CVE-2022-22691: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

January 18, 2022 (updated January 26, 2022)

The password reset component deployed within Umbraco uses the hostname supplied within the request host header when building a password reset URL.See the AppCheck advisory for further information and associated caveats.

References

appcheck-ng.com/umbraco-applicationurl-overwrite-persistent-password-reset-poison-cve-2022-22690-cve-2022-22691/
nvd.nist.gov/vuln/detail/CVE-2022-22691

Code Behaviors & Features

Detect and mitigate CVE-2022-22691 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →