Lucene search
K

46 matches found

CVE
CVE
added 2025/09/02 12:26 a.m.28 views

CVE-2025-57808

ESPHome’s ESP-IDF web_server authentication check in version 2025.8.0 can bypass when the client-supplied Base64 Authorization value is empty or a substring of the correct value, allowing access to web_server functionality (including OTA if enabled) without valid credentials. This authentication ...

8.1CVSS6.3AI score0.01514EPSS
Exploits1References2Affected Software1
SUSE Linux
SUSE Linux
added 2025/05/19 5:21 p.m.3 views

Security update for apache2-mod_auth_openidc

This update for apache2-modauthopenidc fixes the following issues: CVE-2025-3891: denial of service via POST requests with an empty Content-Type header and with OIDCPreservePost On bsc1242015. Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST...

8.2CVSS7.3AI score0.01214EPSS
Exploits0References4
OSV
OSV
added 2024/12/11 9:21 a.m.8 views

CLSA-2024-1733908866 Fix CVE(s): CVE-2023-25725

SECURITY UPDATE: The HTTP header parsers in HAProxy may accept empty header field names - debian/patches/CVE-2023-25725.patch: prevent empty header field names - CVE-2023-25725...

9.1CVSS7.2AI score0.05493EPSS
Exploits0References1
OSV
OSV
added 2024/12/03 5:28 a.m.14 views

USN-7135-1 haproxy vulnerability

Bahruz Jabiyev, Anthony Gavazzi, Engin Kirda, Kaan Onarlioglu, Adi Peleg, and Harvey Tuch discovered that HAProxy incorrectly handled empty header names. A remote attacker could possibly use this issue to manipulate headers and bypass certain authentication checks and restrictions...

9.1CVSS7.3AI score0.05493EPSS
Exploits0References2
CNVD
CNVD
added 2024/11/21 12:0 a.m.11 views

Unspecified vulnerability in Linux kernel (CNVD-2024-46446)

Linux kernel is the kernel used by Linux, the open source operating system of the Linux Foundation in the United States. Linux kernel has a security vulnerability that stems from an empty header address. No details of the vulnerability are provided at this time...

5.5CVSS6.6AI score0.00244EPSS
Exploits0References1
CNNVD
CNNVD
added 2024/11/19 12:0 a.m.4 views

Linux kernel 安全漏洞

Linux kernel is the kernel used by Linux, the open source operating system of the Linux Foundation in the United States. Linux kernel has a security vulnerability that stems from an empty header address. No details of the vulnerability are provided at this time...

5.5CVSS8.2AI score0.00244EPSS
Exploits0References5
Amazon
Amazon
added 2023/09/25 12:0 a.m.6 views

Important: haproxy2

Issue Overview: HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers and...

9.1CVSS6.9AI score0.05493EPSS
Exploits0
OSV
OSV
added 2023/08/10 9:15 p.m.9 views

AZL-27912 CVE-2023-40225 affecting package haproxy for versions less than 2.4.24-1

HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpre...

7.2CVSS7.1AI score0.01815EPSS
Exploits1References1
Microsoft CVE
Microsoft CVE
added 2023/02/20 8:0 a.m.5 views

HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names which could be used to truncate the list of HTTP headers and thus make some headers disappear after being parsed and processed for HTTP/1.0 and HTTP/1.1. For HTTP/2 and HTTP/3 the impact is limited because the headers disappear before being parsed and processed as if they had not been sent by the client. The fixed versions are 2.7.3 2.6.9 2.5.12 2.4.22 2.2.29 and 2.0.31.

...

9.1CVSS7.5AI score0.05493EPSS
Exploits0
SUSE CVE
SUSE CVE
added 2023/02/15 6:2 a.m.3 views

SUSE CVE-2009-3704

ZoIPer 2.22, and possibly other versions before 2.24 Library 5324, allows remote attackers to cause a denial of service crash via a SIP INVITE request with an empty Call-Info header...

5CVSS6.9AI score0.08143EPSS
Exploits1References3
SUSE CVE
SUSE CVE
added 2023/02/15 5:43 a.m.5 views

SUSE CVE-2012-5533

The httprequestsplitvalue function in request.c in lighttpd before 1.4.32 allows remote attackers to cause a denial of service infinite loop via a request with a header containing an empty token, as demonstrated using the "Connection: TE,,Keep-Alive" header...

5CVSS6.8AI score0.12038EPSS
Exploits7References3
SUSE CVE
SUSE CVE
added 2023/02/15 3:21 a.m.3 views

SUSE CVE-2023-25725

HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers and thus make some...

9.3CVSS7.7AI score0.05493EPSS
Exploits0References10
OSV
OSV
added 2023/02/14 7:15 p.m.3 views

DEBIAN-CVE-2023-25725

HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers and thus make some...

9.1CVSS7.7AI score0.05493EPSS
Exploits0References1
OSV
OSV
added 2023/02/14 5:9 p.m.7 views

USN-5869-1 haproxy vulnerability

Bahruz Jabiyev, Anthony Gavazzi, Engin Kirda, Kaan Onarlioglu, Adi Peleg, and Harvey Tuch discovered that HAProxy incorrectly handled empty header names. A remote attacker could possibly use this issue to manipulate headers and bypass certain authentication checks and restrictions...

9.1CVSS7.2AI score0.05493EPSS
Exploits0References2
OSV
OSV
added 2023/02/14 4:0 p.m.4 views

UBUNTU-CVE-2023-25725

HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers and thus make some...

9.1CVSS7.1AI score0.05493EPSS
Exploits0References5
RedHat Linux
RedHat Linux
added 2022/04/19 1:35 p.m.4 views

golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty

A flaw was found in Go, acting as an unintended proxy or intermediary, where ReverseProxy forwards connection headers if the first one was empty. This flaw allows an attacker to drop arbitrary headers. The highest threat from this vulnerability is to integrity...

5.3CVSS7.2AI score0.02279EPSS
Exploits1References5
RedHat Linux
RedHat Linux
added 2022/04/12 3:9 p.m.3 views

golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty

A flaw was found in Go, acting as an unintended proxy or intermediary, where ReverseProxy forwards connection headers if the first one was empty. This flaw allows an attacker to drop arbitrary headers. The highest threat from this vulnerability is to integrity...

5.3CVSS7.2AI score0.02279EPSS
Exploits1References5
OSV
OSV
added 2022/02/09 11:6 p.m.2 views

GHSA-Q42Q-523G-3FWV Cross-Site Request Forgery

This affects the package com.softwaremill.akka-http-session:core2.13 before 0.5.11; the package com.softwaremill.akka-http-session:core2.12 before 0.5.11; the package com.softwaremill.akka-http-session:core2.11 before 0.5.11. For older versions, endpoints protected by randomTokenCsrfProtection...

8.8CVSS7.2AI score0.00645EPSS
Exploits0References7
RedHat Linux
RedHat Linux
added 2021/09/07 8:38 a.m.2 views

golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty

A flaw was found in Go, acting as an unintended proxy or intermediary, where ReverseProxy forwards connection headers if the first one was empty. This flaw allows an attacker to drop arbitrary headers. The highest threat from this vulnerability is to integrity...

5.3CVSS7.2AI score0.02279EPSS
Exploits1References5
Snyk
Snyk
added 2020/03/10 4:51 p.m.1 views

Cross-site Request Forgery (CSRF)

Overview Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF. For older versions, endpoints protected by randomTokenCsrfProtection could be bypassed with an empty X-XSRF-TOKEN header and an empty XSRF-TOKEN cookie. Remediation Upgrade...

8.8CVSS6.8AI score0.00645EPSS
Exploits0References2
Rows per page
Query Builder