
3707 matches found

Debian CVE
added 2023/09/21 12:00 a.m. | 18 views

CVE-2023-43669

The Tungstenite crate before 0.20.1 for Rust allows remote attackers to cause a denial of service (minutes of CPU consumption) via an excessive length of an HTTP header in a client handshake. The length affects both how many times a parse is attempted (e.g., thousands of times) and the average amount...

CVSS 7.5 | AI score 7.3 | EPSS 0.04501
Exploits: 1
Cvelist
added 2023/09/21 12:00 a.m. | 17 views

CVE-2023-43669

The Tungstenite crate before 0.20.1 for Rust allows remote attackers to cause a denial of service (minutes of CPU consumption) via an excessive length of an HTTP header in a client handshake. The length affects both how many times a parse is attempted (e.g., thousands of times) and the average amount...

AI score 7.5 | EPSS 0.04501
Exploits: 1 | References: 12
CVE
added 2023/09/21 12:00 a.m. | 310 views

CVE-2023-43669

The CVE-2023-43669 issue affects the Tungstenite crate for Rust up to version 0.20.0, where an excessively long HTTP header in a client handshake can cause high CPU usage and denial of service. Affected projects using tungstenite (and dependent crates like tokio-tungstenite) are exposed to potent...

CVSS 7.5 | AI score 7.2 | EPSS 0.04501
Exploits: 1 | References: 12 | Affected Software: 1
CNVD
added 2023/09/21 12:00 a.m. | 15 views

Apache Flink Code Injection Vulnerability

Apache Flink is an open source distributed stream processing engine from the Apache Foundation, written mainly in Java and Scala. Func is Knative's open source client library and CLI, which supports the development and deployment of functions. Apache Flink Stateful...

CVSS 6.1 | AI score 7.4 | EPSS 0.01579
Exploits: 0 | References: 1
OSV
added 2023/09/19 8:05 p.m. | 11 views

SUSE-SU-2023:3692-1 Security update for curl

This update for curl fixes the following issues: - CVE-2023-38039: Fixed a possible DoS when receiving too-large HTTP headers (bsc#1215026)...

CVSS 7.5 | AI score 7.8 | EPSS 0.14467
Exploits: 1 | References: 3
Vulnrichment
added 2023/09/19 12:34 p.m. | 12 views

CVE-2023-41834 Apache Flink Stateful Functions allowed HTTP header injection due to Improper Neutralization of CRLF Sequences

Improper Neutralization of CRLF Sequences in HTTP Headers in Apache Flink Stateful Functions 3.1.0, 3.1.1 and 3.2.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted HTTP requests. Attackers could potentially inject malicious content...

AI score 7 | EPSS 0.01579
Exploits: 0 | References: 2
Cvelist
added 2023/09/19 12:34 p.m. | 15 views

CVE-2023-41834 Apache Flink Stateful Functions allowed HTTP header injection due to Improper Neutralization of CRLF Sequences

Improper Neutralization of CRLF Sequences in HTTP Headers in Apache Flink Stateful Functions 3.1.0, 3.1.1 and 3.2.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted HTTP requests. Attackers could potentially inject malicious content...

AI score 6.5 | EPSS 0.01579
Exploits: 0 | References: 2
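The header-injection class described in the two CVE-2023-41834 entries above, as an added example that is not code from Apache Flink Stateful Functions or from any other project listed here: a redirect handler that percent-decodes a query parameter into the Location header, first without neutralizing CR/LF (the vulnerable pattern), then behind a validator that rejects CR, LF and NUL in values and enforces the RFC 9110 token grammar for field names. The handler names, the minimal serializer and the attacker payload are constructed for the illustration.

```python
import re
from urllib.parse import unquote

# RFC 9110 field-name token characters; anything else in a name is rejected.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
FORBIDDEN_IN_VALUE = frozenset("\r\n\0")


class HeaderInjection(ValueError):
    """A header name or value would break HTTP/1 line framing."""


def serialize(status: str, headers: list) -> bytes:
    """Join status line and header fields with CRLF (assumed minimal server)."""
    head = [f"HTTP/1.1 {status}"] + [f"{k}: {v}" for k, v in headers]
    return ("\r\n".join(head) + "\r\n\r\n").encode("latin-1")


def redirect_unsafe(target_param: str) -> bytes:
    # Vulnerable pattern: the percent-decoded query value flows straight into
    # the Location header, so %0d%0a in the input becomes a new header line.
    return serialize("302 Found", [("Location", unquote(target_param))])


def validate_field(name: str, value: str) -> tuple:
    """Neutralize CRLF injection by refusing the field rather than rewriting it."""
    if not TOKEN_RE.match(name):
        raise HeaderInjection(f"invalid header name {name!r}")
    if FORBIDDEN_IN_VALUE & set(value):
        raise HeaderInjection(f"CR, LF or NUL in value for {name}")
    return name, value


def redirect_safe(target_param: str) -> bytes:
    return serialize("302 Found",
                     [validate_field("Location", unquote(target_param))])


def header_lines(raw: bytes) -> list:
    """The header lines a downstream HTTP/1 parser would see in a response."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return head.decode("latin-1").split("\r\n")[1:]


# Constructed attacker input: a redirect target carrying an encoded CRLF and
# a second header. Not taken from the advisory.
CONSTRUCTED_PAYLOAD = "/home%0d%0aSet-Cookie:%20sid=attacker"


def demo() -> dict:
    result = {"unsafe_headers": header_lines(redirect_unsafe(CONSTRUCTED_PAYLOAD))}
    try:
        redirect_safe(CONSTRUCTED_PAYLOAD)
        result["safe_rejected"] = False
    except HeaderInjection:
        result["safe_rejected"] = True
    result["benign_headers"] = header_lines(redirect_safe("/home"))
    return result


if __name__ == "__main__":
    print(demo())
```

The unsafe path emits two header lines where the handler meant to emit one; the same decode-then-concatenate path would also let an encoded blank line (%0d%0a%0d%0a) end the header block early, which is the response-splitting case the advisory names. Rejecting the request is preferable to stripping the bytes, since stripping leaves the caller unaware that it was handed hostile input.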
OpenVAS
added 2023/09/19 12:00 a.m. | 30 views

Eclipse Jetty HTTP Header Vulnerability (GHSA-hmr7-m48g-48f6) - Windows

Eclipse Jetty is prone to an HTTP header vulnerability. SPDX-FileCopyrightText: 2023 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only. CPE = "cpe:/a:eclipse:jetty";...

CVSS 5.3 | AI score 6.3 | EPSS 0.04575
Exploits: 0 | References: 1
OpenVAS
added 2023/09/19 12:00 a.m. | 26 views

Eclipse Jetty HTTP Header Vulnerability (GHSA-hmr7-m48g-48f6) - Linux

Eclipse Jetty is prone to an HTTP header vulnerability. SPDX-FileCopyrightText: 2023 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only. CPE = "cpe:/a:eclipse:jetty";...

CVSS 5.3 | AI score 6.3 | EPSS 0.04575
Exploits: 0 | References: 1
Tenable Nessus
added 2023/09/19 12:00 a.m. | 28 views

Ubuntu 16.04 ESM / 18.04 ESM / 20.04 LTS : Node.js vulnerabilities (USN-6380-1)

The remote Ubuntu 16.04 ESM / 18.04 ESM / 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6380-1 advisory. Rogier Schouten discovered that Node.js incorrectly handled certain inputs. If a user or an automated system were tricked into...

CVSS 9.8 | AI score 8.1 | EPSS 0.32252
Exploits: 6 | References: 7
OSV
added 2023/09/15 8:15 p.m. | 1 view

UBUNTU-CVE-2023-40167

Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the + character preceding the content-length value in an HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests...

CVSS 5.3 | AI score 6.8 | EPSS 0.04575
Exploits: 0 | References: 3
IBM Security Bulletins
added 2023/09/14 5:23 p.m. | 27 views

Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to HTTP header injection due to Go CVE-2023-29406

Summary: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to HTTP header injection due to Go CVE-2023-29406 with details below. The vulnerability has been addressed. Vulnerability Details: CVEID: CVE-2023-29406. DESCRIPTION: Golang Go is vulnerable to HTTP head...

CVSS 6.5 | AI score 7.2 | EPSS 0.00344
Exploits: 0 | Affected Software: 2
Hacker One
added 2023/09/13 2:52 p.m. | 88 views

Internet Bug Bounty: [curl] CVE-2023-38039: HTTP header allocation DOS

CVE-2023-38039 is a security vulnerability in the curl library that allowed a malicious server to send an unlimited number of headers in an HTTP response, causing curl to exhaust heap memory and potentially leading to a denial-of-service condition...

CVSS 7.5 | AI score 7.6 | EPSS 0.14467
Exploits: 1
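The Tungstenite entries (CVE-2023-43669) and the curl entries (CVE-2023-38039, including the SUSE update above) are both denial-of-service bugs in how a peer's HTTP header block is read: one lets an over-long header make the parser re-scan the buffer on every arriving chunk, the other buffers an unbounded number of response headers. The following added example (not code from either project) shows the two defenses such a reader needs: hard caps on total header bytes and field count that are enforced on every received chunk, and a terminator search that resumes where the previous one stopped instead of restarting from offset zero. The reader class, the limit values and the sample requests are constructed for the illustration.

```python
from typing import Iterable, Optional


class HeaderLimitExceeded(Exception):
    """The header block is too large or has too many fields; stop reading."""


class BoundedHeaderReader:
    """Incremental HTTP/1 head reader with hard caps (constructed example).

    The limits are assumptions chosen for the illustration, not values taken
    from curl or tungstenite.
    """

    TERMINATOR = b"\r\n\r\n"

    def __init__(self, max_header_bytes: int = 16 * 1024, max_fields: int = 100):
        self.max_header_bytes = max_header_bytes
        self.max_fields = max_fields
        self.buf = bytearray()
        self.scan_from = 0       # where the next terminator search starts
        self.bytes_scanned = 0   # cumulative bytes examined, for comparison

    def feed(self, chunk: bytes) -> Optional[tuple]:
        """Buffer one chunk; return (request_line, fields, leftover) once the
        head is complete, or None if more data is needed."""
        self.buf += chunk
        # Size cap checked on every chunk: a slow peer cannot make us hold
        # more than max_header_bytes, however long it keeps the header going.
        if len(self.buf) > self.max_header_bytes:
            raise HeaderLimitExceeded(
                f"header block exceeds {self.max_header_bytes} bytes")
        # Search only the new bytes, plus len(TERMINATOR)-1 bytes of overlap in
        # case the terminator straddles two chunks. Work stays linear in the
        # header size instead of quadratic.
        start = max(0, self.scan_from - (len(self.TERMINATOR) - 1))
        self.bytes_scanned += len(self.buf) - start
        end = self.buf.find(self.TERMINATOR, start)
        if end < 0:
            self.scan_from = len(self.buf)
            return None
        head = bytes(self.buf[:end])
        leftover = bytes(self.buf[end + len(self.TERMINATOR):])
        request_line, *field_lines = head.split(b"\r\n")
        if len(field_lines) > self.max_fields:
            raise HeaderLimitExceeded(f"more than {self.max_fields} header fields")
        fields = []
        for line in field_lines:
            name, sep, value = line.partition(b":")
            # RFC 9110 forbids whitespace between the field name and the colon.
            if not sep or not name or name != name.strip():
                raise ValueError(f"malformed header line {line!r}")
            fields.append((name.decode("latin-1").lower(),
                           value.strip(b" \t").decode("latin-1")))
        return request_line.decode("latin-1"), fields, leftover


def read_head(chunks: Iterable[bytes], **limits) -> tuple:
    """Drive the reader over received chunks; also report the bytes scanned."""
    reader = BoundedHeaderReader(**limits)
    for chunk in chunks:
        result = reader.feed(chunk)
        if result is not None:
            request_line, fields, leftover = result
            return request_line, fields, leftover, reader.bytes_scanned
    raise ValueError("connection closed before end of headers")


def naive_bytes_scanned(chunks: Iterable[bytes]) -> int:
    """Work done by the anti-pattern: re-search the whole buffer per chunk."""
    buf, total = bytearray(), 0
    for chunk in chunks:
        buf += chunk
        total += len(buf)
        if buf.find(b"\r\n\r\n") >= 0:
            break
    return total


def chunked(data: bytes, size: int) -> list:
    return [data[i:i + size] for i in range(0, len(data), size)]


# Constructed sample traffic, not captured from any real client.
BENIGN = (b"GET /ws HTTP/1.1\r\nHost: example.test\r\nUpgrade: websocket\r\n"
          b"Connection: Upgrade\r\nX-Pad: " + b"a" * 3000 + b"\r\n\r\nbody-start")
OVERLONG = b"GET / HTTP/1.1\r\nX-Pad: " + b"a" * (64 * 1024)       # never terminated
TOO_MANY = (b"GET / HTTP/1.1\r\n"
            + b"".join(b"X-%d: 1\r\n" % i for i in range(500)) + b"\r\n")


def demo() -> dict:
    chunks = chunked(BENIGN, 100)
    request_line, fields, leftover, scanned = read_head(chunks)
    out = {"request_line": request_line, "field_count": len(fields),
           "leftover": leftover, "incremental_scan": scanned,
           "naive_scan": naive_bytes_scanned(chunks)}
    for label, data in (("overlong", OVERLONG), ("too_many", TOO_MANY)):
        try:
            read_head(chunked(data, 1024))
            out[label] = "accepted"
        except HeaderLimitExceeded as exc:
            out[label] = str(exc)
    return out


if __name__ == "__main__":
    print(demo())
```

The size cap fires on the 17th kilobyte of the over-long header, long before the attacker has to stop sending, and the field cap fires when the block completes with 500 fields; neither check waits for the whole block to be parsed. For the benign request the incremental reader examines roughly the header once, while the restart-from-zero version examines it once per chunk.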
OSV
added 2023/09/08 9:56 p.m. | 3 views

USN-6355-1 grub2-signed, grub2-unsigned, shim, and shim-signed vulnerability

Daniel Axtens discovered that specially crafted images could cause a heap-based out-of-bounds write. A local attacker could possibly use this to circumvent secure boot protections. (CVE-2021-3695) Daniel Axtens discovered that specially crafted images could cause out-of-bounds read and write. A local...

CVSS 8.1 | AI score 6.8 | EPSS 0.00151
Exploits: 0 | References: 12
Tenable Nessus
added 2023/09/07 12:00 a.m. | 25 views

Oracle Linux 8 : python27:2.7 (ELSA-2020-1605)

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-1605 advisory. - The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect...

CVSS 9.8 | AI score 7.2 | EPSS 0.01665
Exploits: 4 | References: 7
IBM Security Bulletins
added 2023/09/05 10:56 a.m. | 34 views

Security Bulletin: Due to use of IBM WebSphere Application Server Liberty, IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to multiple vulnerabilities.

Summary: IBM WebSphere Application Server Liberty is used by IBM Cloud Pak for Multicloud Management Monitoring as part of a middleware server. Vulnerability Details: CVEID: CVE-2022-34165. DESCRIPTION: IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 and IBM WebSphere Application Server Liber...

CVSS 7.5 | AI score 7 | EPSS 0.8042
Exploits: 6 | Affected Software: 1
Citrix
added 2023/09/04 12:00 a.m. | 10 views

How to remove HTTP Header with rewrite policy in NetScaler

This article describes how to delete a specific HTTP request header with a rewrite policy in NetScaler...

AI score 7.1
Exploits: 0
Hacker One
added 2023/08/25 9:40 p.m. | 75 views

Tor: 'Request English versions of web pages for enhanced privacy' keeps previous (grayed out) settings

The vulnerability allowed an attacker to identify users who had changed their language settings in the Tor Browser. By exploiting JavaScript and HTTP fingerprinting techniques, the attacker could determine the user's language preferences, even if the user had enabled the "Request English versions...

AI score 6.9
Exploits: 0
NVD
added 2023/08/14 10:15 p.m. | 8 views

CVE-2023-40518

LiteSpeed OpenLiteSpeed before 1.7.18 does not strictly validate HTTP request headers...

CVSS 7.5 | AI score 7.6 | EPSS 0.00194
Exploits: 0 | References: 2
ATTACKERKB
added 2023/08/10 9:15 p.m. | 3 views

CVE-2023-40225

HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpre...

CVSS 7.2 | AI score 5.8 | EPSS 0.00091
Exploits: 1 | References: 7
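The Jetty entry (CVE-2023-40167) and the HAProxy entry (CVE-2023-40225) are both Content-Length framing problems: Jetty accepted a leading + sign that the RFC 9110 grammar (Content-Length = 1*DIGIT) forbids, and HAProxy forwarded an empty value that a server behind it may interpret differently than the proxy did. The added example below (not code from either project) contrasts a permissive parser built on the language's integer conversion with a strict one that accepts only ASCII digits, rejects conflicting duplicates, and fails the request rather than guess a body length. The sample requests are constructed.

```python
import re

# RFC 9110 section 8.6: Content-Length = 1*DIGIT. No sign, no internal
# whitespace, no separators, and an empty value is invalid.
CONTENT_LENGTH_RE = re.compile(rb"^[0-9]+$")


class FramingError(ValueError):
    """Body framing is ambiguous; answer 400 instead of guessing a length."""


def permissive_content_length(value: str) -> int:
    # Anti-pattern: the language's integer parser is more lenient than the
    # grammar. int() accepts '+42', ' 42' and '4_2' and returns 42 for each.
    return int(value)


def strict_content_length(values: list) -> int:
    """Return the body length from all Content-Length fields, or raise."""
    if not values:
        return 0  # no Content-Length (and, assumed here, no Transfer-Encoding)
    distinct = {v.strip(b" \t") for v in values}  # OWS around the value is allowed
    if len(distinct) != 1:
        raise FramingError("conflicting Content-Length values")
    (value,) = distinct
    if not CONTENT_LENGTH_RE.match(value):
        raise FramingError(f"invalid Content-Length {value!r}")
    return int(value)


def header_values(raw_request: bytes, name: bytes) -> list:
    """All values of one header in a raw HTTP/1 request head (toy parser)."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    values = []
    for line in head.split(b"\r\n")[1:]:
        field, sep, value = line.partition(b":")
        if sep and field.lower() == name.lower():
            values.append(value)
    return values


def compare(raw_request: bytes) -> dict:
    """What a lenient and a strict implementation each make of one request."""
    values = header_values(raw_request, b"Content-Length")
    out = {}
    try:
        # Lenient: take the last field seen and hand it to int().
        out["permissive"] = (permissive_content_length(values[-1].decode("latin-1"))
                             if values else 0)
    except ValueError:
        out["permissive"] = "error"
    try:
        out["strict"] = strict_content_length(values)
    except FramingError as exc:
        out["strict"] = f"400: {exc}"
    return out


# Constructed requests, not captured traffic.
CASES = {
    "plain":      b"POST / HTTP/1.1\r\nHost: h\r\nContent-Length: 42\r\n\r\n",
    "plus_sign":  b"POST / HTTP/1.1\r\nHost: h\r\nContent-Length: +42\r\n\r\n",   # CVE-2023-40167 shape
    "empty":      b"POST / HTTP/1.1\r\nHost: h\r\nContent-Length: \r\n\r\n",      # CVE-2023-40225 shape
    "underscore": b"POST / HTTP/1.1\r\nHost: h\r\nContent-Length: 4_2\r\n\r\n",
    "duplicate":  b"POST / HTTP/1.1\r\nHost: h\r\nContent-Length: 5\r\nContent-Length: 6\r\n\r\n",
}


def demo() -> dict:
    return {case: compare(raw) for case, raw in CASES.items()}


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:<11} {verdict}")
```

The point of the comparison is not the individual quirks but the disagreement: any two hops on the request path that resolve these values differently (one reading "+42" as 42, the other rejecting it; one treating an empty value as zero, the other as an error) can be desynchronized about where the body ends, which is the precondition for the request-smuggling scenarios both advisories allude to. A proxy should therefore reject or normalize such fields itself rather than forward them.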