Your submission was sent successfully! Close

CVE-2020-11724

Published: 12 April 2020

An issue was discovered in OpenResty before 1.15.8.4. ngx_http_lua_subrequest.c allows HTTP request smuggling, as demonstrated by the ngx.location.capture API.

Notes

AuthorNote
mdeslaur
The lua module is included in the debian directory as it is not
part of the upstream nginx release.
It is included in the nginx-extras binary package in universe.
Priority

Medium

CVSS 3 base score: 7.5

Status

Package Release Status
nginx
Launchpad, Ubuntu, Debian
bionic
Released (1.14.0-0ubuntu1.10)
eoan Ignored
(reached end-of-life)
focal
Released (1.18.0-0ubuntu1.3)
groovy Not vulnerable
(1.18.0-6ubuntu2)
hirsute Not vulnerable
(1.18.0-6ubuntu2)
impish Not vulnerable
(1.18.0-6ubuntu2)
jammy Not vulnerable
(1.18.0-6ubuntu2)
kinetic Not vulnerable
(1.18.0-6ubuntu2)
precise Does not exist

trusty Needs triage

upstream
Released (1.18.0-5)
xenial
Released (1.10.3-0ubuntu0.16.04.5+esm4)
Binaries built from this source package are in Universe and so are supported by the community.