1138 matches found
September 8, 2020—KB4577066 (Monthly Rollup)
September 8, 2020—KB4577066 Monthly Rollup IMPORTANT Windows 8.1 and Windows Server 2012 R2 have reached the end of mainstream support and are now in extended support. Starting in July 2020, there will no longer be optional, non-security releases known as "C" releases for this operating system...
Malicious Package
Overview All versions of http-proxy-middelware contain malicious code. The index.js file attempts to download a file from a remote server and execute it. The file is not run upon installation - the package needs to be required or the index.js run manually. The package contains a typo in its code...
CentOS 8 : GNOME (CESA-2019:3553)
The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2019:3553 advisory. - webkitgtk: HTTP proxy setting deanonymization information disclosure CVE-2019-11070 - evince: uninitialized memory use in function tiff_document_render...
CVE-2021-3116
before_upstream_connection in AuthPlugin in http/proxy/auth.py in proxy.py before 2.3.1 accepts incorrect Proxy-Authorization header data because of a boolean confusion (and versus or)...
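The entry above describes a check that used `and` where `or` was meant, so a Proxy-Authorization header is rejected only when every condition fails instead of when any one does. The following is an added illustration of that bug class, not proxy.py's own code: `check_proxy_auth_buggy`, `check_proxy_auth_fixed`, `EXPECTED_AUTH_CODE` and the sample headers are constructed for this example.

```python
"""and/or boolean confusion in a Proxy-Authorization check, as described for CVE-2021-3116.

Added example, not proxy.py's code: check_proxy_auth_buggy, check_proxy_auth_fixed,
EXPECTED_AUTH_CODE and the sample headers are constructed to illustrate the bug class.
"""
import base64

# Constructed expected credential, stored the way HTTP Basic carries it: base64("user:pass").
EXPECTED_AUTH_CODE = base64.b64encode(b"alice:s3cret")


def _auth_conditions(headers):
    """Evaluate the three things a Basic Proxy-Authorization header must get right.
    Returns None when the header is missing or empty, else (bad_shape, bad_scheme, bad_token)."""
    value = headers.get(b"proxy-authorization")
    if not value:
        return None
    parts = value.split()
    if not parts:
        return None
    bad_shape = len(parts) != 2                    # expect exactly "<scheme> <token>"
    bad_scheme = parts[0].lower() != b"basic"      # only Basic is supported here
    bad_token = len(parts) < 2 or parts[1] != EXPECTED_AUTH_CODE
    return bad_shape, bad_scheme, bad_token


def check_proxy_auth_buggy(headers):
    """Rejects only when *all three* conditions fail: `and` where `or` was meant.
    A header with the right shape and scheme but the wrong token is let through."""
    conds = _auth_conditions(headers)
    if conds is None:
        return False
    bad_shape, bad_scheme, bad_token = conds
    if bad_shape and bad_scheme and bad_token:  # BUG: should be `or`
        return False
    return True


def check_proxy_auth_fixed(headers):
    """Rejects when *any* of the three conditions fails."""
    conds = _auth_conditions(headers)
    if conds is None:
        return False
    bad_shape, bad_scheme, bad_token = conds
    if bad_shape or bad_scheme or bad_token:
        return False
    return True


# Constructed requests; header names are lowercased as a proxy would normalise them.
VALID = {b"proxy-authorization": b"Basic " + EXPECTED_AUTH_CODE}
WRONG_PASSWORD = {b"proxy-authorization": b"Basic " + base64.b64encode(b"alice:wrong")}
WRONG_SCHEME = {b"proxy-authorization": b"Bearer not-a-basic-token"}
GARBAGE = {b"proxy-authorization": b"garbage"}
MISSING = {}


def demo():
    """Return {case: (buggy_result, fixed_result)} for each constructed request."""
    cases = {"valid": VALID, "wrong_password": WRONG_PASSWORD,
             "wrong_scheme": WRONG_SCHEME, "garbage": GARBAGE, "missing": MISSING}
    return {name: (check_proxy_auth_buggy(h), check_proxy_auth_fixed(h))
            for name, h in cases.items()}


if __name__ == "__main__":
    for name, (buggy, fixed) in demo().items():
        print(f"{name:15s} buggy={buggy!s:5s} fixed={fixed}")
```

The buggy version only rejects `garbage`, where all three conditions fail at once; a wrong password or a non-Basic scheme with the right two-token shape is accepted because the first condition is false and the `and` chain short-circuits to "not all bad". The fixed version rejects as soon as any condition fails.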
CentOS 7 : webkitgtk4 (RHSA-2020:4035)
The remote CentOS Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:4035 advisory. - WebKitGTK and WPE WebKit prior to version 2.24.1 failed to properly apply configured HTTP proxy settings when downloading livestream video HLS, DASH,...
Updated ruby packages fix a security vulnerability
A potential HTTP request smuggling vulnerability in WEBrick was reported. WEBrick was too tolerant against an invalid Transfer-Encoding header. This may lead to inconsistent interpretation between WEBrick and some HTTP proxy servers, which may allow the attacker to “smuggle” a request...
Amazon Linux 2 : webkitgtk4 (ALAS-2020-1563)
The version of webkitgtk4 installed on the remote host is prior to 2.28.2-2. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2020-1563 advisory. WebKitGTK and WPE WebKit prior to version 2.24.1 failed to properly apply configured HTTP proxy settings when...
Medium: webkitgtk4
Issue Overview: WebKitGTK and WPE WebKit prior to version 2.24.1 failed to properly apply configured HTTP proxy settings when downloading livestream video HLS, DASH, or Smooth Streaming, an error resulting in deanonymization. This issue was corrected by changing the way livestreams are downloaded...
GWTMap - Tool to help map the attack surface of Google Web Toolkit
GWTMap is a tool to help map the attack surface of Google Web Toolkit (GWT) based applications. The purpose of this tool is to facilitate the extraction of any service method endpoints buried within a modern GWT application's obfuscated client-side code, and attempt to generate example GWT-RPC...
Debian DLA-2391-1 : ruby2.3 security update
A potential HTTP request smuggling vulnerability in WEBrick was reported. WEBrick bundled along with ruby2.3 was too tolerant against an invalid Transfer-Encoding header. This may lead to inconsistent interpretation between WEBrick and some HTTP proxy servers, which may allow the attacker to...
Debian DLA-2392-1 : jruby security update
A potential HTTP request smuggling vulnerability in WEBrick was reported. WEBrick bundled along with jruby was too tolerant against an invalid Transfer-Encoding header. This may lead to inconsistent interpretation between WEBrick and some HTTP proxy servers, which may allow the attacker to...
[SECURITY] [DLA 2392-1] jruby security update
----------------------------------------------------------------------- Debian LTS Advisory DLA-2392-1 [email protected] https://www.debian.org/lts/security/ Utkarsh Gupta October 01, 2020 https://wiki.debian.org/LTS -...
Configuration Issues
webkitgtk4 has configuration issues. The vulnerability exists as it failed to properly apply configured HTTP proxy settings when downloading livestream video of HLS, DASH, or Smooth Streaming...
webkitgtk: HTTP proxy setting deanonymization information disclosure
WebKitGTK and WPE WebKit prior to version 2.24.1 failed to properly apply configured HTTP proxy settings when downloading livestream video HLS, DASH, or Smooth Streaming, an error resulting in deanonymization. This issue was corrected by changing the way livestreams are downloaded...
Potential HTTP Request Smuggling Vulnerability in WEBrick
WEBrick was too tolerant against an invalid Transfer-Encoding header. This may lead to inconsistent interpretation between WEBrick and some HTTP proxy servers, which may allow the attacker to "smuggle" a request. See CWE-444 in detail...
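The WEBrick entries above (the ruby, ruby2.3 and jruby advisories and this one) all describe the same CWE-444 pattern: a server that accepts an invalid Transfer-Encoding value disagrees with a proxy in front of it about where one request ends and the next begins. The following is an added example and not WEBrick's or any proxy's code; it assumes one concrete form of tolerance, a substring match on "chunked", and the parser names and sample requests are constructed for the illustration.

```python
"""Tolerant vs strict Transfer-Encoding handling (CWE-444, HTTP request smuggling).

Added example, not WEBrick's or any proxy's code. parse_request_tolerant,
parse_request_strict and the sample requests below are constructed to show how a
back end that treats any value containing 'chunked' as chunked can disagree with a
front end that only honours the exact token, leaving a second request in the buffer.
"""


def _split_head(raw):
    """Split a raw request into (request line, lowercase header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def _read_chunked(body):
    """Decode a chunked body; return (decoded bytes, bytes left after the 0 chunk)."""
    out, rest = b"", body
    while True:
        line, _, rest = rest.partition(b"\r\n")
        size = int(line.split(b";")[0], 16)          # ignore chunk extensions
        if size == 0:
            _, _, rest = rest.partition(b"\r\n")     # consume the empty trailer line
            return out, rest
        out += rest[:size]
        rest = rest[size + 2:]                       # skip chunk data and its CRLF


def parse_request_tolerant(raw):
    """Tolerant back end: any Transfer-Encoding containing 'chunked' wins over Content-Length."""
    request_line, headers, body = _split_head(raw)
    te = headers.get(b"transfer-encoding")
    if te is not None and b"chunked" in te.lower():
        decoded, leftover = _read_chunked(body)
    else:
        n = int(headers.get(b"content-length", b"0"))
        decoded, leftover = body[:n], body[n:]
    return request_line, decoded, leftover


def parse_request_strict(raw):
    """Strict parser: Transfer-Encoding must be exactly 'chunked' and must not be
    combined with Content-Length; anything else is rejected rather than guessed at."""
    request_line, headers, body = _split_head(raw)
    te = headers.get(b"transfer-encoding")
    if te is not None:
        if b"content-length" in headers:
            raise ValueError("Transfer-Encoding and Content-Length both present")
        if te.lower() != b"chunked":
            raise ValueError("unsupported Transfer-Encoding: %r" % te)
        decoded, leftover = _read_chunked(body)
    else:
        n = int(headers.get(b"content-length", b"0"))
        decoded, leftover = body[:n], body[n:]
    return request_line, decoded, leftover


# Constructed smuggling attempt. A front end that only recognises the exact token
# "chunked" treats "xchunked" as unknown, falls back to Content-Length and forwards
# the whole buffer as one request. A tolerant back end stops at the 0 chunk and
# reads the remainder as a second request the front end never saw.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"
SMUGGLING_BODY = b"0\r\n\r\n" + SMUGGLED
SMUGGLING_REQUEST = b"".join([
    b"POST /login HTTP/1.1\r\n",
    b"Host: example.test\r\n",
    b"Content-Length: %d\r\n" % len(SMUGGLING_BODY),
    b"Transfer-Encoding: xchunked\r\n",
    b"\r\n",
    SMUGGLING_BODY,
])

# Constructed well-formed chunked request that both parsers accept.
LEGIT_REQUEST = (
    b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
    b"Transfer-Encoding: chunked\r\n\r\n"
    b"5\r\nhello\r\n0\r\n\r\n"
)


def demo():
    """Return what each parser makes of the two constructed requests."""
    results = {"legit": parse_request_strict(LEGIT_REQUEST)[1]}
    _, _, leftover = parse_request_tolerant(SMUGGLING_REQUEST)
    results["tolerant_leftover"] = leftover
    try:
        parse_request_strict(SMUGGLING_REQUEST)
        results["strict_error"] = None
    except ValueError as exc:
        results["strict_error"] = str(exc)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The tolerant parser hands back `GET /admin ...` as unconsumed input, which a keep-alive server would process as the next request on the connection. The strict parser refuses the message outright, which is the only safe answer when two framing headers conflict: a server must never infer a body length from a Transfer-Encoding value it does not recognise, because the hop in front of it may have made the opposite choice.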
Security Bulletin: IBM Event Streams is affected by Node.js http-proxy and lodash module vulnerabilities
Summary IBM Event Streams is affected by Node.js http-proxy and lodash module denial of service vulnerabilities Vulnerability Details Third Party Entry: 183560 DESCRIPTION: Node.js lodash module denial of service CVSS Base score: 7.5 CVSS Temporal Score: See:...
Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise V11
Summary IBM App Connect Enterprise V11 ships with Node.js, for which vulnerabilities were reported and have been addressed. Vulnerability details are listed below. Vulnerability Details Third Party Entry: 183561 DESCRIPTION: Node.js http-proxy module denial of service CVSS Base score: 7.5 CVSS...
@acanto/october-scripts (=3.2.2), @acanto/workflow (=5.1.0) +1213 more potentially affected by unknown CVE via http-proxy (>=0.10.0 <=1.18.0)
http-proxy NPM version =0.10.0, =2018.7.11-0, =0.0.1, =0.156.0, =2.6.6, =4.0.0, =3.0.1, =0.0.1, =1.12.2-next.3, =1.0.0, =1.0.3 and more Source cves: unknown CVE Source advisory: OSV:GHSA-6X33-PW7P-HMPQ...
GHSA-6X33-PW7P-HMPQ Denial of Service in http-proxy
Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader...
Denial of Service in http-proxy
Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader...