{"id":"CVE-2019-20372","details":"NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer.","modified":"2026-03-20T11:29:00.960795Z","published":"2020-01-09T21:15:12.027Z","related":["MGASA-2020-0231","SUSE-SU-2020:0348-1","SUSE-SU-2020:1171-1","openSUSE-SU-2020:0204-1","openSUSE-SU-2024:11092-1"],"references":[{"type":"ADVISORY","url":"http://nginx.org/en/CHANGES"},{"type":"ADVISORY","url":"https://duo.com/docs/dng-notes#version-1.5.4-january-2020"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20200127-0003/"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4235-1/"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00013.html"},{"type":"ADVISORY","url":"http://seclists.org/fulldisclosure/2021/Sep/36"},{"type":"ADVISORY","url":"https://support.apple.com/kb/HT212818"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4235-2/"},{"type":"FIX","url":"https://github.com/nginx/nginx/commit/c1be55f97211d38b69ac0c2027e6812ab8b1b94e"},{"type":"FIX","url":"https://github.com/kubernetes/ingress-nginx/pull/4859"},{"type":"EVIDENCE","url":"https://bertjwregeer.keybase.pub/2019-12-10%20-%20error_page%20request%20smuggling.pdf"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nginx/nginx","events":[{"introduced":"0"},{"fixed":"e5595b37e3e759300c0de3d93fe6861c907ca621"},{"fixed":"c1be55f97211d38b69ac0c2027e6812ab8b1b94e"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.17.7"}]}}],"versions":["release-0.1.0","release-0.1.1","release-0.1.10","release-0.1.11","release-0.1.12","release-0.1.13","release-0.1.14","release-0.1.15","release-0.1.16","release-0.1.17","release-0.1.18","release-0.1.19","release-0.1.2","release-0.1.20","release-0.1.21","release-0.1.22","release-0.1.23","release-0.1.24","release-0.1.25","release-0.1.26","release-0.1.27","release-0.1.28","release-0.1.29","release-0.1.3","release-0.1.30","release-0.1.31","release-0.1.32","release-0.1.33","release-0.1.34","release-0.1.35","release-0.1.36","release-0.1.37","release-0.1.38","release-0.1.39","release-0.1.4","release-0.1.40","release-0.1.41","release-0.1.42","release-0.1.43","release-0.1.44","release-0.1.45","release-0.1.5","release-0.1.6","release-0.1.7","release-0.1.8","release-0.1.9","release-0.2.0","release-0.2.1","release-0.2.2","release-0.2.3","release-0.2.4","release-0.2.5","release-0.2.6","release-0.3.0","release-0.3.1","release-0.3.10","release-0.3.11","release-0.3.12","release-0.3.13","release-0.3.14","release-0.3.15","release-0.3.16","release-0.3.17","release-0.3.18","release-0.3.19","release-0.3.2","release-0.3.20","release-0.3.21","release-0.3.22","release-0.3.23","release-0.3.24","release-0.3.25","release-0.3.26","release-0.3.27","release-0.3.28","release-0.3.29","release-0.3.3","release-0.3.30","release-0.3.31","release-0.3.32","release-0.3.33","release-0.3.34","release-0.3.35","release-0.3.36","release-0.3.37","release-0.3.38","release-0.3.39","release-0.3.4","release-0.3.40","release-0.3.41","release-0.3.42","release-0.3.43","release-0.3.44","release-0.3.45","release-0.3.46","release-0.3.47","release-0.3.48","release-0.3.49","release-0.3.5","release-0.3.50","release-0.3.51","release-0.3.52","release-0.3.53","release-0.3.54","release-0.3.55","release-0.3.56","release-0.3.57","release-0.3.58","release-0.3.59","release-0.3.6","release-0.3.60","release-0.3.61","release-0.3.7","release-0.3.8","release-0.3.9","release-0.4.0","release-0.4.1","release-0.4.10","release-0.4.11","release-0.4.12","release-0.4.13","release-0.4.14","release-0.4.2","release-0.4.3","release-0.4.4","release-0.4.5","release-0.4.6","release-0.4.7","release-0.4.8","release-0.4.9","release-0.5.0","release-0.5.1","release-0.5.10","release-0.5.11","release-0.5.12","release-0.5.13","release-0.5.14","release-0.5.15","release-0.5.16","release-0.5.17","release-0.5.18","release-0.5.19","release-0.5.2","release-0.5.20","release-0.5.21","release-0.5.22","release-0.5.23","release-0.5.24","release-0.5.25","release-0.5.3","release-0.5.4","release-0.5.5","release-0.5.6","release-0.5.7","release-0.5.8","release-0.5.9","release-0.6.0","release-0.6.1","release-0.6.10","release-0.6.11","release-0.6.12","release-0.6.13","release-0.6.14","release-0.6.15","release-0.6.16","release-0.6.17","release-0.6.18","release-0.6.19","release-0.6.2","release-0.6.20","release-0.6.21","release-0.6.22","release-0.6.23","release-0.6.24","release-0.6.25","release-0.6.26","release-0.6.27","release-0.6.28","release-0.6.29","release-0.6.3","release-0.6.30","release-0.6.31","release-0.6.4","release-0.6.5","release-0.6.6","release-0.6.7","release-0.6.8","release-0.6.9","release-0.7.0","release-0.7.1","release-0.7.10","release-0.7.11","release-0.7.12","release-0.7.13","release-0.7.14","release-0.7.15","release-0.7.16","release-0.7.17","release-0.7.18","release-0.7.19","release-0.7.2","release-0.7.20","release-0.7.21","release-0.7.22","release-0.7.23","release-0.7.24","release-0.7.25","release-0.7.26","release-0.7.27","release-0.7.28","release-0.7.29","release-0.7.3","release-0.7.30","release-0.7.31","release-0.7.32","release-0.7.33","release-0.7.34","release-0.7.35","release-0.7.36","release-0.7.37","release-0.7.38","release-0.7.39","release-0.7.4","release-0.7.40","release-0.7.41","release-0.7.42","release-0.7.43","release-0.7.44","release-0.7.45","release-0.7.46","release-0.7.47","release-0.7.48","release-0.7.49","release-0.7.5","release-0.7.50","release-0.7.51","release-0.7.52","release-0.7.53","release-0.7.54","release-0.7.55","release-0.7.56","release-0.7.57","release-0.7.58","release-0.7.59","release-0.7.6","release-0.7.7","release-0.7.8","release-0.7.9","release-0.8.0","release-0.8.1","release-0.8.10","release-0.8.11","release-0.8.12","release-0.8.13","release-0.8.14","release-0.8.15","release-0.8.16","release-0.8.17","release-0.8.18","release-0.8.19","release-0.8.2","release-0.8.20","release-0.8.21","release-0.8.22","release-0.8.23","release-0.8.24","release-0.8.25","release-0.8.26","release-0.8.27","release-0.8.28","release-0.8.29","release-0.8.3","release-0.8.30","release-0.8.31","release-0.8.32","release-0.8.33","release-0.8.34","release-0.8.35","release-0.8.36","release-0.8.37","release-0.8.38","release-0.8.39","release-0.8.4","release-0.8.40","release-0.8.41","release-0.8.42","release-0.8.43","release-0.8.44","release-0.8.45","release-0.8.46","release-0.8.47","release-0.8.48","release-0.8.49","release-0.8.5","release-0.8.50","release-0.8.51","release-0.8.52","release-0.8.53","release-0.8.6","release-0.8.7","release-0.8.8","release-0.8.9","release-0.9.0","release-0.9.1","release-0.9.2","release-0.9.3","release-0.9.4","release-0.9.5","release-0.9.6","release-0.9.7","release-1.0.0","release-1.0.1","release-1.0.2","release-1.0.3","release-1.0.4","release-1.0.5","release-1.1.0","release-1.1.1","release-1.1.10","release-1.1.11","release-1.1.12","release-1.1.13","release-1.1.14","release-1.1.15","release-1.1.16","release-1.1.17","release-1.1.18","release-1.1.19","release-1.1.2","release-1.1.3","release-1.1.4","release-1.1.5","release-1.1.6","release-1.1.7","release-1.1.8","release-1.1.9","release-1.11.0","release-1.11.1","release-1.11.10","release-1.11.11","release-1.11.12","release-1.11.13","release-1.11.2","release-1.11.3","release-1.11.4","release-1.11.5","release-1.11.6","release-1.11.7","release-1.11.8","release-1.11.9","release-1.13.0","release-1.13.1","release-1.13.10","release-1.13.11","release-1.13.12","release-1.13.2","release-1.13.3","release-1.13.4","release-1.13.5","release-1.13.6","release-1.13.7","release-1.13.8","release-1.13.9","release-1.15.0","release-1.15.1","release-1.15.10","release-1.15.11","release-1.15.12","release-1.15.2","release-1.15.3","release-1.15.4","release-1.15.5","release-1.15.6","release-1.15.7","release-1.15.8","release-1.15.9","release-1.17.0","release-1.17.1","release-1.17.2","release-1.17.3","release-1.17.4","release-1.17.5","release-1.17.6","release-1.2.0","release-1.3.0","release-1.3.1","release-1.3.10","release-1.3.11","release-1.3.12","release-1.3.13","release-1.3.14","release-1.3.15","release-1.3.16","release-1.3.2","release-1.3.3","release-1.3.4","release-1.3.5","release-1.3.6","release-1.3.7","release-1.3.8","release-1.3.9","release-1.4.0","release-1.5.0","release-1.5.1","release-1.5.10","release-1.5.11","release-1.5.12","release-1.5.13","release-1.5.2","release-1.5.3","release-1.5.4","release-1.5.5","release-1.5.6","release-1.5.7","release-1.5.8","release-1.5.9","release-1.7.0","release-1.7.1","release-1.7.10","release-1.7.11","release-1.7.12","release-1.7.2","release-1.7.3","release-1.7.4","release-1.7.5","release-1.7.6","release-1.7.7","release-1.7.8","release-1.7.9","release-1.9.0","release-1.9.1","release-1.9.10","release-1.9.11","release-1.9.12","release-1.9.13","release-1.9.14","release-1.9.15","release-1.9.2","release-1.9.3","release-1.9.4","release-1.9.5","release-1.9.6","release-1.9.7","release-1.9.8","release-1.9.9"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-20372.json","vanir_signatures":[{"deprecated":false,"target":{"file":"src/http/ngx_http_special_response.c","function":"ngx_http_send_error_page"},"source":"https://github.com/nginx/nginx/commit/c1be55f97211d38b69ac0c2027e6812ab8b1b94e","digest":{"length":1457,"function_hash":"248396389108547749369241191006484398262"},"signature_type":"Function","signature_version":"v1","id":"CVE-2019-20372-62ca3ceb"},{"deprecated":false,"target":{"file":"src/http/ngx_http_special_response.c"},"source":"https://github.com/nginx/nginx/commit/c1be55f97211d38b69ac0c2027e6812ab8b1b94e","digest":{"line_hashes":["137291644867612448719368415384420215080","240257681029049262992914975940936978256","103973782483082902889366172146365580787"],"threshold":0.9},"signature_type":"Line","signature_version":"v1","id":"CVE-2019-20372-7b36d8bf"}],"unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"13.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.04"}]},{"events":[{"introduced":"0"},{"last_affected":"15.1"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}