PT-2020-19776 · Unknown · Find-My-Way

Trygve_Lie

Published

2020-11-08

Updated

2020-11-16

CVE-2020-7764

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions find-my-way versions prior to 2.2.5 find-my-way versions 3.0.0 through 3.0.5

Description The issue affects the package find-my-way, which accepts the Accept-Version header by default. If versioned routes are not being used, this could lead to a denial of service. The Accept-Version header can be used as an unkeyed header in a cache poisoning attack.

Recommendations For versions prior to 2.2.5, update to version 2.2.5 or later. For versions 3.0.0 through 3.0.5, update to version 3.0.5 or later. As a temporary workaround, consider disabling the use of the Accept-Version header until a patch is available. Restrict access to the cache to minimize the risk of cache poisoning attacks.

Fix

HTTP Request/Response Smuggling

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-444

Related Identifiers

CVE-2020-7764

GHSA-JGRH-5M3H-9C5F

SNYK-JS-FINDMYWAY-1038269

Affected Products

Find-My-Way

PT-2020-19776 · Unknown · Find-My-Way

CVE-2020-7764

Weakness Enumeration

Related Identifiers

Affected Products

References · 8