403 matches found

IBM Security Bulletins
added 2024/07/19 8:49 p.m., 31 views

Security Bulletin: IBM Cloud Pak for Data is vulnerable to several issues due to the go compiler (CVE-2022-27664)

Summary: Golang compiler is used by IBM Cloud Pak for Data to build various binaries. CVE-2022-27664 Vulnerability Details CVEID: CVE-2022-27664 DESCRIPTION: Golang Go is vulnerable to a denial of service, caused by a flaw in net/http. By sending a specially-crafted request, a remote attacker could...

CVSS 7.5, AI score 7.4, EPSS 0.00098
Exploits 0, Affected software 1
Snyk
added 2024/07/02 8:11 p.m., 2 views

Allocation of Resources Without Limits or Throttling

Overview: std/net/http is a Go standard library package. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling. Go Vulnerability Report: The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an...

CVSS 8.7, AI score 7.3, EPSS 0.01018
Exploits 0, References 3
RedHat Linux
added 2024/05/22 11:47 a.m., 34 views

Important: Red Hat Security Advisory: go-toolset:rhel8 security update

An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each...

CVSS 7.5, AI score 7, EPSS 0.69905
Exploits 1, References 7
IBM Security Bulletins
added 2024/05/22 9:19 a.m., 74 views

Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to glibc, Golang Go, Apache HTTP, IBM GSKit-Crypto and GnuTLS packages/libraries.

Summary: IBM MQ Operator and Queue manager container images are vulnerable to glibc, Golang Go, Apache HTTP, IBM GSKit-Crypto and GnuTLS. This bulletin identifies the steps required to address these vulnerabilities. Vulnerability Details CVEID: CVE-2024-33599 DESCRIPTION: glibc is vulnerable to a...

CVSS 8.1, AI score 9.1, EPSS 0.91924
Exploits 19, Affected software 1
Rockylinux
added 2024/05/09 6:50 p.m., 25 views

git-lfs security update

An update is available for git-lfs. This update affects Rocky Linux 8. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list. Git Large File Storage (LFS) replaces large files such as audio samples, videos...

CVSS 7.5, AI score 7.5, EPSS 0.69905
Exploits 1
OSV
added 2024/05/03 3:16 a.m., 2 views

CVE-2023-50203

D-Link G416 nodered chmod Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link G416 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists...

CVSS 8.8, AI score 6.3, EPSS 0.02543
Exploits 0, References 2
Tenable Nessus
added 2024/03/26 12:00 a.m., 35 views

RHEL 8 : Red Hat OpenStack Platform 16.2.6 (python-twisted) (RHSA-2024:1518)

The remote Red Hat Enterprise Linux 8 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2024:1518 advisory. Twisted is a networking engine written in Python, supporting numerous protocols. It contains a web server, numerous chat clients, chat servers, mail...

CVSS 5.3, AI score 6.4, EPSS 0.00609
Exploits 1, References 5
Github Security Blog
added 2024/03/05 4:24 p.m., 24 views

HTTP Handling Vulnerability in the Bare server

Impact: This vulnerability relates to insecure handling of HTTP requests by the @tomphttp/bare-server-node package. This flaw potentially exposes the users of the package to manipulation of their web traffic. The impact may vary depending on the specific usage of the package but it can potentially...

CVSS 9.8, AI score 6.7, EPSS 0.00704
Exploits 0, References 3, Affected software 1
vulnersOsv
added 2024/01/23 12:00 p.m., 2 views

objstor (>=0.4.6 <=0.4.20), rblog (>=0.100.0 <=0.123.0) +16 more potentially affected by CVE-2024-23644 via trillium-http (=0.2.14)

trillium-http CARGO version =0.2.14 is affected by a known vulnerability. The following packages have a transitive dependency on trillium-http and may be impacted: - objstor =0.4.6, =0.100.0, =0.2.0, =0.2.0-rc.1, =0.1.0, =0.2.0, =0.0.1, =0.2.0, =0.3.0, =0.2.0, =0.3.1, =0.4.2 and more Source cves:...

CVSS 8.1, AI score 7.2, EPSS 0.00507
Exploits 0
Tenable Nessus
added 2024/01/23 12:00 a.m., 24 views

Amazon Linux 2023 : containerd, containerd-stress (ALAS2023-2024-499)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2024-499 advisory. 2024-08-09: CVE-2023-47108 was removed from this advisory. 2024-08-09: The severity of this advisory has been changed from Important to Medium. 2024-04-10: CVE-2023-39326 was added to this advisory...

CVSS 7.5, AI score 6.9, EPSS 0.04299
Exploits 0, References 4
Amazon
added 2024/01/22 12:00 a.m., 7 views

Medium: containerd

Issue Overview: A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of da...

CVSS 7.5, AI score 6.8, EPSS 0.04299
Exploits 0
BDU FSTEC
added 2024/01/11 12:00 a.m., 2 views

The vulnerability of the Go programming language’s net/http package, which allows attackers to exploit and disclose protected information

The vulnerability of the net/http package in the Go programming language is related to the exposure of sensitive information. Exploiting this vulnerability allows an attacker, operating remotely, to disclose protected information...

CVSS 5.3, AI score 6.6, EPSS 0.00123
Exploits 0, References 6, Affected software 2
AlpineLinux
added 2023/12/13 5:30 p.m., 36 views

CVE-2023-50766

A cross-site request forgery (CSRF) vulnerability in Jenkins Nexus Platform Plugin 3.18.0-03 and earlier allows attackers to send an HTTP request to an attacker-specified URL and parse the response as XML...

CVSS 8.8, AI score 7.2, EPSS 0.00068
Exploits 0, References 2
Cvelist
added 2023/12/13 6:37 a.m., 16 views

CVE-2023-48782

An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiWLM version 8.6.0 through 8.6.5 allows an attacker to execute unauthorized code or commands via specifically crafted HTTP GET request parameters...

CVSS 8.8, AI score 9.1, EPSS 0.03856
Exploits 0, References 1
Amazon
added 2023/11/16 12:00 a.m., 4 views

Medium: containerd

Issue Overview: In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. CVE-2022-27664 Affected Packages: containerd Note: This advisory is applicable to...

CVSS 7.5, AI score 6.9, EPSS 0.00098
Exploits 0
RedHat Linux
added 2023/11/14 4:03 p.m., 1 view

golang: net/http, mime/multipart: denial of service from excessive resource consumption

A flaw was found in Go, where it is vulnerable to a denial of service caused by an excessive resource consumption flaw in the net/http and mime/multipart packages. By sending a specially-crafted request, a remote attacker can cause a denial of service...

CVSS 7.5, AI score 6.7, EPSS 0.00065
Exploits 0, References 8
OSV
added 2023/11/09 8:51 a.m., 23 views

OPENSUSE-SU-2023:0360-1 Security update for go1.21

This update introduces go1.21, including fixes for the following issues: - go1.21.3 released 2023-10-10 includes a security fix to the net/http package. Refs boo1212475 go1.21 release tracking CVE-2023-39325 CVE-2023-44487 go63427 go63417 boo1216109 security: fix CVE-2023-39325 CVE-2023-44487...

CVSS 9.8, AI score 7.7, EPSS 0.9439
Exploits 19, References 19
RedHat Linux
added 2023/10/31 2:06 p.m., 3 views

golang: net/http: handle server errors after sending GOAWAY

A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown...

CVSS 7.5, AI score 6.6, EPSS 0.00098
Exploits 0, References 6
BDU FSTEC
added 2023/10/30 12:00 a.m., 1 view

The vulnerability of the InvokeHTTP component in the Apache NiFi MiNiFi data processing platform, which exists due to insufficient verification of certificate authenticity, allows attackers to compromise data integrity.

The vulnerability of the InvokeHTTP component in the Apache NiFi MiNiFi data processing platform exists due to insufficient verification of certificate authenticity. Exploiting this vulnerability allows an attacker to compromise data integrity from a remote location...

CVSS 5.9, AI score 6.2, EPSS 0.00076
Exploits 0, References 3, Affected software 1
CNNVD
added 2023/10/17 12:00 a.m., 2 views

Oracle Fusion Middleware Security Vulnerability

Oracle Fusion Middleware is a set of business innovation platforms for enterprise and cloud environments from Oracle USA. The platform provides middleware, software collections, and other capabilities. A security vulnerability exists in Oracle WebCenter Content version...

CVSS 5.3, AI score 6.7, EPSS 0.00144
Exploits 0, References 3