CVE-2020-11724
- Source
- https://cve.org/CVERecord?id=CVE-2020-11724
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-11724.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2020-11724
- Downstream
- Published
- 2020-04-12T21:15:10.317Z
- Modified
- 2026-02-09T04:15:04.175962Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- [none]
- Details
-
An issue was discovered in OpenResty before 1.15.8.4. ngxhttplua_subrequest.c allows HTTP request smuggling, as demonstrated by the ngx.location.capture API.
- References
-
- https://github.com/openresty/lua-nginx-module/commit/9ab38e8ee35fc08a57636b1b6190dca70b0076fa
- https://github.com/openresty/openresty/blob/4e8b4c395f842a078e429c80dd063b2323999957/patches/ngx_http_lua-0.10.15-fix_location_capture_content_length_chunked.patch
- https://lists.debian.org/debian-lts-announce/2020/07/msg00014.html
- https://security.netapp.com/advisory/ntap-20210129-0002/
- https://www.debian.org/security/2020/dsa-4750
- https://github.com/openresty/lua-nginx-module/commit/9ab38e8ee35fc08a57636b1b6190dca70b0076fa
- https://github.com/openresty/openresty/blob/4e8b4c395f842a078e429c80dd063b2323999957/patches/ngx_http_lua-0.10.15-fix_location_capture_content_length_chunked.patch
- https://lists.debian.org/debian-lts-announce/2020/07/msg00014.html
Affected packages
Git / github.com/openresty/lua-nginx-module
Affected ranges
- Type
- GIT
- Repo
- https://github.com/openresty/lua-nginx-module
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
v0.*
v0.0.1
v0.0.10
v0.0.11
v0.0.12
v0.0.13
v0.0.14
v0.0.14rc1
v0.0.14rc2
v0.0.15
v0.0.16
v0.0.17
v0.0.18rc1
v0.0.18rc2
v0.0.1rc1
v0.0.1rc2
v0.0.1rc3
v0.0.1rc4
v0.0.1rc5
v0.0.1rc6
v0.0.1rc7
v0.0.1rc8
v0.0.1rc9
v0.0.2
v0.0.3
v0.0.4rc1
v0.0.5
v0.0.6
v0.0.7
v0.0.8
v0.0.9
v0.1.0
v0.1.1
v0.1.2
v0.1.2rc1
v0.1.2rc2
v0.1.2rc3
v0.1.2rc4
v0.1.2rc5
v0.1.3
v0.1.3rc1
v0.1.3rc2
v0.1.4
v0.1.4rc1
v0.1.4rc2
v0.1.5
v0.1.5rc1
v0.1.5rc2
v0.1.5rc3
v0.1.5rc4
v0.1.5rc5
v0.1.5rc6
v0.1.6rc1
v0.1.6rc10
v0.1.6rc11
v0.1.6rc12
v0.1.6rc13
v0.1.6rc14
v0.1.6rc15
v0.1.6rc16
v0.1.6rc17
v0.1.6rc18
v0.1.6rc2
v0.1.6rc3
v0.1.6rc4
v0.1.6rc5
v0.1.6rc6
v0.1.6rc7
v0.1.6rc8
v0.1.6rc9
v0.10.0
v0.10.0rc0
v0.10.1
v0.10.10
v0.10.11
v0.10.11rc1
v0.10.11rc2
v0.10.11rc3
v0.10.12
v0.10.12rc1
v0.10.12rc2
v0.10.13
v0.10.13rc1
v0.10.14
v0.10.14rc1
v0.10.14rc2
v0.10.14rc3
v0.10.14rc4
v0.10.14rc5
v0.10.14rc6
v0.10.14rc7
v0.10.15
v0.10.15rc1
v0.10.16
v0.10.16rc1
v0.10.16rc2
v0.10.16rc3
v0.10.16rc4
v0.10.16rc5
v0.10.1rc0
v0.10.1rc1
v0.10.2
v0.10.3
v0.10.4
v0.10.4rc1
v0.10.5
v0.10.6
v0.10.6rc1
v0.10.6rc2
v0.10.7
v0.10.8
v0.10.9
v0.10.9rc1
v0.10.9rc2
v0.10.9rc3
v0.10.9rc4
v0.10.9rc5
v0.10.9rc6
v0.10.9rc7
v0.10.9rc8
v0.10.9rc9
v0.2.0
v0.2.1rc1
v0.2.1rc10
v0.2.1rc11
v0.2.1rc12
v0.2.1rc13
v0.2.1rc14
v0.2.1rc15
v0.2.1rc16
v0.2.1rc17
v0.2.1rc18
v0.2.1rc19
v0.2.1rc2
v0.2.1rc20
v0.2.1rc21
v0.2.1rc22
v0.2.1rc3
v0.2.1rc4
v0.2.1rc5
v0.2.1rc6
v0.2.1rc7
v0.2.1rc8
v0.2.1rc9
v0.3.0
v0.3.1rc1
v0.3.1rc10
v0.3.1rc11
v0.3.1rc12
v0.3.1rc13
v0.3.1rc14
v0.3.1rc15
v0.3.1rc16
v0.3.1rc17
v0.3.1rc18
v0.3.1rc19
v0.3.1rc2
v0.3.1rc20
v0.3.1rc21
v0.3.1rc22
v0.3.1rc23
v0.3.1rc24
v0.3.1rc25
v0.3.1rc26
v0.3.1rc27
v0.3.1rc28
v0.3.1rc29
v0.3.1rc3
v0.3.1rc30
v0.3.1rc31
v0.3.1rc32
v0.3.1rc33
v0.3.1rc34
v0.3.1rc35
v0.3.1rc36
v0.3.1rc37
v0.3.1rc38
v0.3.1rc39
v0.3.1rc4
v0.3.1rc40
v0.3.1rc41
v0.3.1rc42
v0.3.1rc43
v0.3.1rc44
v0.3.1rc45
v0.3.1rc5
v0.3.1rc6
v0.3.1rc7
v0.3.1rc8
v0.3.1rc9
v0.4.0
v0.4.1
v0.4.1rc1
v0.4.1rc2
v0.4.1rc3
v0.4.1rc4
v0.5.0rc1
v0.5.0rc10
v0.5.0rc11
v0.5.0rc12
v0.5.0rc13
v0.5.0rc14
v0.5.0rc15
v0.5.0rc16
v0.5.0rc17
v0.5.0rc18
v0.5.0rc19
v0.5.0rc2
v0.5.0rc20
v0.5.0rc21
v0.5.0rc22
v0.5.0rc23
v0.5.0rc24
v0.5.0rc25
v0.5.0rc26
v0.5.0rc27
v0.5.0rc28
v0.5.0rc29
v0.5.0rc3
v0.5.0rc30
v0.5.0rc31
v0.5.0rc32
v0.5.0rc4
v0.5.0rc5
v0.5.0rc6
v0.5.0rc7
v0.5.0rc8
v0.5.0rc9
v0.5.1
v0.5.10
v0.5.11
v0.5.12
v0.5.12rc1
v0.5.13
v0.5.14
v0.5.2
v0.5.3
v0.5.3rc1
v0.5.4
v0.5.5
v0.5.5rc1
v0.5.6
v0.5.7
v0.5.7rc1
v0.5.8
v0.5.8rc1
v0.5.9
v0.6.0
v0.6.1
v0.6.10
v0.6.2
v0.6.2rc1
v0.6.3
v0.6.4
v0.6.5
v0.6.5rc1
v0.6.6
v0.6.6rc1
v0.6.7
v0.6.7rc1
v0.6.8
v0.6.9
v0.7.0
v0.7.1
v0.7.10
v0.7.11
v0.7.12
v0.7.12rc1
v0.7.13
v0.7.14
v0.7.14rc1
v0.7.14rc2
v0.7.15
v0.7.16
v0.7.17
v0.7.18
v0.7.18rc1
v0.7.18rc2
v0.7.19
v0.7.1rc1
v0.7.2
v0.7.20
v0.7.21
v0.7.3
v0.7.4
v0.7.5
v0.7.5rc1
v0.7.6
v0.7.6rc1
v0.7.6rc2
v0.7.7
v0.7.8
v0.7.9
v0.8.0
v0.8.1
v0.8.10
v0.8.2
v0.8.2rc1
v0.8.3
v0.8.3rc1
v0.8.4
v0.8.5
v0.8.6
v0.8.7
v0.8.8
v0.8.9
v0.9.0
v0.9.1
v0.9.10
v0.9.11
v0.9.12
v0.9.12rc1
v0.9.12rc2
v0.9.13
v0.9.13rc1
v0.9.14
v0.9.15
v0.9.16
v0.9.16rc1
v0.9.16rc2
v0.9.16rc3
v0.9.17
v0.9.17rc1
v0.9.18
v0.9.18rc1
v0.9.19
v0.9.2
v0.9.20
v0.9.20rc1
v0.9.20rc2
v0.9.20rc3
v0.9.3
v0.9.4
v0.9.4rc1
v0.9.5
v0.9.5rc1
v0.9.5rc2
v0.9.6
v0.9.7
v0.9.8
v0.9.9
Database specific
source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-11724.json"
vanir_signatures
[
{
"target": {
"file": "src/ngx_http_lua_subrequest.c",
"function": "ngx_http_lua_copy_request_headers"
},
"digest": {
"length": 965.0,
"function_hash": "86927735679441240975995468392625669725"
},
"signature_type": "Function",
"id": "CVE-2020-11724-2584d210",
"source": "https://github.com/openresty/lua-nginx-module/commit/9ab38e8ee35fc08a57636b1b6190dca70b0076fa",
"deprecated": false,
"signature_version": "v1"
},
{
"target": {
"file": "src/ngx_http_lua_subrequest.c"
},
"digest": {
"line_hashes": [
"143388220417599303613636710304618160583",
"91911579302011245797391425099815418078",
"200661219260264381880582972505392014666",
"18828998145687431810666868741754314646",
"215715830609149961313070502516710707357",
"181476939826480814380618529080092595117",
"151380634378872332536002038963360798468",
"247582272062367623483649740920645132008",
"289487148293869068429783303169578304069",
"277930639320973821597090133646051554230",
"21253286291972002146197643216177685077",
"205930062700896450527415452365430790848",
"165170960723580183588964981709714106935",
"113870020055633683637363354344069290596",
"72210912451178663326780762648503732120",
"195912802370453445141038225986152705762",
"132786305588171205459677230015559759112",
"24040380626291667344571894975205798310",
"177760063218376038378324445272768418688",
"98339412584291598458931782899409427067",
"172410431971011503631767602727699743535",
"297506745381723537480839775304627383829",
"220615179427100346462524413141730912915",
"88602994399664380787555608902862984645",
"100563693443152069039387757974495235203",
"213774219063564170430393071531128309723",
"74135322096979232036740127511360744072",
"52226819049944322436748307163257162110",
"53847324254646961136477644319507366544",
"267795496737085577152188151502438970680",
"312922639008938438633598793705275717125",
"65562397068065390861601453570219018150",
"108368089474335243178985935358503056149",
"307361131415154166763585015800739852507",
"68817146467184365306085542146636565026",
"310346042789147654945389463534830853027",
"331764704572264282922102962221170677711",
"223425899267164207272633334624124109531",
"89384835672490749992422385688921034465",
"96731708687123922126115384614300680379",
"139134653700371333192500986168605777895",
"89603315633908718953269238105012880510",
"190050025755837022852047949723443878302",
"192535605347138542259627083801812301054",
"108587633537507210242609878158511307392",
"27930257622226583653653088216503280362",
"339708707432206192620777005138215212724",
"224201716826207298021165228631820237192",
"146264229417197666227508229646565873682",
"250142943116062732415380311089372424435",
"263479951153791258103625142740417108743",
"149396715948060510110675363877792973116",
"40506613743719577037594992374959610119",
"212441179444976576203452108477381267871",
"263853599645366145956131059232061615043",
"295082482477937602902378042664485081015",
"10815218387256646992248856277940969701",
"130432376389235473576152393724485675916",
"27059602803229563965188859932790307353",
"214201152945613592148003507563010428405",
"44026155896469562900172449017664310148",
"163050763879587814518315326250189865084",
"194262531055556628983606985455485984281",
"31646235681544521426191426439019689405",
"173515836952014454300813230643277345488",
"23182097496590933158163413432690455156",
"208553831826467743704191586793332852468",
"12140665811032016406034129298322882569",
"60883282736686997182956660023472760260",
"84159611624004518539488256606554010207",
"182159679567386335826608769155879183877",
"175854871993745254964192142239992972494",
"3366626159023851777037956955531567222",
"192481782610279998564422711330123274314",
"211827812899081160906738385886192384502",
"309538100672956985376432509379290828034",
"317175666295189614503829284827542795960",
"205737551848512194168408374169429580522",
"324037144246871990089387352284561291957",
"224761247387118064088951348640388840297",
"34774432735956455646689917887745663824",
"30946378524245545868281728259593137593",
"302597140349850166484090336110568824649",
"175305239917014355785660830232911240522",
"48484210654125770540559633161883565973",
"112276222702886410458844254728283685116",
"289829103584731426770542942334388391102",
"223079358598497149493832312385304834711",
"240099831622824296047118932648283998777",
"270315343108025170219391033310752637470",
"142810054990010562267312348891551413873",
"142320698396001302758690816918265276743",
"161348545859058914772418623318388877203",
"31568546441074105435105273875820722891",
"280771867360550733724571661772108583074",
"233762979102022414280511460772583562768",
"311757882355869337217748124591830648057",
"142266201105047362501098486955606903354",
"221549669186895724717107232986767098887",
"214467627316945029941456469411164101864",
"80153500950377506237570929880305796748",
"52436319953446359874760099721685213473",
"151237302259404419270956068953735415113",
"302536894418360129681251009129131833673",
"324609012448437672673367168115537901351",
"139062278912579956242398058365244586571",
"334255529813449676209599089316959218352",
"160185903678562665008961975518496655868",
"196912003243566534475951435402683505178",
"133829131180385248974154045384779915372",
"258061303963121624879702181940295237773",
"84094938606208082820981576204790925987",
"181952548532028006386563723123760839096",
"100359382960152358471172661308929482299",
"93491070745684286797929227501370824045",
"160646371125394381856339695841807798582",
"102046530213301218791114216945405901350",
"307499035415402819258510500611445017093",
"60144164925351505157933703447919498961",
"27995797427813993689209406975357771056",
"87686055952110694638245188724346561070",
"313746578883457889797005084320200594438",
"290365438456067922936400050121414809216",
"237332801770401206684681158150769620819",
"38781708185856097629036101610119167899",
"338491303297010798284467262169467097177",
"86831076102366009957835692498876868856",
"338622090546164433235814174121478300655",
"55892520678200265358239679712884297585",
"202989831529578147029140194499591494078",
"275466311936726849645355436870652878840",
"259364274827073485885539802007632742885",
"155027166533122536313935743556221082098",
"122101865620602287711052283372138044978",
"177306740336331268427873204495481002300",
"223682588254201099073606460543136057670",
"178421167281370275916088827698749038477",
"39868464450545089272960020625926959060",
"10558858410594870419334307216059154319",
"230121028768791079140502951834466721107",
"88415107833386241234776352050599454367"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "CVE-2020-11724-3f3abbac",
"source": "https://github.com/openresty/lua-nginx-module/commit/9ab38e8ee35fc08a57636b1b6190dca70b0076fa",
"deprecated": false,
"signature_version": "v1"
},
{
"target": {
"file": "src/ngx_http_lua_subrequest.c",
"function": "ngx_http_lua_set_content_length_header"
},
"digest": {
"length": 1901.0,
"function_hash": "217311079986664808779632352366482397170"
},
"signature_type": "Function",
"id": "CVE-2020-11724-72702f14",
"source": "https://github.com/openresty/lua-nginx-module/commit/9ab38e8ee35fc08a57636b1b6190dca70b0076fa",
"deprecated": false,
"signature_version": "v1"
},
{
"target": {
"file": "src/ngx_http_lua_subrequest.c",
"function": "ngx_http_lua_adjust_subrequest"
},
"digest": {
"length": 2823.0,
"function_hash": "105579464375438893419218366784013973774"
},
"signature_type": "Function",
"id": "CVE-2020-11724-82165f1f",
"source": "https://github.com/openresty/lua-nginx-module/commit/9ab38e8ee35fc08a57636b1b6190dca70b0076fa",
"deprecated": false,
"signature_version": "v1"
}
]