CVE-2021-22132

Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers of other users in...

Information disclosure

Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers of other users in...

CVE-2021-22132

Elasticsearch 7.7.0–7.10.1 exposes an information-disclosure flaw in the async search API: executed async searches cause HTTP headers to be stored, potentially allowing a user who can read the .tasks index to obtain other users’ sensitive request headers. The issue is fixed in Elasticsearch 7.10....

SAP Commerce Cloud Input Validation Error Vulnerability

SAP Commerce Cloud is an e-commerce cloud platform from SAP Germany. The platform provides enterprise-level e-commerce business support. SAP Commerce Cloud versions 1808, 1811, 1905, 2005, and 2011 suffer from an Input Validation Error vulnerability, which is caused by an authenticated attacker...

The vulnerability of the Node.js software platform is related to an error in handling HTTP headers. This error allows attackers to gain access to protected information or enhance their privileges.

The vulnerability of the Node.js software platform is related to an error in handling HTTP header names. Exploiting this vulnerability can allow a remote attacker to gain access to protected information or enhance their privileges...

CRLF Injection

wget is vulnerable to CRLF injection. The urlparse function in url.c allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in the host subcomponent of a URL...

Logitech: CSRF in changing users donation_settings [https://streamlabs.com/api/v6/viewer-portal/viewer-settings/donation_settings]

Hey there, I have found that the api/v6/viewer-portal/viewer-settings/donationsettings endpoint is vulnerable to csrf attack, which allows an attacker to update victim's donationsettings like username,amount...

Debian DLA-2459-1 : golang-1.7 security update

Two issues have been found in golang-1.7, a Go programming language compiler version 1.7 CVE-2020-15586 Using the 100-continue in HTTP headers received by a net/http/Server can lead to a data race involving the connection's buffered writer. CVE-2020-16845 Certain invalid inputs to ReadUvarint or...

Debian DLA-2460-1 : golang-1.8 security update

Three issues have been found in golang-1.8, a Go programming language compiler version 1.8 CVE-2020-15586 Using the 100-continue in HTTP headers received by a net/http/Server can lead to a data race involving the connection's buffered writer. CVE-2020-16845 Certain invalid inputs to ReadUvarint o...

Debian: Security Advisory (DLA-2459-1)

The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2020 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

[SECURITY] [DLA 2460-1] golang-1.8 security update

------------------------------------------------------------------------- Debian LTS Advisory DLA-2460-1 [email protected] https://www.debian.org/lts/security/ Thorsten Alteholz November 21, 2020 https://wiki.debian.org/LTS -...

[SECURITY] [DLA 2459-1] golang-1.7 security update

------------------------------------------------------------------------- Debian LTS Advisory DLA-2459-1 [email protected] https://www.debian.org/lts/security/ Thorsten Alteholz November 21, 2020 https://wiki.debian.org/LTS -...

CVE-2020-12145

Silver Peak Unity Orchestrator versions prior to 8.9.11+, 8.10.11+, or 9.0.1+ uses HTTP headers to authenticate REST API calls from localhost. This makes it possible to log in to Orchestrator by introducing an HTTP HOST header set to 127.0.0.1 or localhost. Orchestrator instances that are hosted ...

Design/Logic Flaw

Silver Peak Unity Orchestrator versions prior to 8.9.11+, 8.10.11+, or 9.0.1+ uses HTTP headers to authenticate REST API calls from localhost. This makes it possible to log in to Orchestrator by introducing an HTTP HOST header set to 127.0.0.1 or localhost. Orchestrator instances that are hosted ...

CVE-2020-12145

Silver Peak Unity Orchestrator versions prior to 8.9.11+, 8.10.11+, or 9.0.1+ are affected by CVE-2020-12145, which allows login via HTTP Host header spoofing to localhost. The vulnerability stems from authenticating REST API calls from localhost using the host header, enabling an attacker to byp...

CVE-2020-12145 Silver Peak Unity OrchestratorTM authentication can be subverted through manipulation of HTTP headers.

Silver Peak Unity Orchestrator versions prior to 8.9.11+, 8.10.11+, or 9.0.1+ uses HTTP headers to authenticate REST API calls from localhost. This makes it possible to log in to Orchestrator by introducing an HTTP HOST header set to 127.0.0.1 or localhost. Orchestrator instances that are hosted ...

Updated tomcat packages fix a security vulnerability

If an HTTP/2 client exceeded the agreed maximum number of concurrent streams for a connection in violation of the HTTP/2 protocol, it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than t...

Apache Tomcat 9.0.0.M1 < 9.0.38 Information Disclosure

The version of Apache Tomcat installed on the remote host is 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57. It is, therefore, affected by a vulnerability. If an HTTP/2 client exceeds the agreed maximum number of concurrent streams for a connection in violation of the HTTP/2...

CVE-2020-3561

A vulnerability in the Clientless SSL VPN WebVPN of Cisco Adaptive Security Appliance ASA Software and Cisco Firepower Threat Defense FTD Software could allow an unauthenticated, remote attacker to inject arbitrary HTTP headers in the responses of the affected system. The vulnerability is due to...

Crlf injection

A vulnerability in the Clientless SSL VPN WebVPN of Cisco Adaptive Security Appliance ASA Software and Cisco Firepower Threat Defense FTD Software could allow an unauthenticated, remote attacker to inject arbitrary HTTP headers in the responses of the affected system. The vulnerability is due to...