Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
ewe has an Overly Permissive List of Allowed Inputs
Vulnerability Description
ewe is a Gleam web server. ewe is a Gleam web server. Versions 0.6.0 through 3.0.4 are vulnerable to authentication bypass or spoofed proxy-trust headers. Chunked transfer encoding trailer handling merges declared trailer fields into req.headers after body parsing, but the denylist only blocks 9 header names. A malicious client can exploit this by declaring these headers in the Trailer field and appending them after the final chunk, causing request.set_header to overwrite legitimate values (e.g., those set by a reverse proxy). This enables attackers to forge authentication credentials, hijack sessions, bypass IP-based rate limiting, or spoof proxy-trust headers in any downstream middleware that reads headers after ewe.read_body is called. This issue has been fixed in version 3.0.5.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Vulnerability Type
宽松定义的白名单
Vulnerability Title
ewe 安全漏洞
Vulnerability Description
ewe是Vladislav Shakitskiy个人开发者的一个轻量级Web服务器构建包。 ewe 3.0.4及之前版本存在安全漏洞,该漏洞源于分块传输编码尾部处理不当,可能导致身份验证绕过或伪造代理信任标头。
CVSS Information
N/A
Vulnerability Type
N/A