CVE-2021-20220: Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling)

February 23, 2021 (updated February 22, 2022)

A regression in the fix for CVE-2020-10687 was found. HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request.

References

bugzilla.redhat.com/show_bug.cgi?id=1923133
nvd.nist.gov/vuln/detail/CVE-2021-20220

Detect and mitigate CVE-2021-20220 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →