SUSE-SU-2025:1008-1 Security update for python-gunicorn

This update for python-gunicorn fixes the following issues: - CVE-2024-6827: Fixed improper validation of the 'Transfer-Encoding' header value can allow for HTTP request smuggling attacks bsc1239830...

CVE-2025-2731

A vulnerability was found in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010 and Magic BE18000 up to V100R014. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /api/wizard/getDualbandSync of the component HTTP POST Request Handler...

CVE-2025-2731 H3C Magic BE18000 HTTP POST Request getDualbandSync command injection

A vulnerability was found in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010 and Magic BE18000 up to V100R014. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /api/wizard/getDualbandSync of the component HTTP POST Request Handler...

Unspecified Vulnerability in JetBrains Ktor

JetBrains Ktor is a web framework for building asynchronous servers and clients in Kotlin from the Czech company JetBrains. Used to create microservices, Web applications , etc., build RESTful API. JetBrains Ktor suffers from a security vulnerability that stems from the occurrence of an HTTP...

CVE-2024-10047

parisneo/lollms-webui versions v9.9 to the latest are vulnerable to a directory listing vulnerability. An attacker can list arbitrary directories on a Windows system by sending a specially crafted HTTP request to the /openfile endpoint...

CVE-2024-10264

HTTP Request Smuggling vulnerability in netease-youdao/qanything version 1.4.1 allows attackers to exploit inconsistencies in the interpretation of HTTP requests between a proxy and a server. This can lead to unauthorized access, bypassing security controls, session hijacking, data leakage, and...

CVE-2024-9229

A Denial of Service DoS vulnerability in the file upload feature of stangirard/quivr v0.0.298 allows unauthenticated attackers to cause excessive resource consumption by appending characters to the end of a multipart boundary in an HTTP request. This leads to the server continuously processing ea...

CVE-2024-9597

A Path Traversal vulnerability exists in the /wipedatabase endpoint of parisneo/lollms version v12, allowing an attacker to delete any directory on the system. The vulnerability arises from improper validation of the key parameter, which is used to construct file paths. An attacker can exploit th...

CVE-2024-9056

BentoML version v1.3.4post1 is vulnerable to a Denial of Service DoS attack. The vulnerability can be exploited by appending characters, such as dashes -, to the end of a multipart boundary in an HTTP request. This causes the server to continuously process each character, leading to excessive...

CVE-2024-8984

A Denial of Service DoS vulnerability exists in berriai/litellm version v1.44.5. This vulnerability can be exploited by appending characters, such as dashes -, to the end of a multipart boundary in an HTTP request. The server continuously processes each character, leading to excessive resource...

GHSA-HW8J-HW49-752C BentoML Denial of Service (DoS) via Multipart Boundary

BentoML version v1.3.4post1 is vulnerable to a Denial of Service DoS attack. The vulnerability can be exploited by appending characters, such as dashes -, to the end of a multipart boundary in an HTTP request. This causes the server to continuously process each character, leading to excessive...

BentoML Denial of Service (DoS) via Multipart Boundary

BentoML version v1.3.4post1 is vulnerable to a Denial of Service DoS attack. The vulnerability can be exploited by appending characters, such as dashes -, to the end of a multipart boundary in an HTTP request. This causes the server to continuously process each character, leading to excessive...

GHSA-FH2C-86XM-PM2X LiteLLM Vulnerable to Denial of Service (DoS) via Crafted HTTP Request

A Denial of Service DoS vulnerability exists in berriai/litellm version v1.44.5. This vulnerability can be exploited by appending characters, such as dashes -, to the end of a multipart boundary in an HTTP request. The server continuously processes each character, leading to excessive resource...

LiteLLM Vulnerable to Denial of Service (DoS) via Crafted HTTP Request

A Denial of Service DoS vulnerability exists in berriai/litellm version v1.44.5. This vulnerability can be exploited by appending characters, such as dashes -, to the end of a multipart boundary in an HTTP request. The server continuously processes each character, leading to excessive resource...

GHSA-HC5X-X2VX-497G Gunicorn HTTP Request/Response Smuggling vulnerability

Gunicorn version 21.2.0 does not properly validate the value of the 'Transfer-Encoding' header as specified in the RFC standards, which leads to the default fallback method of 'Content-Length,' making it vulnerable to TE.CL request smuggling. This vulnerability can lead to cache poisoning, data...

HTTP Request Smuggling

Overview gunicorn is a Python WSGI HTTP Server for UNIX Affected versions of this package are vulnerable to HTTP Request Smuggling due to improper validation of the Transfer-Encoding header. An attacker can manipulate session data, poison caches, or compromise data integrity by exploiting the...

Gunicorn HTTP Request/Response Smuggling vulnerability

Gunicorn version 21.2.0 does not properly validate the value of the 'Transfer-Encoding' header as specified in the RFC standards, which leads to the default fallback method of 'Content-Length,' making it vulnerable to TE.CL request smuggling. This vulnerability can lead to cache poisoning, data...

BentoML vulnerable to Uncontrolled Resource Consumption

In bentoml/bentoml version 1.3.9, the /login endpoint of the newly integrated Gradio app is vulnerable to a Denial of Service DoS attack. This vulnerability can be exploited by appending characters, such as dashes -, to the end of a multipart boundary in an HTTP request. The server continuously...

Gradio Vulnerable to Denial of Service (DoS) via Crafted HTTP Request

A Regular Expression Denial of Service ReDoS vulnerability exists in the gradio-app/gradio repository, affecting the gr.Datetime component. The affected version is git commit 98cbcae. The vulnerability arises from the use of a regular expression ^?:\snow\s?:-\s\d+\sdmhs??\s$ to process user input...

GHSA-RVGH-PR46-X7GG Gradio Vulnerable to Denial of Service (DoS) via Crafted HTTP Request

A Regular Expression Denial of Service ReDoS vulnerability exists in the gradio-app/gradio repository, affecting the gr.Datetime component. The affected version is git commit 98cbcae. The vulnerability arises from the use of a regular expression ^?:\snow\s?:-\s\d+\sdmhs??\s$ to process user input...