CVE-2020-7670

Name of the Vulnerable Software and Affected Versions agoo versions prior to 2.14.0

Description The issue allows request smuggling attacks when agoo is used as a backend and a frontend proxy is also vulnerable. This is due to incorrect parsing of Content-Length and Transfer Encoding headers, which can lead to HTTP pipelining issues and request smuggling attacks. It is possible to conduct HTTP request smuggling attacks where agoo is used as part of a chain of backend servers. Additionally, sending the Content-Length header twice or using invalid Transfer Encoding headers can be leveraged for TE:CL smuggling attacks.

Recommendations For agoo versions prior to 2.14.0, update to version 2.14.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of Content-Length and Transfer Encoding headers in the affected API endpoints until a patch is available. Avoid using the Content-Length header twice in requests to minimize the risk of exploitation.