205 matches found
Datalust Seq 安全漏洞
Datalust Seq is a logging server from Datalust Australia. It is used to speed up diagnostics in complex, asynchronous and distributed applications. A security vulnerability exists in Datalust Seq versions prior to 2021.2.6259, which stems from software that allows a user who applies a view filter...
Design/Logic Flaw
Ratpack is a toolkit for creating web applications. In versions prior to 1.9.0, a user supplied X-Forwarded-Host header can be used to perform cache poisoning of a cache fronting a Ratpack server if the cache key does not include the X-Forwarded-Host header as a cache key. Users are only vulnerab...
Huawei EulerOS: Security Advisory for python (EulerOS-SA-2021-1911)
The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2021 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
bottle HTTP Request smuggling
The package bottle before 0.12.19 are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon ;, they can cause a difference in the interpretation of the request between the proxy running with default...
Web Cache Poisoning
python-django is vulnerable to web cache poisoning. An attacker may separate query parameters using a semicolon ;, causing a difference in the interpretation of the request between the proxy running with default configuration and the server resulting in malicious requests being cached as complete...
CVE-2021-23336
The package python/cpython is vulnerable to Web Cache Poisoning via urllib.parse.parseqsl and urllib.parse.parseqs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon ;, they can cause a difference in the interpretation of the request...
CVE-2021-23336
The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parseqsl and urllib.parse.parseqs by using a vector called parameter cloaking. When the attacker can...
CVE-2021-23336
The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parseqsl and urllib.parse.parseqs by using a vector called parameter cloaking. When the attacker can...
CVE-2020-28473
The package bottle from 0 and before 0.12.19 are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon ;, they can cause a difference in the interpretation of the request between the proxy running with...
Debian DLA-2531-1 : python-bottle security update
The package src:python-bottle before 0.12.19 are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon ;, they can cause a difference in the interpretation of the request between the proxy running with...
CVE-2020-28473
The package bottle from 0 and before 0.12.19 are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon ;, they can cause a difference in the interpretation of the request between the proxy running with...
CVE-2020-28473
The package bottle from 0 and before 0.12.19 are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon ;, they can cause a difference in the interpretation of the request between the proxy running with...
CVE-2020-28473
The package bottle from 0 and before 0.12.19 are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon ;, they can cause a difference in the interpretation of the request between the proxy running with...
Black Hat Presentation - Web Cache Entanglement
Overview Akamai is aware of the 'Web Cache Entanglement: Novel Pathways to Poisoning' presentation at BlackHat on August 5, 2020. Two security vulnerabilities related to our content delivery networks' caching functionality were presented as part of this research. Akamai would like to thank James...
GHSA-WPJR-J57X-WXFW Data leakage via cache key collision in Django
An issue was discovered in Django version 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage...
Data leakage via cache key collision in Django
An issue was discovered in Django version 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage...
Information Disclosure
django is vulnerable to information disclosure. The vulnerability exists as the add, get, set, delete, getmany, incr, decr operations in django/core/cache/backends/memcached.py does not properly validate the cache key...
Fedora 30 : glpi (2019-a1636592a3)
GLPI version 9.4.4 This is a security release, upgrading is highly recommended Non exhaustive list of changes : - security Prevent account takeover vulnerability , - security Prevent execution of XSS on rich text, - fix cache key lenght issues, - fix user picture removal at login, - several fixes...
Authorization Bypass
firefox/thunderbird is vulnerable to authorization bypass. A remote attacker is able to bypass the CORS preflight protection mechanisms via duplicate cache-key generation or retrieval of a value from an incorrect HTTP Access-Control- response header...
Authentication Bypass
cipher.googlepam is vulnerable to authentication bypass because it uses the same cache key for all users. When one user logs in successfully, others could not log in using their own passwords. But the first user could now use his password to log in as anyone else...