359 matches found
MiracleLinux 8 : httpd:2.4 (AXSA:2020-846:01)
The remote MiracleLinux 8 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2020-846:01 advisory. httpd: Push diary crash on specifically crafted HTTP/2 header CVE-2020-9490 Modularity name: httpd Stream name: 2.4 CVE-2020-9490 Apache HTTP Server versions...
MiracleLinux 8 : haproxy-1.8.15-6.el8.1 (AXSA:2020-172:01)
The remote MiracleLinux 8 host has a package installed that is affected by a vulnerability as referenced in the AXSA:2020-172:01 advisory. haproxy: malformed HTTP/2 requests can lead to out-of-bounds writes CVE-2020-11100 Tenable has extracted the preceding description block directly from the...
MiracleLinux 9 : skopeo-1.11.2-0.1.el9 (AXSA:2023-5634:02)
The remote MiracleLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2023-5634:02 advisory. golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests CVE-2022-41717 golang: crypto/tls: session tickets lack random...
Security Bulletin: IBM Storage Ceph is vulnerable to Exposure of Sensitive Information Through Data Queries in Golang Go (CVE-2023-45288)
Summary Golang Go is used by IBM Storage Ceph as part of RGW and in assorted other locations. CVE-2023-45288 Vulnerability Details CVEID:CVE-2023-45288 DESCRIPTION: An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION...
Security update for libsoup
This update for libsoup fixes the following issues: CVE-2025-12105: Fixed heap use-after-free in message queue handling during HTTP/2 read completion bsc1252555 Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST onlineupdate or "zypper patch"...
RHEL 10 : libsoup3 (RHSA-2025:23437)
The remote Redhat Enterprise Linux 10 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2025:23437 advisory. Libsoup is an HTTP library implementation in C. It was originally part of a SOAP Simple Object Access Protocol implementation called Soup, but the...
📄 HTTP/2 Rapid Reset DoS Tester
This is an HTTP/2 Rapid Reset denial of service testing tool. It provides a comprehensive method for testing CVE-2023-44487 with cross-system compatibility, improved user interface, and detailed reporting capabilities...
USN-7932-1: libsoup vulnerability
It was discovered libsoup incorrectly handled memory when handling specific HTTP/2 read and cancel sequences. An attacker could possibly use this issue to cause a denial of service...
RLSA-2025:23139 Moderate: libsoup3 security update
Libsoup is an HTTP library implementation in C. It was originally part of a SOAP Simple Object Access Protocol implementation called Soup, but the SOAP and non-SOAP parts have now been split into separate packages. libsoup uses the Glib main loop and is designed to work well with GTK applications...
AlmaLinux 10 : libsoup3 (ALSA-2025:23139)
The remote AlmaLinux 10 host has packages installed that are affected by a vulnerability as referenced in the ALSA-2025:23139 advisory. libsoup: Heap Use-After-Free in libsoup message queue handling during HTTP/2 read completion CVE-2025-12105 Tenable has extracted the preceding description block...
ALSA-2025:23139 Moderate: libsoup3 security update
Libsoup is an HTTP library implementation in C. It was originally part of a SOAP Simple Object Access Protocol implementation called Soup, but the SOAP and non-SOAP parts have now been split into separate packages. libsoup uses the Glib main loop and is designed to work well with GTK applications...
RLSA-2023:5849 Important: nodejs:18 security update
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fixes: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack Rapid Reset Attack CVE-2023-44487 nodejs: integrity checks according t...
BIT-NGINX-GATEWAY-2023-44487
The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023...
RLSA-2023:6939 Moderate: container-tools:rhel8 security and bug fix update
The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fixes: go-yaml: Improve heuristics preventing CPU/memory abuse by parsing malicious or large YAML documents CVE-2022-3064 golang: html/template: improper handling of JavaScri...
AZL-72841 CVE-2025-12105 affecting package libsoup for versions less than 3.4.4-11
A flaw was found in the asynchronous message queue handling of the libsoup library, widely used by GNOME and WebKit-based applications to manage HTTP/2 communications. When network operations are aborted at specific timing intervals, an internal message queue item may be freed twice due to missin...
EUVD-2025-35663
A flaw was found in the asynchronous message queue handling of the libsoup library, widely used by GNOME and WebKit-based applications to manage HTTP/2 communications. When network operations are aborted at specific timing intervals, an internal message queue item may be freed twice due to missin...
OESA-2025-2464 lighttpd security update
Secure, fast, compliant and very flexible web-server which has been optimized for high-performance environments. It has a very low memory footprint compared to other webservers and takes care of cpu-load. Its advanced feature-set FastCGI, CGI, Auth, Output-Compression, URL-Rewriting and many more...
MGASA-2025-0239 Updated varnish & lighttpd packages fix security vulnerability
It was discovered that a denial of service attack can be performed on cache servers that have the HTTP/2 protocol turned on. An attacker can create a large number of streams and immediately reset them without ever reaching the maximum number of concurrent streams allowed for the session, causing...
F5 BIG-IP Next SPK 代码问题漏洞
F5 BIG-IP Next SPK is a cloud-native application traffic management solution from F5 USA. A code issue vulnerability exists in F5 BIG-IP Next SPK, which stems from the possibility that undisclosed traffic in an HTTP/2 Ingress configuration could lead to the termination of the Traffic Management...
jetty: HTTP/2 (including DNS over HTTPS) contains a design flaw and is vulnerable to "MadeYouReset" DoS attack through HTTP/2 control frames
A flaw was found in Jetty where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts...