How severe is CVE-2022-24766?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.8 out of 10.

What type of vulnerability is CVE-2022-24766?

This is classified as CWE-444, which is a common weakness in software security.

CVE-2022-24766 - CRITICAL Severity | CVSS 9.8

Vulnerability Description

mitmproxy is an interactive, SSL/TLS-capable intercepting proxy. In mitmproxy 7.0.4 and below, a malicious client or server is able to perform HTTP request smuggling attacks through mitmproxy. This means that a malicious client/server could smuggle a request/response through mitmproxy as part of another request/response's HTTP message body. While mitmproxy would only see one request, the target server would see multiple requests. A smuggled request is still captured as part of another request's body, but it does not appear in the request list and does not go through the usual mitmproxy event hooks, where users may have implemented custom access control checks or input sanitization. Unless mitmproxy is used to protect an HTTP/1 service, no action is required. The vulnerability has been fixed in mitmproxy 8.0.0 and above. There are currently no known workarounds.

Related Vulnerabilities

CVE-2015-5739

CRITICAL

CVSS:9.8(Critical)

The net/http library in net/textproto/reader.go in Go before 1.4.3 does not properly parse HTTP header keys, which allows remote attackers to conduct HTTP request smuggling attacks via a space instead...

CWE-4442015

CVE-2015-5740

CRITICAL

CVSS:9.8(Critical)

The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request with two Con...

CWE-4442015

CVE-2015-5741

CRITICAL

CVSS:9.8(Critical)

CWE-4442015

CVE-2016-10711

CRITICAL

CVSS:9.8(Critical)

Apsis Pound before 2.8a allows request smuggling via crafted headers, a different vulnerability than CVE-2005-3751.

CWE-4442016

CVE-2017-7657

CRITICAL

CVSS:9.8(Critical)

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk le...

CWE-4442017

CVE-2017-7658

CRITICAL

CVSS:9.8(Critical)

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the ...

CWE-4442017