734 matches found

Github Security Blog
added 2024/01/24 8:20 p.m. · 25 views

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') in trillium-http and trillium-client

Summary: Insufficient validation of outbound header values may lead to request splitting or response splitting attacks in scenarios where attackers have sufficient control over outbound headers. Details: Outbound trillium_http::HeaderValue and trillium_http::HeaderName can be constructed infallibly a...

CVSS 8.1 · AI score 6.8 · EPSS 0.00632
Exploits 0 · References 7 · Affected Software 2
Prion
added 2024/01/24 8:15 p.m. · 32 views

Input validation

Trillium is a composable toolkit for building internet applications with async rust. In trillium-http prior to 0.3.12 and trillium-client prior to 0.5.4, insufficient validation of outbound header values may lead to request splitting or response splitting attacks in scenarios where attackers have...

CVSS 5.1 · AI score 7.2 · EPSS 0.00632
Exploits 0 · References 3 · Affected Software 2
OSV
added 2024/01/24 7:38 p.m. · 28 views

CVE-2024-23644 trillium-http and trillium-client vulnerable to HTTP Request/Response Splitting

Trillium is a composable toolkit for building internet applications with async rust. In trillium-http prior to 0.3.12 and trillium-client prior to 0.5.4, insufficient validation of outbound header values may lead to request splitting or response splitting attacks in scenarios where attackers have...

CVSS 6.8 · AI score 7.9 · EPSS 0.00632
Exploits 0 · References 5
CNNVD
added 2024/01/24 12:00 a.m. · 3 views

Trillium Injection Vulnerability

Trillium is a composable toolkit from the Trillium community for building Internet applications using asynchronous Rust. An injection vulnerability exists in Trillium versions prior to 0.3.12 and 0.5.x prior to 0.5.4, which stems from insufficient header validation and may result in a split reque...

CVSS 8.1 · AI score 7.2 · EPSS 0.00632
Exploits 0 · References 4
RustSec
added 2024/01/23 12:00 p.m. · 6 views

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

Summary: Insufficient validation of outbound header values may lead to request splitting or response splitting attacks in scenarios where attackers have sufficient control over outbound headers. Details: Outbound trillium_http::HeaderValue and trillium_http::HeaderName can be constructed infallibly a...

CVSS 8.1 · AI score 7.3 · EPSS 0.00632
Exploits 0 · Affected Software 1
Positive Technologies
added 2024/01/18 12:00 a.m. · 3 views

PT-2024-14033 · Ibm · Ibm Storage Defender - Data Protect

Name of the Vulnerable Software and Affected Versions: IBM Storage Defender - Data Protect versions 1.0.0 through 1.4.1 Description: The issue is caused by improper validation of input by the HOST headers, leading to HTTP header injection. This could allow an attacker to conduct various attacks...

CVSS 6.5 · AI score 5.7 · EPSS 0.0033
Exploits 0 · References 6
RedHat Linux
added 2024/01/08 8:23 a.m. · 3 views

squid: DoS against HTTP and HTTPS

A flaw was found in Squid. The limits applied for validation of HTTP response headers are applied before caching. However, Squid may grow a cached HTTP response header beyond the configured maximum size, causing a stall or crash of the worker process when a large header is retrieved from the disk...

CVSS 7.5 · AI score 5.7 · EPSS 0.05229
Exploits 0 · References 5
Amazon
added 2024/01/08 12:00 a.m. · 4 views

Important: ecs-init

Issue Overview: The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value...

CVSS 6.5 · AI score 7.1 · EPSS 0.01328
Exploits 0
Tenable Nessus
added 2023/12/08 12:00 a.m. · 31 views

Qlik Sense Enterprise HTTP Tunneling RCE

The version of Qlik Sense Enterprise installed on the remote Windows host is prior to November 2021 Patch 17, February 2022 prior to Patch 15, May 2022 prior to Patch 16, August 2022 prior to Patch 14, November 2022 prior to Patch 12, February 2023 prior to Patch 10, May 2023 prior to Patch 6 or...

CVSS 9.9 · AI score 8.9 · EPSS 0.84967
Exploits 0 · References 2
RedHat Linux
added 2023/12/06 10:02 a.m. · 4 views

squid: DoS against HTTP and HTTPS

A flaw was found in Squid. The limits applied for validation of HTTP response headers are applied before caching. However, Squid may grow a cached HTTP response header beyond the configured maximum size, causing a stall or crash of the worker process when a large header is retrieved from the disk...

CVSS 7.5 · AI score 5.7 · EPSS 0.05229
Exploits 0 · References 5
Tenable Nessus
added 2023/11/28 12:00 a.m. · 26 views

Rocky Linux 8 : container-tools:4.0 (RLSA-2023:7202)

The remote Rocky Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2023:7202 advisory. - The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests...

CVSS 6.5 · AI score 7.2 · EPSS 0.0125
Exploits 0 · References 4
Veracode
added 2023/11/23 8:02 a.m. · 23 views

Buffer Overflow

Libde265 is vulnerable to buffer overflows. The vulnerability is due to a lack of header validation in the decctx.cc file. This can lead to a denial of service or application crash...

CVSS 8.1 · AI score 7 · EPSS 0.00979
Exploits 1 · References 3 · Affected Software 1
Redos
added 2023/11/21 12:00 a.m. · 34 views

ROS-20231115-01

A vulnerability in the Squid proxy server related to the execution of a "buffer overflow" attack, writing up to 2MB of arbitrary data to the memory heap when Squid is configured to accept HTTP Digest Authentication. Exploitation of the vulnerability could allow an attacker acting remotely to...

CVSS 9.3 · AI score 7.7 · EPSS 0.85944
Exploits 0
OSV
added 2023/11/15 10:15 p.m. · 2 views

CVE-2023-48365

Qlik Sense Enterprise for Windows before August 2023 Patch 2 allows unauthenticated remote code execution, aka QB-21683. Due to improper validation of HTTP headers, a remote attacker is able to elevate their privilege by tunneling HTTP requests, allowing them to execute HTTP requests on the backe...

CVSS 9.9 · AI score 7.6 · EPSS 0.84967
Exploits 0 · References 2
CNNVD
added 2023/11/15 12:00 a.m. · 4 views

Qlik Sense Security Breach

Qlik Sense is an application from Qlik USA. It allows users to create visualizations, charts, interactive dashboards and analytical applications for local and offline use. A security vulnerability exists in versions prior to Qlik Sense Enterprise August 2023 Patch 2, which stems from incorrect...

CVSS 9.9 · AI score 6.9 · EPSS 0.24676
Exploits 0 · References 2
Vulnrichment
added 2023/11/15 12:00 a.m. · 16 views

CVE-2023-48365

Qlik Sense Enterprise for Windows before August 2023 Patch 2 allows unauthenticated remote code execution, aka QB-21683. Due to improper validation of HTTP headers, a remote attacker is able to elevate their privilege by tunneling HTTP requests, allowing them to execute HTTP requests on the backe...

CVSS 9.6 · AI score 8.1 · EPSS 0.24676
Exploits 0 · References 1
Positive Technologies
added 2023/11/15 12:00 a.m. · 5 views

PT-2023-6923

Name of the Vulnerable Software and Affected Versions: Qlik Sense Enterprise for Windows versions prior to August 2023 Patch 2 Description: The issue is related to improper validation of HTTP headers, allowing a remote attacker to elevate their privilege by tunneling HTTP requests and execute HTTP...

CVSS 9.9 · AI score 8.7 · EPSS 0.24676
Exploits 0 · References 39
Amazon
added 2023/09/20 12:00 a.m. · 7 views

Important: oci-add-hooks

Issue Overview: The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value...

CVSS 6.5 · AI score 7 · EPSS 0.0125
Exploits 0
Tenable Nessus
added 2023/09/20 12:00 a.m. · 26 views

Amazon Linux 2023 : oci-add-hooks (ALAS2023-2023-347)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2023-347 advisory. The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to...

CVSS 6.5 · AI score 7.2 · EPSS 0.0125
Exploits 0 · References 4
UbuntuCve
added 2023/09/14 12:15 p.m. · 16 views

CVE-2023-2848

Movim prior to version 0.22 is affected by a Cross-Site WebSocket Hijacking vulnerability. This was the result of a missing header validation...

CVSS 8.8 · AI score 7.2 · EPSS 0.00309
Exploits 0 · References 4