PT-2020-3784 · Openresty+2

Published: 2020-04-12 · Updated: 2022-10-07 · CVE-2020-11724

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions: OpenResty versions prior to 1.15.8.4
Description: The issue is related to HTTP request smuggling in the ngx_http_lua_subrequest.c component of the OpenResty web server. This is due to inconsistent interpretation of HTTP requests. The vulnerability can be exploited by a remote attacker to impact data integrity. The ngx.location.capture API is affected.
Recommendations: For versions prior to 1.15.8.4, update to version 1.15.8.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the ngx_http_lua_subrequest.c component until a patch is available. Avoid using the ngx.location.capture API in affected versions until the issue is resolved.

Fix

HTTP Request/Response Smuggling

Weakness Enumeration

Related Identifiers

BDU:2020-04146
CVE-2020-11724
DLA-2283-1
DSA-4750-1
USN-5371-1
USN-5371-3

Affected Products

Linuxmint
Openresty
Ubuntu