Description

This web application is using a caching system. By manipulating specific unkeyed inputs (HTTP/2 pseudo-headers that are not included when generating the cache key) it was possible to force the caching system to cache a response that contains user-controlled input. This cached response can be later served to a victim resulting in various vulnerabilities.

Remediation

Key unkeyed HTTP/2 pseudo-headers

References

Practical Web Cache Poisoning

HTTP/2: The Sequel is Always Worse

Weird proxies/2 and a bit of magic

Related Vulnerabilities

Web server default welcome page

Spring Boot Misconfiguration: All Spring Boot Actuator endpoints are web exposed

Apache Tomcat version older than 7.0.23

JBoss BSHDeployer MBean

Apache solr service exposed

Severity

High

Classification

CWE-44 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Tags

Configuration