Description

When the reverse proxy allows arbitrary values in pseudo-headers and the web application uses values from the HTTP request to route that request, the result is an SSRF vulnerability. SSRF (Server-Side Request Forgery) is a vulnerability that allows an attacker to force a server into sending packets to the local interface or to another server behind the firewall. Consult Web References for more information about this problem.

Remediation

Properly sanitize the pseudo-headers of HTTP/2 requests.
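
One way to apply this remediation before routing, as an added example (not code from the original page or from any particular proxy): a Python check that refuses a request unless its pseudo-headers are well-formed and `:authority` is on an allowlist. The function name, the allowlisted host names and the policy of requiring all four request pseudo-headers are assumptions of this example.

```python
import re

# Assumption: the only authorities this proxy should ever route to (constructed names).
ALLOWED_AUTHORITIES = {"app.example.com", "app.example.com:443"}
ALLOWED_SCHEMES = {"http", "https"}
REQUEST_PSEUDO_HEADERS = {":method", ":scheme", ":authority", ":path"}

TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")   # HTTP method token characters
AUTHORITY = re.compile(r"[A-Za-z0-9.\-]+(:[0-9]{1,5})?")  # host[:port], no userinfo
PATH = re.compile(r"/[\x21-\x7e]*")  # origin-form only: no spaces, CR/LF or absolute URLs


def check_pseudo_headers(headers):
    """Return reasons to reject; an empty list means the request may be routed."""
    errors, seen = [], {}
    for name, value in headers:  # (name, value) pairs decoded from the HEADERS frame
        if not name.startswith(":"):
            continue
        if name not in REQUEST_PSEUDO_HEADERS:
            errors.append(f"unknown pseudo-header {name}")
        elif name in seen:
            errors.append(f"duplicate pseudo-header {name}")
        else:
            seen[name] = value
    for name in sorted(REQUEST_PSEUDO_HEADERS - set(seen)):
        errors.append(f"missing pseudo-header {name}")
    if errors:
        return errors

    if not TOKEN.fullmatch(seen[":method"]):
        errors.append("malformed :method")
    if seen[":scheme"] not in ALLOWED_SCHEMES:
        errors.append("unexpected :scheme")
    authority = seen[":authority"].lower()
    if not AUTHORITY.fullmatch(authority):
        errors.append("malformed :authority")
    elif authority not in ALLOWED_AUTHORITIES:
        errors.append("authority not in allowlist")
    if not PATH.fullmatch(seen[":path"]):
        errors.append("malformed :path")
    return errors


if __name__ == "__main__":
    # Constructed sample request whose :authority is not one the proxy serves.
    sample = [(":method", "GET"), (":scheme", "https"),
              (":authority", "internal.example.net"), (":path", "/")]
    print(check_pseudo_headers(sample))
```

The routing layer should then build the upstream URL only from the validated values and an internal mapping keyed by the allowlisted authority, never by concatenating the raw pseudo-header strings.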

References
