Description

This web application is using a caching system. By sending a GET request with a request body (a "fat" GET request) it was possible to force the caching system to cache a response that contains user-controlled input. This cached response can be later served to a victim resulting in various vulnerabilities.

Remediation

Reject GET requests with a request body ("fat" GET requests).

References

Web Cache Entanglement: Novel Pathways to Poisoning

Related Vulnerabilities

Apache REST RCE CVE-2018-11770

Web Cache Poisoning

IBM WebSphere administration console weak password

Laravel debug mode enabled

Node.js Inspector Unauthorized Access Vulnerability

Severity

High

Classification

CWE-44 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Tags

Configuration