.9.1
-
cpe:2.3:a:openresty:openresty:1.0.9.10
-
cpe:2.3:a:openresty:openresty:1.0.9.3
-
cpe:2.3:a:openresty:openresty:1.0.9.5
-
cpe:2.3:a:openresty:openresty:1.0.9.7
-
cpe:2.3:a:openresty:openresty:1.0.9.9
-
cpe:2.3:a:openresty:openresty:1.1.12.3
-
cpe:2.3:a:openresty:openresty:1.1.12.4
-
cpe:2.3:a:openresty:openresty:1.1.12.5
-
cpe:2.3:a:openresty:openresty:1.1.13.1
-
cpe:2.3:a:openresty:openresty:1.11.2.1
-
cpe:2.3:a:openresty:openresty:1.11.2.2
-
cpe:2.3:a:openresty:openresty:1.11.2.3
-
cpe:2.3:a:openresty:openresty:1.11.2.4
-
cpe:2.3:a:openresty:openresty:1.11.2.5
-
cpe:2.3:a:openresty:openresty:1.13.6.1
-
cpe:2.3:a:openresty:openresty:1.13.6.2
-
cpe:2.3:a:openresty:openresty:1.15.8.1
-
cpe:2.3:a:openresty:openresty:1.15.8.2
-
cpe:2.3:a:openresty:openresty:1.15.8.3
-
cpe:2.3:a:openresty:openresty:1.2.1.1
-
cpe:2.3:a:openresty:openresty:1.2.1.11
-
cpe:2.3:a:openresty:openresty:1.2.1.13
-
cpe:2.3:a:openresty:openresty:1.2.1.14
-
cpe:2.3:a:openresty:openresty:1.2.1.3
-
cpe:2.3:a:openresty:openresty:1.2.1.5
-
cpe:2.3:a:openresty:openresty:1.2.1.7
-
cpe:2.3:a:openresty:openresty:1.2.1.9
-
cpe:2.3:a:openresty:openresty:1.2.3.1
-
cpe:2.3:a:openresty:openresty:1.2.3.3
-
cpe:2.3:a:openresty:openresty:1.2.3.5
-
cpe:2.3:a:openresty:openresty:1.2.3.7
-
cpe:2.3:a:openresty:openresty:1.2.3.8
-
cpe:2.3:a:openresty:openresty:1.2.4.1
-
cpe:2.3:a:openresty:openresty:1.2.4.11
-
cpe:2.3:a:openresty:openresty:1.2.4.13
-
cpe:2.3:a:openresty:openresty:1.2.4.14
-
cpe:2.3:a:openresty:openresty:1.2.4.3
-
cpe:2.3:a:openresty:openresty:1.2.4.5
-
cpe:2.3:a:openresty:openresty:1.2.4.7
-
cpe:2.3:a:openresty:openresty:1.2.4.9
-
cpe:2.3:a:openresty:openresty:1.2.6.1
-
cpe:2.3:a:openresty:openresty:1.2.6.3
-
cpe:2.3:a:openresty:openresty:1.2.6.5
-
cpe:2.3:a:openresty:openresty:1.2.6.6
-
cpe:2.3:a:openresty:openresty:1.2.7.1
-
cpe:2.3:a:openresty:openresty:1.2.7.3
-
cpe:2.3:a:openresty:openresty:1.2.7.5
-
cpe:2.3:a:openresty:openresty:1.2.7.6
-
cpe:2.3:a:openresty:openresty:1.2.7.8
-
cpe:2.3:a:openresty:openresty:1.2.8.1
-
cpe:2.3:a:openresty:openresty:1.2.8.3
-
cpe:2.3:a:openresty:openresty:1.2.8.5
-
cpe:2.3:a:openresty:openresty:1.2.8.6
-
cpe:2.3:a:openresty:openresty:1.4.1.1
-
cpe:2.3:a:openresty:openresty:1.4.1.3
-
cpe:2.3:a:openresty:openresty:1.4.2.1
-
cpe:2.3:a:openresty:openresty:1.4.2.3
-
cpe:2.3:a:openresty:openresty:1.4.2.5
-
cpe:2.3:a:openresty:openresty:1.4.2.7
-
cpe:2.3:a:openresty:openresty:1.4.2.8
-
cpe:2.3:a:openresty:openresty:1.4.2.9
-
cpe:2.3:a:openresty:openresty:1.4.3.1
-
cpe:2.3:a:openresty:openresty:1.4.3.3
-
cpe:2.3:a:openresty:openresty:1.4.3.4
-
cpe:2.3:a:openresty:openresty:1.4.3.6
-
cpe:2.3:a:openresty:openresty:1.4.3.7
-
cpe:2.3:a:openresty:openresty:1.4.3.9
-
cpe:2.3:a:openresty:openresty:1.5.11.1
-
cpe:2.3:a:openresty:openresty:1.5.12.1
-
cpe:2.3:a:openresty:openresty:1.5.8.1
-
cpe:2.3:a:openresty:openresty:1.7.0.1
-
cpe:2.3:a:openresty:openresty:1.7.10.1
-
cpe:2.3:a:openresty:openresty:1.7.10.2
-
cpe:2.3:a:openresty:openresty:1.7.2.1
-
cpe:2.3:a:openresty:openresty:1.7.4.1
-
cpe:2.3:a:openresty:openresty:1.7.7.1
-
cpe:2.3:a:openresty:openresty:1.7.7.2
-
cpe:2.3:a:openresty:openresty:1.9.15.1
-
cpe:2.3:a:openresty:openresty:1.9.3.1
-
cpe:2.3:a:openresty:openresty:1.9.3.2
-
cpe:2.3:a:openresty:openresty:1.9.7.1
-
cpe:2.3:a:openresty:openresty:1.9.7.2
-
cpe:2.3:a:openresty:openresty:1.9.7.3
-
cpe:2.3:a:openresty:openresty:1.9.7.4
-
cpe:2.3:a:openresty:openresty:1.9.7.5
-
cpe:2.3:o:debian:debian_linux:10.0
-
cpe:2.3:o:debian:debian_linux:9.0