CVE-2020-11724: 
NGINX vulnerability analysis and mitigation

CVE-2020-11724 is a vulnerability discovered in OpenResty before version 1.15.8.4. The issue affects the ngx_http_lua_subrequest.c component and allows HTTP request smuggling, specifically through the ngx.location.capture API. The vulnerability was disclosed on April 12, 2020, and affects various systems using OpenResty, including Debian and Ubuntu distributions (NVD, CVE).

The vulnerability exists in the ngx_http_lua_subrequest.c component of OpenResty, specifically affecting the ngx.location.capture API functionality. It has been assigned a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, indicating that it is network-accessible, requires low attack complexity, needs no privileges or user interaction, and can result in high impact to integrity (NetApp Advisory).

Successful exploitation of this vulnerability could lead to HTTP request smuggling, potentially allowing attackers to bypass security controls, poison web caches, or perform other malicious actions. The vulnerability primarily affects the integrity of the system, with no direct impact on confidentiality or availability (NetApp Advisory).

The vulnerability has been fixed in OpenResty version 1.15.8.4 and later. Various distributions have released patches, including Debian 9 (stretch) with version 1.10.3-1+deb9u5 and Debian 10 (buster) with version 1.14.2-2+deb10u3. Users are recommended to upgrade their OpenResty installations to the patched versions (Debian Advisory, DSA-4750).