117 matches found
CURL-CVE-2022-32206 HTTP compression denial of service
curl supports "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited...
Internet Bug Bounty: CVE-2022-32206: HTTP compression denial of service
curl supports "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited...
CVE-2022-32206
curl 7.84.0 supports "chained" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually...
curl 资源管理错误漏洞
curl is a tool for transferring data from or to a server. A resource management error vulnerability exists in curl versions 7.57.0 through 7.83.1, which stems from the lack of a limit on the number of links in the chained HTTP compression algorithm supported by curl. An attacker exploiting this...
Tornado XSRF cookie allows side-channel attack against TLS (BREACH attack)
Tornado before 3.2.2 sends arbitrary responses that contain a fixed CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests...
curl: CVE-2022-32206: HTTP compression denial of service
Summary: Curl does not prevent resource consumption when processing certain header types, but keeps on allocating more and more resources until the application terminates or the system crashes, see below. The attack vectors include at least: - Sending many Transfer-Encodingwith repeated encodings...
SSL/TLS: BREACH attack against HTTP compression
SSL/TLS connections are vulnerable to the SPDX-FileCopyrightText: 2021 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription scriptoid"1.3.6.1.4.1.25623.1.0.117414"...
CVE-2020-5933
On versions 15.1.0-15.1.0.5, 14.1.0-14.1.2.3, 13.1.0-13.1.3.4, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, when a BIG-IP system that has a virtual server configured with an HTTP compression profile processes compressed HTTP message payloads that require deflation, a Slowloris-style attack can trigger a...
CVE-2020-5933
On versions 15.1.0-15.1.0.5, 14.1.0-14.1.2.3, 13.1.0-13.1.3.4, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, when a BIG-IP system that has a virtual server configured with an HTTP compression profile processes compressed HTTP message payloads that require deflation, a Slowloris-style attack can trigger a...
Design/Logic Flaw
On versions 15.1.0-15.1.0.5, 14.1.0-14.1.2.3, 13.1.0-13.1.3.4, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, when a BIG-IP system that has a virtual server configured with an HTTP compression profile processes compressed HTTP message payloads that require deflation, a Slowloris-style attack can trigger a...
F5 Networks BIG-IP : BIG-IP HTTP compression profile vulnerability (K26244025)
The version of F5 Networks BIG-IP installed on the remote host is prior to 11.6.5.2 / 12.1.5.2 / 13.1.3.5 / 14.1.2.5 / 15.1.1 / 16.0.0. It is, therefore, affected by a vulnerability as referenced in the K26244025 advisory. - On versions 15.1.0-15.1.0.5, 14.1.0-14.1.2.3, 13.1.0-13.1.3.4,...
CVE-2014-9720
Tornado before 3.2.2 sends arbitrary responses that contain a fixed CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests...
CVE-2014-9720
Tornado before 3.2.2 sends arbitrary responses that contain a fixed CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests...
DEBIAN-CVE-2014-9720
Tornado before 3.2.2 sends arbitrary responses that contain a fixed CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests...
PYSEC-2020-213
Tornado before 3.2.2 sends arbitrary responses that contain a fixed CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests...
CVE-2014-9720
Tornado before 3.2.2 sends arbitrary responses that contain a fixed CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests...
CVE-2014-9720
Tornado before 3.2.2 sends arbitrary responses that contain a fixed CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests...
CVE-2014-9720
Tornado before 3.2.2 sends arbitrary responses that contain a fixed CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests...
CVE-2014-9720
CVE-2014-9720 affects Tornado before 3.2.2. The issue allows remote attackers to exploit BREACH by receiving arbitrary HTTP responses that include a fixed CSRF token, potentially combined with HTTP compression. Root cause: responses may leak the CSRF token under compression. Impact described in s...
Legal Robot: SSL BREACH attack (CVE-2013-3587)
Hello security team, The site legalrobot.com is potentially vulnerable to the BREACH attack. Allowing an attacker the ability to: - Inject partial chosen plaintext into a victim's requests - Measure the size of encrypted traffic - can leverage information leaked by compression to recover targeted...