4431 matches found
CVE-2016-7153
The HTTP/2 protocol does not consider the role of the TCP congestion window in providing information about content length, which makes it easier for remote attackers to obtain cleartext data by leveraging a web-browser configuration in which third-party cookies are sent, aka a "HEIST" attack...
Design/Logic Flaw
The HTTP/2 protocol does not consider the role of the TCP congestion window in providing information about content length, which makes it easier for remote attackers to obtain cleartext data by leveraging a web-browser configuration in which third-party cookies are sent, aka a "HEIST" attack...
CVE-2016-7153
The HTTP/2 protocol does not consider the role of the TCP congestion window in providing information about content length, which makes it easier for remote attackers to obtain cleartext data by leveraging a web-browser configuration in which third-party cookies are sent, aka a "HEIST" attack...
CVE-2016-7153
CVE-2016-7153 describes a vulnerability in the HTTP/2 protocol where the TCP congestion window is not considered when determining content length, potentially enabling an attacker to obtain cleartext data by leveraging a web browser configuration that sends third‑party cookies (HEIST). The connect...
CVE-2016-7153
The HTTP/2 protocol does not consider the role of the TCP congestion window in providing information about content length, which makes it easier for remote attackers to obtain cleartext data by leveraging a web-browser configuration in which third-party cookies are sent, aka a "HEIST" attack...
4 Flaws hit HTTP/2 Protocol that could allow Hackers to Disrupt Servers
If you think that the HTTP/2 protocol is more secure than the standard HTTP Hypertext Transfer Protocol, then you might be wrong, as it took researchers just four months to discover four flaws in the HTTP/2 protocol. HTTP/2 was launched properly just in May last year after Google bundled its SPDY...
Important: Red Hat Security Advisory: httpd24-httpd security update
An update for httpd24-httpd is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerabilit...
Apache HTTP Server 2.4.x < 2.4.23 Multiple Vulnerabilities
Binary data 9394.prm...
Apache 2.4.18 / 2.4.20 X.509 Certificate Authentication Bypass
According to its banner, the version of Apache running on the remote host is either 2.4.18 or 2.4.20. Additionally, HTTP/2 is enabled over TLS or SSL. It is, therefore, affected by the an authentication bypass vulnerability in the experimental module for the HTTP/2 protocol due to a failure to...
Apache HTTP Server Security Bypass Vulnerability (Jul 2016)
Apache HTTP Server is prone to a security bypass vulnerability. SPDX-FileCopyrightText: 2016 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:apache:httpserver...
CVE-2016-4979
The Apache HTTP Server 2.4.18 through 2.4.20, when modhttp2 and modssl are enabled, does not properly recognize the "SSLVerifyClient require" directive for HTTP/2 request authorization, which allows remote attackers to bypass intended access restrictions by leveraging the ability to send multiple...
CVE-2016-1546
The Apache HTTP Server 2.4.17 and 2.4.18, when modhttp2 is enabled, does not limit the number of simultaneous stream workers for a single HTTP/2 connection, which allows remote attackers to cause a denial of service stream-processing outage via modified flow-control windows...
CVE-2016-1546
The Apache HTTP Server 2.4.17 and 2.4.18, when modhttp2 is enabled, does not limit the number of simultaneous stream workers for a single HTTP/2 connection, which allows remote attackers to cause a denial of service stream-processing outage via modified flow-control windows...
Authorization
The Apache HTTP Server 2.4.18 through 2.4.20, when modhttp2 and modssl are enabled, does not properly recognize the "SSLVerifyClient require" directive for HTTP/2 request authorization, which allows remote attackers to bypass intended access restrictions by leveraging the ability to send multiple...
CVE-2016-4979
A flaw was found in the way httpd performed client authentication using X.509 client certificates. When the HTTP/2 protocol was enabled, a remote attacker could use this flaw to access resources protected by certificate authentication without providing a valid client certificate...
CVE-2016-4979
The Apache HTTP Server 2.4.18 through 2.4.20, when modhttp2 and modssl are enabled, does not properly recognize the "SSLVerifyClient require" directive for HTTP/2 request authorization, which allows remote attackers to bypass intended access restrictions by leveraging the ability to send multiple...
CVE-2016-1546
The Apache HTTP Server 2.4.17 and 2.4.18, when modhttp2 is enabled, does not limit the number of simultaneous stream workers for a single HTTP/2 connection, which allows remote attackers to cause a denial of service stream-processing outage via modified flow-control windows...
CVE-2016-4979
CVE-2016-4979 affects Apache HTTP Server 2.4.18–2.4.20 when mod_http2 and mod_ssl are enabled; it fails to recognize the SSLVerifyClient require directive for HTTP/2 request authorization, enabling bypass of access restrictions by abusing multiple requests on a single connection and renegotiation...
CVE-2016-1546
The Apache HTTP Server 2.4.17 and 2.4.18, when modhttp2 is enabled, does not limit the number of simultaneous stream workers for a single HTTP/2 connection, which allows remote attackers to cause a denial of service stream-processing outage via modified flow-control windows...
FreeBSD : apache24 -- X509 Client certificate based authentication can be bypassed when HTTP/2 is used (e9d1e040-42c9-11e6-9608-20cf30e32f6d)
Apache Software Foundation reports : The Apache HTTPD web server from 2.4.18-2.4.20 did not validate a X509 client certificate correctly when experimental module for the HTTP/2 protocol is used to access a resource. The net result is that a resource that should require a valid client certificate ...