OutSystems became aware of a vulnerability that, if exploited, may allow an attacker to compromise the confidentiality, integrity, and availability of end-user data. OutSystems doesn't have any indication or reason to believe that this vulnerability has been exploited in the wild.
Base Score: 7.6 (High)
Vector String: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
To understand the phases involved in the process, and how and when we communicate, check this article. This vulnerability is currently in the public disclosure phase.
- Embargo phase: This vulnerability didn't require an embargo phase, as OutSystems patched all Cloud environments with no impact prior to disclosure.
- Public disclosure: Full details on this vulnerability were published on 22 December, 2020.
A security flaw was identified in the OutSystems Cloud architecture. It allows an unauthenticated user to poison the HTTP responses of requests performed by other legitimate users. This vulnerability is commonly known as HTTP Request Smuggling.
Technology stacks and affected versions
This vulnerability affects only the OutSystems Cloud environments in any version and stack, containing an Application Load Balancer.
Protecting your OutSystems installation
No action is required from customers, as OutSystems patched all Cloud environments. Please check the following sections for the actions that were applied to your environments.
OutSystems applied a rule to the environment's Web Application Firewall blocking all requests containing a structure that matches an HTTP request smuggling pattern.
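The rule described above rejects requests whose body framing is ambiguous. The following is an added example, not OutSystems code and not the actual WAF rule, that shows the kind of check such a rule performs: it parses a raw HTTP/1.1 request and reports every reason the message length could be interpreted differently by a front-end load balancer and a back-end server (Content-Length and Transfer-Encoding both present, duplicated or conflicting Content-Length values, malformed header names, or an unrecognized or non-final chunked coding). The sample requests are constructed for the example; the host name and paths are placeholders.

```python
"""Defensive check for ambiguous HTTP/1.1 request framing (added example).

A request is ambiguous when two HTTP parsers could disagree about where its
body ends. Returning a non-empty finding list is the signal a WAF rule would
use to reject the request before it reaches the back end.
"""
import re

# Valid header-name characters per RFC 7230 "token". A name with a space or
# tab in it is parsed differently by different servers, so it is flagged.
_TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Transfer codings we are willing to accept verbatim; anything else is
# treated as an obfuscated or unknown coding.
_KNOWN_CODINGS = {b"chunked", b"gzip", b"x-gzip", b"deflate",
                  b"compress", b"x-compress", b"identity"}


def parse_headers(raw):
    """Return (request_line, [(normalized_name, raw_name, value), ...]).

    The raw name is kept alongside the normalized one so that obfuscation
    (trailing whitespace, odd casing) remains visible to the checks.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            # No colon: an obsolete continuation line or junk. Keep the raw
            # line as the "name" so the token check rejects it.
            headers.append((b"", line, b""))
        else:
            headers.append((name.strip().lower(), name, value.strip()))
    return lines[0], headers


def framing_findings(raw):
    """List every reason the request's body length is ambiguous.

    An empty list means: at most one of Content-Length / Transfer-Encoding,
    a single numeric Content-Length, only known transfer codings, and
    chunked (if used) as the final coding.
    """
    _, headers = parse_headers(raw)
    findings = []

    if any(not _TOKEN.match(raw_name) for _, raw_name, _ in headers):
        findings.append("malformed header name")

    cl = [v for key, _, v in headers if key == b"content-length"]
    te = [v for key, _, v in headers if key == b"transfer-encoding"]

    if cl and te:
        findings.append("Content-Length and Transfer-Encoding both present")
    if len(cl) > 1:
        findings.append("conflicting Content-Length values"
                        if len(set(cl)) > 1 else "duplicate Content-Length header")
    if any(not v.isdigit() for v in cl):
        findings.append("non-numeric Content-Length")
    if len(te) > 1:
        findings.append("duplicate Transfer-Encoding header")
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(b",")]
        if any(c not in _KNOWN_CODINGS for c in codings):
            findings.append("unrecognized or obfuscated transfer coding")
        if b"chunked" in codings and codings[-1] != b"chunked":
            findings.append("chunked is not the final transfer coding")
    return findings


def is_ambiguous(raw):
    """True when a WAF rule of this kind should reject the request."""
    return bool(framing_findings(raw))


# Constructed sample requests (placeholder host and path).
_HEAD = b"POST /api HTTP/1.1\r\nHost: example.invalid\r\n"
SAMPLES = {
    "content-length only": _HEAD + b"Content-Length: 5\r\n\r\nhello",
    "gzip then chunked": _HEAD + b"Transfer-Encoding: gzip, chunked\r\n\r\n0\r\n\r\n",
    "both framing headers": _HEAD + b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "space before colon": _HEAD + b"Transfer-Encoding : chunked\r\n\r\n0\r\n\r\n",
    "two content-lengths": _HEAD + b"Content-Length: 5\r\nContent-Length: 7\r\n\r\nhello",
    "unknown coding": _HEAD + b"Transfer-Encoding: xchunked\r\n\r\n0\r\n\r\n",
}


def scan_samples():
    """Map each sample name to its findings (empty list = accepted)."""
    return {name: framing_findings(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        verdict = "REJECT" if findings else "accept"
        print(f"{verdict:7} {name}: {findings}")
```

Only the first two samples pass; each of the others is rejected with a specific reason, which is the kind of explanation worth logging next to a WAF block so that false positives from unusual but legitimate clients can be reviewed.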
Self-managed installations
Self-managed installations weren't affected by this vulnerability.
No workaround is required.
| Question | Answer |
| --- | --- |
| By exploiting this vulnerability, can an attacker access my data? | No. Even though the vulnerability compromises the confidentiality of connections, it does not directly compromise data stored by the OutSystems platform. |
| Has this vulnerability been exploited in the wild? | OutSystems doesn't have any evidence that this vulnerability has been exploited in the wild or that any customer was affected. |
| What do I need to do? | No action is required on your side. |
| Who can I talk to about this? | If you have any questions, contact your Customer Success Manager. If you don't have one, contact us via our support channels. |