N/A

The Cisco Content Services Switch (CSS) 11500 with software 8.20.4.02 and the Application Control Engine (ACE) 4710 with software A2(3.0) do not properly handle LF header terminators in situations where the GET line is terminated by CRLF, which allows remote attackers to conduct HTTP request smuggling attacks and possibly bypass intended header insertions via crafted header data, as demonstrated by an LF character between the ClientCert-Subject and ClientCert-Subject-CN headers. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-1576.

N/A

N/A

Cisco CSS HTTP请求头验证漏洞

Cisco CSS 11500内容服务交换机是用于为数据中心提供强壮可升级网络服务(4-7层)的负载均衡设备。 装有8.20.4.02之前版本软件的Cisco内容服务交换机(CSS)11500以及装有A2(3.0)之前版本软件的应用控制引擎(ACE)4710在GET行以CRLF终止情况下不能准确处理LF头终端。远程攻击者可以进行HTTP请求窃取攻击，并且可能利用伪造的头数据绕过预期的头插入，正如 ClientCert-Subject头和ClientCert-Subject-CN头之间的LF字符。

N/A

N/A