CVE-2005-2089

EPSS 35.63%
Published 05.07.2005 04:00:00
Last modified 03.04.2025 01:03:51
Source cve@mitre.org
Teams watchlist Login
Open Login

Microsoft IIS 5.0 and 6.0 allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes IIS to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling."

Affected products Warnungen 0 Metrics 2 CWE 1 References 7

Data is provided by the National Vulnerability Database (NVD)

Microsoft ≫ Internet Information Services Version5.0

Microsoft ≫ Internet Information Services Version6.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	35.63%	0.969

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:P/A:N

CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

http://seclists.org/lists/bugtraq/2005/Jun/0025.html

Third Party Advisory

Mailing List

http://www.securiteam.com/securityreviews/5GP0220G0U.html

Broken Link

http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf

Broken Link

https://exchange.xforce.ibmcloud.com/vulnerabilities/42899

Third Party Advisory

VDB Entry

https://nvd.nist.gov/vuln/detail/CVE-2005-2089

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2005-2089

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2005-2089

EUVD