curl: CVE-2024-2398: HTTP/2 push headers memory-leak

CVE-2024-2398 was a memory-leak vulnerability in the HTTP/2 push headers implementation of libcurl. For each incoming PUSHPROMISE header, a new string was allocated and stored in an array. When the number of headers exceeded a threshold, libcurl freed the array but forgot to free the individual...

openSUSE: Security Advisory for haproxy (SUSE-SU-2023:0153-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

openSUSE: Security Advisory for lighttpd (openSUSE-SU-2022:10132-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Security Bulletin: Denial of Service vulnerability in WebSphere Liberty may affect IBM Business Automation Workflow (CVE-2023-44487)

Summary WebSphere Liberty is shipped with IBM Business Automation Workflow traditional to support Process Federation Server and User Management Services. WebSphere Liberty is also the application server for IBM Business Automation Workflow on Containers. A denial of service vulnerability has been...

Security Bulletin: IBM MQ is vulnerable to issues in Eclipse (CVE-2023-4218, CVE-2023-44487)

Summary IBM MQ has addressed vulnerabilities in Eclipse, which is used in IBM MQ Explorer. Vulnerability Details CVEID:CVE-2023-4218 DESCRIPTION: Eclipse IDE could allow a local authenticated attacker to obtain sensitive information, caused by improper handling of XML external entity XXE...

Security Bulletin: There is a vulnerability in Asset Data Dictionary used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2023-34462 and CVE-2023-44487)

Summary There is a vulnerability in Asset Data Dictionary used by IBM Maximo Manage application in IBM Maximo Application Suite Vulnerability Details CVEID:CVE-2023-34462 DESCRIPTION: Netty is vulnerable to a denial of service, caused by a flaw with allocating up to 16MB of heap for each channel...

Security Bulletin: There is a vulnerability in Asset Data Dictionary used by IBM Maximo Asset Management application (CVE-2023-44487, CVE-2022-41881, CVE-2022-41915, CVE-2021-42550, CVE-2023-34462, CVE-2023-6481 and CVE-2023-6378)

Summary There is a vulnerability in Asset Data Dictionary used by IBM Maximo Asset Management application CVE-2023-44487, CVE-2022-41881, CVE-2022-41915, CVE-2021-42550, CVE-2023-34462, CVE-2023-6481 and CVE-2023-6378 Vulnerability Details CVEID:CVE-2023-44487 DESCRIPTION: Multiple vendors are...

CentOS 9 : nghttp2-1.43.0-5.el9.1

The remote CentOS Linux 9 host has packages installed that are affected by a vulnerability as referenced in the nghttp2-1.43.0-5.el9.1 build changelog. - The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many streams quickly, as...

CentOS 9 : podman-4.6.0-0.3.el9

The remote CentOS Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the podman-4.6.0-0.3.el9 build changelog. - A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service...

CentOS 9 : toolbox-0.0.99.3-9.el9

The remote CentOS Linux 9 host has packages installed that are affected by a vulnerability as referenced in the toolbox-0.0.99.3-9.el9 build changelog. - An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP heade...

CentOS 9 : varnish-6.5.2-2.el9

The remote CentOS Linux 9 host has packages installed that are affected by a vulnerability as referenced in the varnish-6.5.2-2.el9 build changelog. - HTTP/2 request smuggling attack via a large Content-Length header for a POST request CVE-2021-36740 Note that Nessus has not tested for this issue...

CentOS 9 : skopeo-1.12.0-3.el9

The remote CentOS Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the skopeo-1.12.0-3.el9 build changelog. - A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service...

CentOS 9 : haproxy-2.4.17-6.el9

The remote CentOS Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the haproxy-2.4.17-6.el9 build changelog. - An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an...

CentOS 9 : containernetworking-plugins-1.3.0-2.el9

The remote CentOS Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the containernetworking-plugins-1.3.0-2.el9 build changelog. - A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a...

CentOS 9 : podman-4.1.1-3.el9

The remote CentOS Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the podman-4.1.1-3.el9 build changelog. - net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via...

Security Bulletin: Vulnerabilities in IBM WebSphere Application Server Liberty impact IBM Common Licensing

Summary Multiple vulnerabilities in IBM WebSphere Liberty impact IBM License Key Server Administration and Reporting Tool and IBM LKS Administration Agent. Vulnerability Details CVEID:CVE-2022-34165 DESCRIPTION: IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 and IBM WebSphere Application...

Moderate: Red Hat Security Advisory: Run Once Duration Override Operator for Red Hat OpenShift 1.1.0 for RHEL 9

An update for run-once-duration-override-container, run-once-duration-override-operator-bundle-container, and run-once-duration-override-operator-container is now available for RODOO-1.1-RHEL-9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common...

RHEL 8 / 9 : OpenShift Container Platform 4.13.35 (RHSA-2024:0948)

The remote Redhat Enterprise Linux 8 / 9 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2024:0948 advisory. Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private clo...

Security Bulletin: Netty-codec-http2 is vulnerable to CVE-2023-44487 used in IBM Maximo Application Suite - Monitor Component

Summary IBM Maximo Application Suite - Monitor Component uses netty-codec-http2 which is vulnerable to CVE-2023-44487. This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details CVEID:CVE-2023-44487 DESCRIPTION: Multiple vendors are vulnerable to a denial of...

Denial Of Service

jetty-http is vulnerable to Denial Of Service DoS. The vulnerability is due to GOAWAY frames failing to be written to the queue when there is TCP congestion within the server. An attacker can exploit idle timeout periods to leave HTTP/2 or 3 connections in the ESTABLISHED state, even when they...