mitmproxy is an interactive, SSL/TLS-capable intercepting proxy. In mitmproxy 7.0.2 and below, a malicious client or server is able to perform HTTP request smuggling attacks through mitmproxy. This means that a malicious client/server could smuggle a request/response through mitmproxy as part of another request/response's HTTP message body. While a smuggled request is still captured as part of another request's body, it does not appear in the request list and does not go through the usual mitmproxy event hooks, where users may have implemented custom access control checks or input sanitization. Unless one uses mitmproxy to protect an HTTP/1 service, no action is required. The vulnerability has been fixed in mitmproxy 7.0.3 and above.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - mitmproxy is an interactive, SSL/TLS-capable intercepting proxy. In mitmproxy 7.0.2 and below, a malicious     client or server is able to perform HTTP request smuggling attacks through mitmproxy. This means that a     malicious client/server could smuggle a request/response through mitmproxy as part of another     request/response's HTTP message body. While a smuggled request is still captured as part of another     request's body, it does not appear in the request list and does not go through the usual mitmproxy event     hooks, where users may have implemented custom access control checks or input sanitization. Unless one     uses mitmproxy to protect an HTTP/1 service, no action is required. The vulnerability has been fixed in     mitmproxy 7.0.3 and above. (CVE-2021-39214)

Note that Nessus relies on the presence of the package as reported by the vendor.

The remote openSUSE 15 host has a package installed that is affected by a vulnerability as referenced in the openSUSE- SU-2023:0232-1 advisory.

  - mitmproxy is an interactive, SSL/TLS-capable intercepting proxy. In mitmproxy 7.0.2 and below, a malicious     client or server is able to perform HTTP request smuggling attacks through mitmproxy. This means that a     malicious client/server could smuggle a request/response through mitmproxy as part of another     request/response's HTTP message body. While a smuggled request is still captured as part of another     request's body, it does not appear in the request list and does not go through the usual mitmproxy event     hooks, where users may have implemented custom access control checks or input sanitization. Unless one     uses mitmproxy to protect an HTTP/1 service, no action is required. The vulnerability has been fixed in     mitmproxy 7.0.3 and above. (CVE-2021-39214)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote openSUSE 15 host has a package installed that is affected by a vulnerability as referenced in the openSUSE- SU-2023:0233-1 advisory.

  - mitmproxy is an interactive, SSL/TLS-capable intercepting proxy. In mitmproxy 7.0.2 and below, a malicious     client or server is able to perform HTTP request smuggling attacks through mitmproxy. This means that a     malicious client/server could smuggle a request/response through mitmproxy as part of another     request/response's HTTP message body. While a smuggled request is still captured as part of another     request's body, it does not appear in the request list and does not go through the usual mitmproxy event     hooks, where users may have implemented custom access control checks or input sanitization. Unless one     uses mitmproxy to protect an HTTP/1 service, no action is required. The vulnerability has been fixed in     mitmproxy 7.0.3 and above. (CVE-2021-39214)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
224048	Linux Distros Unpatched Vulnerability : CVE-2021-39214	Nessus	Misc.	critical
180002	openSUSE 15 Security Update : python-mitmproxy (openSUSE-SU-2023:0232-1)	Nessus	SuSE Local Security Checks	critical
180001	openSUSE 15 Security Update : python-mitmproxy (openSUSE-SU-2023:0233-1)	Nessus	SuSE Local Security Checks	critical

Detections

Analytics

CVE-2021-39214

critical

Tenable Plugins

critical

critical

critical